Webhook not delivering after push

Hello,

I have a new gitea installation, and everything seems fine except that webhooks don’t seem to work.
For context it’s a Docker installation on arm64, something like a raspberry pi. Also, the webhook in question is from Drone CI.

The webhook is definitely correct, since the test deliveries are all successful:

And even with all events enabled in the webhook settings.

But nothing happens when I push or create a tag. And there’s nothing useful in the debug log either, it just shows that the push happened and nothing else.

Accepted publickey for git from 192.168.0.2 port 56207 ssh2: RSA SHA256:xxxxx
2022/11/03 15:46:28 ...ters/private/serv.go:412:ServCommand() [D] [6363d444] Serv Results:
        IsWiki: false
        DeployKeyID: 0
        KeyID: 1        KeyName: desktop
        UserName: haath
        UserID: 1
        OwnerName: haath
        RepoName: ci-test
        RepoID: 5
2022/11/03 15:46:28 [6363d444] router: completed GET /api/internal/serv/command/1/haath/ci-test?mode=2&verb=git-receive-pack for 192.168.0.2:0, 200 OK in 18.7ms @ private/serv.go:81(private.ServCommand)       
2022/11/03 15:46:28 [6363d444-2] router: completed POST /api/internal/ssh/1/update/5 for 192.168.0.2:0, 200 OK in 18.0ms @ private/key.go:18(private.UpdatePublicKeyInRepo)
Received disconnect from 192.168.0.2 port 56207:11: disconnected by user
Disconnected from user git 192.168.0.2 port 56207

And in my configuration I have all the following:

[server]
DISABLE_SSH      = false
OFFLINE_MODE     = false

[security]
DISABLE_GIT_HOOKS             = false
DISABLE_WEBHOOKS              = false

[webhook]
ALLOWED_HOST_LIST = *
DELIVER_TIMEOUT = 30

Everything else I’ve tried:

  • Pushing on HTTPS instead of ssh
  • Creating a new repository
  • Checking for noexec flags

After some more testing I found also this: webhooks are triggered when creating a pull request.

However still nothing when pushing commits, or tags, or even updating pull requests.

I narrowed it down to the post-receive.d/gitea hook.

The file appears to always fail test -x inside the container, even though it has 777 permissions.

And it’s definitely executable, I can run it inside the container as any user.

Any suggestions would be very welcome…

FAQ Push Hook / Webhook aren’t running

So I’m also having the same issue and have made same observations as @haath’s comment above.
(‘test -x’ always failing)

Looks like this might be the cause: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1916485

A really hacky and temporary workaround I’ve done for a couple of my repos is to replace ‘test -x’ with ‘/usr/bin/test -x’ in the hook scripts. This works for some reason according to that bug report and in my container.

A more permanent solution might be rebasing the docker image to one with the fixed bash/libseccomp/glibc?

Update:
It doesn’t seem like it’s the libseccomp issue.

The built-in test from bash fails with EACCES when trying to test for execute permissions for a file on a network share (NFS for me). However, the mount is mounted with exec option and I can execute the file.

It seems like using stat(2) works ok on a local docker with NFS mounts, access(2) also works ok on my deployed docker with NFS, but the bash built-in uses faccessat2(2), which returns EPERM.

It does say in the man page for faccessat2(2) that these calls may not work correctly on NFSv2 or FUSE mounts. However, I am using NFSv3, so it might be the docker fuse mounts.
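
An added example, not part of the thread or of Gitea: a small C probe that runs the three checks compared in the post above (stat(2) mode bits, access(2), and the raw faccessat2(2) syscall) on each path given and prints the errno of each, so an EPERM or EACCES from one call can be told apart from a genuinely missing execute bit. The function names and the AT_EACCESS flag are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* value on x86-64 and arm64, for older headers */
#endif

/* 1 if any execute bit is set in the file mode, 0 if none, -errno on error. */
int mode_has_exec(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -errno;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* 0 if access(2) grants X_OK, otherwise -errno. */
int probe_access(const char *path) {
    return access(path, X_OK) == 0 ? 0 : -errno;
}

/* Raw faccessat2(2) for X_OK: 0 or -errno. AT_EACCESS flag is an assumption. */
int probe_faccessat2(const char *path) {
    return syscall(SYS_faccessat2, AT_FDCWD, path, X_OK, AT_EACCESS) == 0 ? 0 : -errno;
}

/* Turn the three results into a one-line finding. */
const char *diagnose(int mode_exec, int acc, int fa2) {
    if (mode_exec < 0) return "stat failed";
    if (mode_exec == 0) return "no execute bit in mode";
    if (acc != 0) return "access(2) denies execute";
    if (fa2 == 0) return "all checks agree: executable";
    if (fa2 == -ENOSYS) return "faccessat2 not implemented by this kernel";
    return "mismatch: access(2) allows, faccessat2(2) fails";
}

int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        int m = mode_has_exec(argv[i]);
        int a = probe_access(argv[i]), f = probe_faccessat2(argv[i]);
        printf("%s: mode_exec=%d access=%s faccessat2=%s => %s\n", argv[i], m,
               a ? strerror(-a) : "ok", f ? strerror(-f) : "ok", diagnose(m, a, f));
    }
    return 0;
}
```

Build it for the container's architecture and run it inside the container as the user that executes the hooks, passing the hook file paths as arguments.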