This might not be the same cause or solution as git test receive wrapper fails so filing it separately.

Anon git push is broken again

remote: error: cannot lock ref 'HEAD': Unable to create '/home/b-ikiwiki/source.git/./HEAD.lock': Permission denied
To git://
 ! [remote rejected]     master -> master (failed to update ref)

Jon, 2020-10-06

It does not seem related to the other problem. I don't understand how it could have broken in a new way since I fixed it before. git has not been upgraded in the meantime. This is affecting more than one site, and the permissions do not seem obviously broken.

Since this is now seeming so fragile -- after working for about a decade, it's broken twice in a matter of months -- I'm questioning whether it's worth trying to keep the feature working. --Joey

Of course, that's got to be your call. I haven't made a great deal of use of it, but it does seem more convenient if one is working on an IkiWiki patch, as I can write the website notes about it in the same tree (although I then have to cherry-pick to push that to the live site, of course.). If you decide to drop it from, would you leave the code as-is, or drop it as broken? Any further clues what went wrong this time? Jon, 2021-01-13

The HEAD.lock permissions error does not come from the post-receive hook or from ikiwiki when it runs it. Instead, stracing git-daemon shows that it happens after ikiwiki has checked the push and accepted it, and exited successfully.

So the problem is that git-daemon is unable to write to the git repo.

drwxr-sr-x+ 8 b-git-annex b-git-annex 4096 Mar 29 17:07 /home/b-git-annex/source.git/

ikiwiki-hosting's ikisite is supposed to arrange for git-daemon to be able to write there by using an ACL, so something about that must be what is broken now. --Joey

Ok, found the problem. ikisite runs setfacl, and that does the right thing. Then ikisite runs chmod on the source.git directory (to make it suid as seen above). That seems to mess up the ACLs that were set earlier.

The diff from good to bad ACLs, as shown by getfacl is:

+group::rwx #effective:r-x
+group:ikiwiki-anon:rwx #effective:r-x
+group:b-ikiwiki:rwx    #effective:r-x
+group:b-git-annex:rwx  #effective:r-x

I don't understand ACLs or how a chmod could clear them but ok, ikisite needs to chmod before setting the ACLS.

This is not an ikiwiki bug and I'll fix it in ikisite-hosting then. done --Joey