Feature Request: Move INTERNAL_TOKEN value out of app.ini

[minoru7]

• Gitea version (or commit ref): latest
• Git version: latest
• Operating system: Linux
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

I'd like to request that the INTERNAL_TOKEN value that is currently placed in the app.ini during Gitea startup be moved to a separate file/config than the user-defined app.ini. It should probably be placed in a lockfile, pid, or separate gitea-system-controlled config file, etc.

The reason for this is that a lot of organizations use automation tools such as Puppet, SaltStack, Ansible, etc. to deploy configurations to servers. If the app.ini (user-defined config file) is being managed by one of these, it will overwrite the existing app.ini that includes the INTERNAL_TOKEN. This is less than ideal, and obviously breaks the functioning of Gitea.

References:

• Gitea should offer a configcheck command #2762 Gitea should offer a configcheck command #2762
• A Push ends in: ! [remote rejected] lab -> lab (pre-receive hook declined) #3226 A Push ends in: ! [remote rejected] lab -> lab (pre-receive hook declined) #3226

[danielfbm]

same problem using kubernetes and configmaps, config files should not be used to save any kind of state

[xoxys]

Any chance to fix this in near future? It's annoying to use idempotent config management with this...

[strk]

Any chance to fix this in near future? It's annoying to use idempotent config management with this...

If you provide a pull-request chances are high that it will be merged

[xoxys]

👍 will have a look

[cdrage]

@xoxys @strk

Any updates? We are unfortunately blocked on this and we're unable to add Gitea as a Helm chart to Kubernetes since it's trying to write to app.ini... Despite app.ini only used for configuration, INTERNAL_TOKEN is being updated within in.

See errors: https://storage.googleapis.com/kubernetes-jenkins/pr-logs/pull/charts/3408/pull-charts-e2e/7056/build-log.txt

Also our Helm chart PR here: helm/charts#3408

[cdrage]

ping @lafriks

[cdrage]

Specifically:

I0326 19:50:47.406] ---Logs from container gitea in pod gitea-7056-1-gitea-5f94847576-krj5q:---
I0326 19:50:47.658] Generating /data/ssh/ssh_host_ed25519_key...
I0326 19:50:47.659] chown: /data/gitea/conf/app.ini: Read-only file system
I0326 19:50:47.659] Mar 26 19:32:40 syslogd started: BusyBox v1.26.2
I0326 19:50:47.659] Generating /data/ssh/ssh_host_rsa_key...
I0326 19:50:47.659] Generating /data/ssh/ssh_host_dsa_key...
I0326 19:50:47.660] Generating /data/ssh/ssh_host_ecdsa_key...
I0326 19:50:47.660] /etc/ssh/sshd_config line 32: Deprecated option UsePrivilegeSeparation
I0326 19:50:47.660] Mar 26 19:32:40 sshd[14]: Server listening on :: port 22.
I0326 19:50:47.660] Mar 26 19:32:40 sshd[14]: Server listening on 0.0.0.0 port 22.
I0326 19:50:47.661] 2018/03/26 19:32:40 �[1;31m[...s/setting/setting.go:924 NewContext()] [E] Error saving generated JWT Secret to custom config: open /data/gitea/conf/app.ini: read-only file system�[0m
I0326 19:50:47.661] chown: /data/gitea/conf/app.ini: Read-only file system
I0326 19:50:47.661] 2018/03/26 19:32:41 �[1;31m[...s/setting/setting.go:924 NewContext()] [E] Error saving generated JWT Secret to custom config: open /data/gitea/conf/app.ini: read-only file system�[0m
I0326 19:50:47.662] chown: /data/gitea/conf/app.ini: Read-only file system
I0326 19:50:47.662] 2018/03/26 19:32:42 �[1;31m[...s/setting/setting.go:924 NewContext()] [E] Error saving generated JWT Secret to custom config: open /data/gitea/conf/app.ini: read-only file system�[0m
I0326 19:50:47.662] chown: /data/gitea/conf/app.ini: Read-only file system

Which is causing the issue (Gitea is trying to write to app.ini when it shouldn't..)

[strk]

I guess any update would be mentioned here. Your best bet is providing a pull request

[lafriks]

@cdrage you can pregenerate token and other values using gitea cli command generate that was added in 1.4.0 (see https://docs.gitea.io/en-us/command-line/)

[cdrage]

@lafriks Yup. I saw from your other comments on the other issues. Yes, that helps with configuration and setting up your .ini file. However, this issue is regarding when INTERNAL_TOKEN isn't set, what gitea should do.

The problem is that app.ini or whatever configuration file you use, should be immutable when deploying (through Ansible, read-only file system, etc.)

My thinking:

If INTERNAL_TOKEN does not exist, the key should be automatically generated and set internally rather than being passed to the configuration file.

Reference:

gitea/modules/setting/setting.go

Line 924 in 96c268c

cfgSave.Section("security").Key("INTERNAL_TOKEN").SetValue(InternalToken)

I'll most likely push a PR later this week once I have enough time!

[Nodraak]

Hi @cdrage! I am very much interested in deploying Gitea with a k8s Chart. If you need any help (testing, review, code, ...), don't hesitate to ping me :)