Fix permission issues

Wojciech Kozlowski 2023-07-16 17:08:30 +02:00
parent 4d959940d9
commit 1ca5f2c591
2 changed files with 14 additions and 9 deletions


@ -142,23 +142,26 @@ not being accessed/modified during this process. It is easy to access `yggdrasil
```sh
/usr/local/sbin/restic-batch --config-dir /etc/restic-batch.d restore
```
Note that permissions and ownership are restored as a second step once all the content is
restored. Therefore, the files will list `root` as owner during the restoration.
3. Start all the pod services with:
3. Once restore has completed, `chown -R <user>:<user>` all the restored directories in
`/var/lib/<hostname>/data`. Restic restores the UID information of the host from which the backup
was performed which may not match that of the new target machine. Note that permissions and
ownership are restored as a second step once all the content is restored. Therefore, the files
will list `root` as owner during the restoration.
4. Start all the pod services with:
```sh
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_start.yml
```
Give them some time to download all the images and start.
4. Once the CPU returns to idling check the state of all the pod services and their `veth`
5. Once the CPU returns to idling check the state of all the pod services and their `veth`
interfaces. If necessary restart the affected pod. Sometimes they fail to start (presumably due
to issues related to limited CPU and RAM).
5. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
6. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
have enough space. A VM is used to make sure that none of the services on the host workstation
connect to `baldur` by accident.
6. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
7. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
7. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
8. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
connecting to `baldur`.
8. Stop all the pod services with:
9. Stop all the pod services with:
```sh
ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml
```
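Review bot: In the new step 3, `chown -R <user>:<user>` does not say which account `<user>` is, or whether one owner is correct for every directory under `/var/lib/<hostname>/data`; a recursive chown to a single user overwrites whatever per-directory ownership Restic restored. Name the intended user (or point to where it is defined) and state whether ownership seen from inside the containers is expected to be corrected afterwards. The sentence beginning "Note that permissions and ownership are restored as a second step" describes what is visible while the restore in step 2 is still running, so it reads out of order after "Once restore has completed"; keeping it under step 2 would be clearer.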


@ -15,12 +15,14 @@ ExecStart=/usr/bin/podman run \
--cgroups=no-conmon \
--pod-id-file %t/pod-cloud.pod-id \
--replace \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
-v {{ services_data_directory }}/pod-cloud/external/_data:/media/external \
--user=0 \
--entrypoint="/bin/bash" \
--name=pod-cloud-chown \
docker.io/library/nextcloud:{{ services_deploy_versions.cloud.nextcloud }} \
-c "chown -R www-data:www-data /media/external"
-c "chown -R www-data:www-data /var/www/html /media/external"
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-cloud-chown.ctr-id
Type=oneshot
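Review bot: In the `-c` argument, `chown -R www-data:www-data /var/www/html /media/external` also recurses through `/var/www/html/data`, because that volume is mounted beneath `/var/www/html`, so every run of this `Type=oneshot` unit walks the whole Nextcloud data tree with `--user=0`. The cost grows with the amount of stored data and delays whatever waits on this unit. If the full walk is only needed after a restore, say so in a comment next to the command, or narrow the recursion to the paths a restore can leave with the wrong owner.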