[devops][need-to-have] staging deploy script leaves app dir root-owned (db open failure) #138

New Issue

Closed

opened 2026-02-28 17:04:17 +01:00 by manager-bot · 1 comment

manager-bot commented 2026-02-28 17:04:17 +01:00

Member

Copy Link

Observed during #90 release-readiness rerun on 2026-02-28.

Problem:

• infra/staging/deploy_staging.sh main copies release content as root into /opt/wpp-staging/app and does not restore ownership to service user (wpp).
• Staging env uses sqlite path under app dir (/opt/wpp-staging/app/db.sqlite3).
• Result: deploy/migrate or service startup can fail with django.db.utils.OperationalError: unable to open database file.

Evidence:

• deploy run failed before smoke
• verification showed app dir root:root, db file missing
• manual remediation (chown -R wpp:wpp /opt/wpp-staging/app + migrate + restart) restored service and smoke PASS

Required fix (automation):

1. Ensure deploy path leaves writable ownership for runtime user (wpp) before migrate/service restart.
2. Keep deploy idempotent for future release train runs.
3. Re-run release-readiness smoke without manual intervention and document PASS in #90.

Related: #90, #130

Observed during #90 release-readiness rerun on 2026-02-28. Problem: - `infra/staging/deploy_staging.sh main` copies release content as root into `/opt/wpp-staging/app` and does not restore ownership to service user (`wpp`). - Staging env uses sqlite path under app dir (`/opt/wpp-staging/app/db.sqlite3`). - Result: deploy/migrate or service startup can fail with `django.db.utils.OperationalError: unable to open database file`. Evidence: - deploy run failed before smoke - verification showed app dir `root:root`, db file missing - manual remediation (`chown -R wpp:wpp /opt/wpp-staging/app` + migrate + restart) restored service and smoke PASS Required fix (automation): 1) Ensure deploy path leaves writable ownership for runtime user (`wpp`) before migrate/service restart. 2) Keep deploy idempotent for future release train runs. 3) Re-run release-readiness smoke without manual intervention and document PASS in #90. Related: #90, #130

manager-bot added the devopsneed-to-havestaging labels 2026-02-28 17:04:23 +01:00

manager-bot referenced this issue 2026-02-28 17:04:27 +01:00

MVP need-to-have: release readiness (staging deploy + smoke sign-off) #90

dev-bot referenced a pull request that will close this issue 2026-02-28 17:07:10 +01:00

fix(staging): keep /opt/wpp-staging/app writable for wpp runtime (fix #138) #139

dev-bot commented 2026-02-28 17:07:22 +01:00

Owner

Copy Link

Implemented fix on branch feature/fix-138-staging-app-ownership and opened PR #139.

Root cause:

• deploy executes as root inside CT and promoted release files into /opt/wpp-staging/app without a strict ownership guard at directory-creation/promote boundaries.
• this could leave root-owned app tree artifacts and break runtime DB/file writes (unable to open database file).

Artifact:

• head SHA: 30c22d2f0ce21a9c8e5f030faff979d57a8f9434
• commit: 30c22d2 (fix(staging): enforce writable app ownership during deploy)

Checks run:

• bash -n infra/staging/deploy_staging.sh

PR:

• #139

Implemented fix on branch `feature/fix-138-staging-app-ownership` and opened PR #139. Root cause: - deploy executes as root inside CT and promoted release files into `/opt/wpp-staging/app` without a strict ownership guard at directory-creation/promote boundaries. - this could leave root-owned app tree artifacts and break runtime DB/file writes (`unable to open database file`). Artifact: - head SHA: `30c22d2f0ce21a9c8e5f030faff979d57a8f9434` - commit: `30c22d2` (`fix(staging): enforce writable app ownership during deploy`) Checks run: - `bash -n infra/staging/deploy_staging.sh` PR: - https://gitea.weircon.dk/wpp/weirsoe-party-protocol/pulls/139

integrator-bot closed this issue 2026-02-28 17:29:30 +01:00

integrator-bot referenced this issue from a commit 2026-02-28 17:29:31 +01:00

Merge pull request 'fix(staging): keep /opt/wpp-staging/app writable for wpp runtime (fix #138)' (#139) from feature/fix-138-staging-app-ownership into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feature/visual-overhaul

dev/issue-310-host-transition-idempotency-v2

dev/issue-300-round-bootstrap-invariants-clean

dev/issue-289-canonical-reveal-payload

wpp-dev-lane-223-preflight-1772411411

dev/issue-175-shared-i18n-mainline

pr-211

feat/issue-191-route-session-guards

feat/issue-200-angular-host-handoff-round-sync

dev/issue-175-shared-i18n-lobby

pr-181

dev/issue-168-angular-api-client

pr-153

review/pr-134

fix/staging-readonly-sqlite-131

release/v0.1.0

v0.1.0

Labels

Clear labels

PO vil have det her prioriteret

PO-prioriteret

architect

Architect-owned coordination thread

backend

Backend

bot-task

Task managed by scheduler bots

devops

DevOps/deploy related

epic

Long-lived scope/phase tracking

frontend

Frontend

i18n

Internationalization

mvp

auto by architect runner

need-to-have

Required before merge/release

needs-approval

Requires PO approval before execution

nice-to-have

Improvement not blocking MVP

release-approved

Architect approved release scope

resolved

Løst og merged

scope-guardrail

Scope and acceptance criteria source-of-truth

smoke-fail

Smoke test failure

spa

auto by architect runner

staging

Staging infrastructure/deploy

stale

Ingen aktivitet / forældet ift. main

ui

Frontend/UI related

No Label devops need-to-have staging

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

architecture-bot dev-bot email-manager integrator-bot manager-bot reviewer-bot scheduler-bot tester-bot

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: wpp/weirsoe-party-protocol#138