Git ownership issue in package

dev-cb

I set up a git repo to backup n8n workflows and credentials via a bash script which exports via npx n8n export and pushes the data to the repo. The script is started via crontab.

Now a while ago it was running perfectly, no issues. Then suddenly (I assume after package update or Cloudron update) it stopped. Git is not pushing anymore due to an repo ownership issue:

fatal: detected dubious ownership in repository at '/app/data/n8n-backup'
To add an exception for this directory, call:
git config --global --add safe.directory /app/data/n8n-backup

This is the directory content inkl. rights:

root@package:/app/data/n8n-backup# ll
total 28
drwxr-xr-x 5 cloudron cloudron 4096 Jul  7 06:00 ./
drwxr-xr-x 7 cloudron cloudron 4096 Jul  5 16:57 ../
drwxr-xr-x 8 cloudron cloudron 4096 Jul  6 20:47 .git/
-rw-r--r-- 1 cloudron cloudron  562 Jun 14 13:58 README.md
drwxr-xr-x 2 root     root     4096 Jul  7 06:00 credentials/
-rwxr-xr-x 1 cloudron cloudron  710 Jun 14 13:58 start-backup.sh*
drwxr-xr-x 2 root     root     4096 Jul  7 06:00 workflows/

The script start-backup.sh is started by the crontab, setup via the app cron settings in Cloudron UI. So its run as root. Also the git command is then called as root. Since the ownership of .git/ is cloudron git is having doubts and stops.

Now if I change the ownership of all content in /app/data/n8n-backup/ to root, then start the script, all works fine. But after an update of the app the ownership is reset to cloudron. Makes sense from security perspective I guess.

Following the suggested git solution (adding the repository directory to the safe list) I am facing the problem that I can not write in the file system:

root@package:/app/code# git config --global --add safe.directory /app/data/n8n-backup 
error: could not lock config file /root/.gitconfig: Read-only file system

Now adding the setting to the local config of the repository and switching back to cloudron ownership is not working either since git is not recognizing the git repository. Also if I run as user cloudron no success:

root@package:/app/data/n8n-backup# runuser -l cloudron -c 'git status' 
fatal: not a git repository (or any of the parent directories): .git

The su command helps with the git issue but does not work completely since then the npx command is not found.

Now I could probably add chown -R root:root /app/data/n8n-backup/ as first command to the script but I guess that is not the best way to go.

Anyone some ideas to help me solving this?

girish

The startup code of all packages change the ownership of the data to a non-root user. This is the reason for the change of ownership that you have noticed.

Ideally, your cron job can also run as non-root user (cloudron in this case). For this reason, keep the n8n-backup directory to always be cloudron user. With that in mind...

root@package:/app/data# mkdir myrepo
root@package:/app/data# chown -R cloudron:cloudron myrepo
root@package:/app/data# cd myrepo/
root@package:/app/data/myrepo# gosu cloudron:cloudron git init
hint: Using 'master' as the name for the initial branch. This default branch name
<blah blah>
Initialized empty Git repository in /app/data/myrepo/.git/
root@package:/app/data/myrepo# echo "hello world" > readme.txt
root@package:/app/data/myrepo# gosu cloudron:cloudron git add readme.txt 

At this point, you need the gitconfig to commit and push. So, create it under .git itself.

root@package:/app/data/myrepo# cat > .git/config
[user]
        name = Girish Ramakrishnan
        email = girish@cloudron.io
root@package:/app/data/myrepo# chown cloudron:cloudron .git/config
root@package:/app/data/myrepo# gosu cloudron:cloudron git commit -a -m 'first commit'
[master (root-commit) 5c8a66a] first commit
 1 file changed, 1 insertion(+)
 create mode 100644 readme.txt
root@package:/app/data/myrepo# gosu cloudron:cloudron git push https://brew.demo.cloudron.io/cloudron/testrepo.git master:main
Username for 'https://brew.demo.cloudron.io': cloudron
Password for 'https://cloudron@brew.demo.cloudron.io': 
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Writing objects: 100% (3/3), 229 bytes | 229.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To https://brew.demo.cloudron.io/cloudron/testrepo.git
 * [new branch]      master -> main

I am not 100% sure if above is what you want, but maybe it gives you some ideas.

dev-cb

Hi @girish!

Thanks. I’ll check, but I guess This is working well so far ..

#!/bin/bash
 
# n8n auto backup process
 
# clean up to get all changes
 
rm -r /app/data/n8n-backup/workflows/
rm -r /app/data/n8n-backup/credentials/

# change directory
 
cd /app/code

# start export process
npx n8n export:workflow --backup --output /app/data/n8n-backup/workflows/
npx n8n export:credentials --backup --output /app/data/n8n-backup/credentials/ # save credentials encrypted
 
# npx n8n export:credentials --decrypted --backup --output /app/data/n8n-backup/credentials/ # save credentials decrypted
 
# Use gosu: gosu cloudron:cloudron cmd --param
 
# git add files, commit and push
gosu cloudron:cloudron git -C /app/data/n8n-backup/ add .
gosu cloudron:cloudron git -C /app/data/n8n-backup/ commit -m "Auto backup ($(date +'%Y-%m-%d'))"
gosu cloudron:cloudron git -C /app/data/n8n-backup/ push

# set ownership back to cloudron (fix)
 
chown -R cloudron:cloudron /app/data/n8n-backup/