Fix systemd NAMESPACE failures caused by missing ReadWritePaths dirs
data-refresh.service: use /tmp instead of /tmp/data_analyst_staging in ReadWritePaths — the subdirectory may not exist at service start, causing mount namespace setup to fail before any Exec* directive runs. deploy.sh: fix typo services/corporate-memory -> services/corporate_memory so the mkdir conditional actually matches the repo directory name. deploy.sh: add ReadWritePaths validation loop that auto-creates any missing directories listed in installed .service files before daemon-reload. This acts as a safety net against future NAMESPACE failures from new services.
parent
80c5b902e0
commit
2181d490e9
2 changed files with 21 additions and 3 deletions
|
|
@ -202,7 +202,7 @@ if [[ -f "${REPO_DIR}/auth/password.py" ]]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Corporate memory directory
|
# Corporate memory directory
|
||||||
if [[ -d "${REPO_DIR}/services/corporate-memory" ]]; then
|
if [[ -d "${REPO_DIR}/services/corporate_memory" ]]; then
|
||||||
log "Setting up corporate memory directory..."
|
log "Setting up corporate memory directory..."
|
||||||
sudo /usr/bin/mkdir -p /data/corporate-memory
|
sudo /usr/bin/mkdir -p /data/corporate-memory
|
||||||
sudo /usr/bin/chown root:data-ops /data/corporate-memory
|
sudo /usr/bin/chown root:data-ops /data/corporate-memory
|
||||||
|
|
@ -238,6 +238,24 @@ for unit_file in "${REPO_DIR}"/services/*/systemd/*.service "${REPO_DIR}"/servic
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [[ "$SYSTEMD_CHANGED" == "true" ]]; then
|
if [[ "$SYSTEMD_CHANGED" == "true" ]]; then
|
||||||
|
# Ensure all ReadWritePaths directories exist before daemon-reload.
|
||||||
|
# ProtectSystem=strict uses mount namespaces for ReadWritePaths — if any
|
||||||
|
# listed path is missing, the service fails at NAMESPACE step before any
|
||||||
|
# Exec* directive runs. This loop prevents that class of failures.
|
||||||
|
log "Validating ReadWritePaths directories..."
|
||||||
|
for installed_unit in /etc/systemd/system/*.service; do
|
||||||
|
[[ -f "$installed_unit" ]] || continue
|
||||||
|
rw_paths=$(grep -oP '^ReadWritePaths=\K.*' "$installed_unit" 2>/dev/null || true)
|
||||||
|
for rw_path in $rw_paths; do
|
||||||
|
if [[ ! -d "$rw_path" ]]; then
|
||||||
|
log " Creating missing ReadWritePaths: $rw_path (required by $(basename "$installed_unit"))"
|
||||||
|
sudo /usr/bin/mkdir -p "$rw_path"
|
||||||
|
sudo /usr/bin/chown root:data-ops "$rw_path"
|
||||||
|
sudo /usr/bin/chmod 2770 "$rw_path"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
sudo /usr/bin/systemctl daemon-reload
|
sudo /usr/bin/systemctl daemon-reload
|
||||||
log " systemd daemon-reload completed"
|
log " systemd daemon-reload completed"
|
||||||
fi
|
fi
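Review bot: The validation loop walks every unit matching `/etc/systemd/system/*.service`, not only the ones this script installed, and runs `sudo mkdir`, `chown root:data-ops` and `chmod 2770` on whatever it parses out of them, so a missing path declared by an unrelated unit is created group-writable for data-ops. The parsing is also looser than systemd's own: `for rw_path in $rw_paths` is unquoted, so glob characters expand, and entries carrying systemd's `-` or `+` prefix or a `%` specifier reach mkdir unchanged. I would restrict the loop to the unit names copied from `${REPO_DIR}` and guard each entry, e.g. `rw_path=${rw_path#[-+]}`, `[[ "$rw_path" == /* && "$rw_path" != *[%*?]* ]] || continue`, and `sudo /usr/bin/mkdir -p -- "$rw_path"`. The `2>/dev/null || true` on the grep also hides an unreadable unit file. The `for unit_file` loop that installs the units starts outside the hunk, so how installed units could be tracked is not visible here.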
|
||||||
|
|
|
||||||
|
|
@ -15,9 +15,9 @@ EnvironmentFile=/opt/data-analyst/.env
|
||||||
Environment=PYTHONPATH=/opt/data-analyst/repo
|
Environment=PYTHONPATH=/opt/data-analyst/repo
|
||||||
Environment=CONFIG_DIR=/opt/data-analyst/instance/config
|
Environment=CONFIG_DIR=/opt/data-analyst/instance/config
|
||||||
|
|
||||||
# Write access to data directory and logs
|
# Write access to data directory, logs, and /tmp (for staging + lock file)
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ReadWritePaths=/data /opt/data-analyst/logs /tmp/data_analyst_staging
|
ReadWritePaths=/data /opt/data-analyst/logs /tmp
|
||||||
PrivateTmp=false
|
PrivateTmp=false
|
||||||
|
|
||||||
# Sync can take a while for large tables
|
# Sync can take a while for large tables
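Review bot: Widening `ReadWritePaths=` from `/tmp/data_analyst_staging` to all of `/tmp` while `PrivateTmp=false` stays set gives this service write access to the host's shared, world-writable /tmp, and leaves the staging directory and lock file at predictable names that any local account can pre-create. If the staging area does not have to be shared with other services, `RuntimeDirectory=data_analyst_staging` (created by systemd under /run before the namespace is set up) or `PrivateTmp=true` would avoid the NAMESPACE failure without the wider grant. If it must stay in /tmp, a tmpfiles.d entry that creates the directory at boot would keep the narrow path. At minimum the comment should record the trade-off, e.g. `# /tmp is shared (PrivateTmp=false): create the staging dir and lock file with ownership checks`. Whether other units depend on the lock file is not visible in this section.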
|
||||||
|
|
|
||||||