Fix systemd NAMESPACE failures caused by missing ReadWritePaths dirs

data-refresh.service: use /tmp instead of /tmp/data_analyst_staging in ReadWritePaths — the subdirectory may not exist at service start, causing mount namespace setup to fail before any Exec* directive runs. deploy.sh: fix typo services/corporate-memory -> services/corporate_memory so the mkdir conditional actually matches the repo directory name. deploy.sh: add ReadWritePaths validation loop that auto-creates any missing directories listed in installed .service files before daemon-reload. This acts as a safety net against future NAMESPACE failures from new services.
2026-03-15 11:40:11 +01:00 · 2026-03-15 11:40:11 +01:00 · 2181d490e9
commit 2181d490e9
parent 80c5b902e0
2 changed files with 21 additions and 3 deletions
--- a/server/deploy.sh
+++ b/server/deploy.sh
@ -202,7 +202,7 @@ if [[ -f "${REPO_DIR}/auth/password.py" ]]; then
 fi

 # Corporate memory directory
-if [[ -d "${REPO_DIR}/services/corporate-memory" ]]; then
+if [[ -d "${REPO_DIR}/services/corporate_memory" ]]; then
    log "Setting up corporate memory directory..."
    sudo /usr/bin/mkdir -p /data/corporate-memory
    sudo /usr/bin/chown root:data-ops /data/corporate-memory
@ -238,6 +238,24 @@ for unit_file in "${REPO_DIR}"/services/*/systemd/*.service "${REPO_DIR}"/servic
    fi
 done
 if [[ "$SYSTEMD_CHANGED" == "true" ]]; then
+    # Ensure all ReadWritePaths directories exist before daemon-reload.
+    # ProtectSystem=strict uses mount namespaces for ReadWritePaths — if any
+    # listed path is missing, the service fails at NAMESPACE step before any
+    # Exec* directive runs. This loop prevents that class of failures.
+    log "Validating ReadWritePaths directories..."
+    for installed_unit in /etc/systemd/system/*.service; do
+        [[ -f "$installed_unit" ]] || continue
+        rw_paths=$(grep -oP '^ReadWritePaths=\K.*' "$installed_unit" 2>/dev/null || true)
+        for rw_path in $rw_paths; do
+            if [[ ! -d "$rw_path" ]]; then
+                log "  Creating missing ReadWritePaths: $rw_path (required by $(basename "$installed_unit"))"
+                sudo /usr/bin/mkdir -p "$rw_path"
+                sudo /usr/bin/chown root:data-ops "$rw_path"
+                sudo /usr/bin/chmod 2770 "$rw_path"
+            fi
+        done
+    done
+
    sudo /usr/bin/systemctl daemon-reload
    log "  systemd daemon-reload completed"
 fi
--- a/services/data_refresh/systemd/data-refresh.service
+++ b/services/data_refresh/systemd/data-refresh.service
@ -15,9 +15,9 @@ EnvironmentFile=/opt/data-analyst/.env
 Environment=PYTHONPATH=/opt/data-analyst/repo
 Environment=CONFIG_DIR=/opt/data-analyst/instance/config

-# Write access to data directory and logs
+# Write access to data directory, logs, and /tmp (for staging + lock file)
 ProtectSystem=strict
-ReadWritePaths=/data /opt/data-analyst/logs /tmp/data_analyst_staging
+ReadWritePaths=/data /opt/data-analyst/logs /tmp
 PrivateTmp=false

 # Sync can take a while for large tables