From 1ca5f2c591c3a0f7af41dc3a2286597268e6f1e8 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sun, 16 Jul 2023 17:08:30 +0200
Subject: [PATCH] Fix permission issues
---
 README.md | 19 +++++++++++--------
 .../systemd/container-cloud-chown.service | 4 +++-
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index c86be2e..c502aef 100644
--- a/README.md
+++ b/README.md
@@ -142,23 +142,26 @@ not being accessed/modified during this process. It is easy to access `yggdrasil
 ```sh
 /usr/local/sbin/restic-batch --config-dir /etc/restic-batch.d restore
 ```
- Note that permissions and ownership are restored as a second step once all the content is
- restored. Therefore, the files will list `root` as owner during the restoration.
-3. Start all the pod services with:
+3. Once restore has completed, `chown -R :` all the restored directories in
+ `/var/lib//data`. Restic restores the UID information of the host from which the backup
+ was performed which may not match that of the new target machine. Note that permissions and
+ ownership are restored as a second step once all the content is restored. Therefore, the files
+ will list `root` as owner during the restoration.
+4. Start all the pod services with:
 ```sh
 ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_start.yml
 ```
 Give them some time to download all the images and start.
-4. Once the CPU returns to idling check the state of all the pod services and their `veth`
+5. Once the CPU returns to idling check the state of all the pod services and their `veth`
 interfaces. If necessary restart the affected pod. Sometimes they fail to start (presumably due
 to issues related to limited CPU and RAM).
-5. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
+6. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
 have enough space. A VM is used to make sure that none of the services on the host workstation
 connect to `baldur` by accident.
-6. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
-7. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
+7. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
+8. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
 connecting to `baldur`.
-8. Stop all the pod services with:
+9. Stop all the pod services with:
 ```sh
 ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml
 ```
diff --git a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-chown.service b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-chown.service
index f808f26..115f2a6 100644
--- a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-chown.service
+++ b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-chown.service
@@ -15,12 +15,14 @@ ExecStart=/usr/bin/podman run \
 --cgroups=no-conmon \
 --pod-id-file %t/pod-cloud.pod-id \
 --replace \
+ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
+ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
 -v {{ services_data_directory }}/pod-cloud/external/_data:/media/external \
 --user=0 \
 --entrypoint="/bin/bash" \
 --name=pod-cloud-chown \
 docker.io/library/nextcloud:{{ services_deploy_versions.cloud.nextcloud }} \
- -c "chown -R www-data:www-data /media/external"
+ -c "chown -R www-data:www-data /var/www/html /media/external"
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-cloud-chown.ctr-id
 Type=oneshot
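Review bot: The recursive chown on the new `-c` line now runs as root (`--user=0`) over the whole Nextcloud web root and, through the nested `/var/www/html/data` mount added two lines above it, the entire user data tree on every start of this oneshot unit, rewriting the ownership of every file rather than only those whose UID a restore left wrong (the case the README part of this commit documents). On a large data directory that slows every pod start, and it is a root-level recursive metadata write across content that Nextcloud users can presumably write, so I would limit it to mismatched entries and act on symlinks themselves rather than their targets: `-c "find /var/www/html /media/external ! -user www-data -exec chown -h www-data:www-data {} +"`. The unit carries no comment on why it exists; a `# Re-own the volumes after a restic restore, which preserves the source host's UIDs` line above `ExecStart` would spare the next reader a trip to the README. The hunk's final context line appears to fall outside the page, so the end of the unit is not visible here.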