paperless-mail-ingest runbook: manual mail_fetcher must drop to the paperless user
All checks were successful
ci/woodpecker/push/default Pipeline was successful

A root-run kubectl exec mail_fetcher downloads attachments root-owned into
the scratch dir and the celery consumer (uid 1000) fails with
PermissionError — found during the build E2E. Document s6-setuidgid usage
and the recovery step.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-03 14:26:12 +00:00
parent 77fcb08e8e
commit 68b9858eff

@ -65,7 +65,15 @@ The map lives in **two places by design** — keep them in sync:
## Operations ## Operations
- **Trigger a fetch immediately** (instead of waiting ≤10 min): - **Trigger a fetch immediately** (instead of waiting ≤10 min):
`kubectl -n paperless-ngx exec deploy/paperless-ngx -c paperless-ngx -- python3 manage.py mail_fetcher` `kubectl -n paperless-ngx exec deploy/paperless-ngx -c paperless-ngx -- s6-setuidgid paperless python3 manage.py mail_fetcher`
The `s6-setuidgid paperless` is **required**: `kubectl exec` runs as root, and a
root-run fetcher downloads attachments root-owned into the scratch dir, which
the celery consumer (uid 1000) then can't read — `PermissionError` on
`/tmp/paperless/paperless-mail-*/...`, consume task FAILURE (hit during the
2026-07-03 build E2E). The mail correctly stays in INBOX for retry (the move
action is a chord callback on successful consumption). Recover: `rm -rf
/tmp/paperless/paperless-mail-*` (as root) and let the next scheduled fetch
re-process.
- **Mailbox credentials:** Vault `secret/platform``mailserver_accounts` - **Mailbox credentials:** Vault `secret/platform``mailserver_accounts`
JSON, key `docs@viktorbarzin.me` (also used by the paperless mail account). JSON, key `docs@viktorbarzin.me` (also used by the paperless mail account).
- **Inspect the mailbox:** - **Inspect the mailbox:**
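Review bot: The recovery step at the end of the added paragraph gives `rm -rf /tmp/paperless/paperless-mail-*` "(as root)" without saying where it runs, while the trigger step directly above it spells out the full `kubectl -n paperless-ngx exec deploy/paperless-ngx -c paperless-ngx -- ...` invocation. Suggest writing the recovery command in the same full form so it is unambiguous that the path is inside the paperless-ngx container and not on a node or workstation. The glob also matches the scratch dir of any fetch whose attachments are still being consumed, and fetches run on a ≤10 min schedule, so the runbook should say to run the cleanup only when no consume task is in flight.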