start: insufficient permissions to directories

Fixed a bug where an error did not appear when access rights
to the var directive were insufficient.

Closes #1238

Author: r.inyakin

CHANGELOG.md

@@ -13,6 +13,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Fixed
 
+- `tt start`: fixed a bug where an error did not appear when access rights
+  to the var directive were insufficient.
+
 ## [2.12.0] - 2026-03-30
 
 This maintenance release marks the end of active development on the v2

cli/cmd/start.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/apex/log"
 	"github.com/spf13/cobra"
 	"github.com/tarantool/tt/cli/cmd/internal"
 	"github.com/tarantool/tt/cli/cmdcontext"
@@ -92,9 +93,12 @@ func startInstancesInteractive(cmdCtx *cmdcontext.CmdCtx, instances []running.In
 		prefix := running.GetAppInstanceName(instCtx) + " "
 		wg.Add(1)
 		go func(inst running.InstanceCtx) {
-			running.RunInstance(ctx, cmdCtx, inst,
+			err := running.RunInstance(ctx, cmdCtx, inst,
 				running.NewColorizedPrefixWriter(os.Stdout, clr, prefix),
 				running.NewColorizedPrefixWriter(os.Stderr, clr, prefix))
+			if err != nil {
+				log.Error(err.Error())
+			}
 			wg.Done()
 		}(instCtx)
 	}

cli/running/running.go

@@ -26,6 +26,7 @@ import (
 	"github.com/tarantool/tt/cli/util/regexputil"
 	libcluster "github.com/tarantool/tt/lib/cluster"
 	"github.com/tarantool/tt/lib/integrity"
+	"golang.org/x/sys/unix"
 )
 
 const defaultDirPerms = 0o770
@@ -751,10 +752,15 @@ func FillCtx(cliOpts *config.CliOpts, cmdCtx *cmdcontext.CmdCtx,
 func RunInstance(ctx context.Context, cmdCtx *cmdcontext.CmdCtx, inst InstanceCtx,
 	stdOut, stdErr io.Writer,
 ) error {
-	for _, dataDir := range [...]string{inst.WalDir, inst.VinylDir, inst.MemtxDir, inst.RunDir} {
-		if err := util.CreateDirectory(dataDir, defaultDirPerms); err != nil {
-			return err
-		}
+	err := util.CreateDirectory(inst.LogDir, defaultDirPerms)
+	if err != nil {
+		return fmt.Errorf("failed to create log directory for instance %q: %s",
+			GetAppInstanceName(inst), err)
+	}
+
+	if err := syscall.Access(inst.LogDir, unix.W_OK); err != nil {
+		return fmt.Errorf("instance %q has non-writable log directory %q: %s",
+			inst.InstName, inst.RunDir, err)
 	}
 
 	logger := ttlog.NewCustomLogger(stdOut, "", 0)
@@ -789,15 +795,19 @@ func RunInstance(ctx context.Context, cmdCtx *cmdcontext.CmdCtx, inst InstanceCt
 
 // Start an Instance.
 func Start(cmdCtx *cmdcontext.CmdCtx, inst *InstanceCtx) error {
-	if err := createInstanceDataDirectories(*inst); err != nil {
-		return fmt.Errorf("failed to create a directory: %s", err)
-	}
 	logger, err := createLogger(inst)
 	if err != nil {
 		return fmt.Errorf("cannot create a logger: %s", err)
 	}
 	logger.Println("[INFO] Start") // Create a log file before any other actions.
 
+	if err := createInstanceDataDirectories(*inst); err != nil {
+		logger.Fatalf("[ERROR] Failed to create data directories for instance %q: %s",
+			inst.InstName,
+			err)
+		return fmt.Errorf("failed to create a directory: %s", err)
+	}
+
 	provider := providerImpl{cmdCtx: cmdCtx, instanceCtx: inst}
 	preStartAction := func() error {
 		if err := process_utils.CreatePIDFile(inst.PIDFile, os.Getpid()); err != nil {
@@ -966,6 +976,17 @@ Cluster config path: %q`, tntVersion.Str, inst.ClusterConfigPath)
 func StartWatchdog(cmdCtx *cmdcontext.CmdCtx, ttExecutable string, instance InstanceCtx,
 	args []string,
 ) error {
+	err := util.CreateDirectory(instance.LogDir, defaultDirPerms)
+	if err != nil {
+		return fmt.Errorf("failed to create log directory for instance %q: %s",
+			GetAppInstanceName(instance), err)
+	}
+
+	if err := syscall.Access(instance.LogDir, unix.W_OK); err != nil {
+		return fmt.Errorf("instance %q has non-writable log directory %q: %s",
+			instance.InstName, instance.RunDir, err)
+	}
+
 	appName := GetAppInstanceName(instance)
 	// If an instance is already running don't try to start it again.
 	// To restart an instance use tt restart command.

test/integration/start/test_start.py

@@ -1,3 +1,5 @@
+import os
+
 import pytest
 import tt_helper
 
@@ -109,3 +111,100 @@ def test_start_multi_inst(tt, tt_app, target):
 )
 def test_start_cluster(tt, tt_app, target):
     check_start(tt, tt_app, target)
+
+
+################################################################
+# Permission denied
+
+
+@pytest.mark.skipif(skip_cluster_cond, reason=skip_cluster_reason)
+@pytest.mark.skipif(
+    os.getuid() == 0,
+    reason="Skipping the test, it shouldn't run as root",
+)
+@pytest.mark.tt_app(**tt_cluster_app)
+@pytest.mark.parametrize(
+    "tt_running_targets",
+    [
+        pytest.param([], id="running:none"),
+    ],
+)
+@pytest.mark.parametrize(
+    "denied_dir, expect_console_error",
+    [
+        pytest.param(["var"], True, id="var_denied"),
+        pytest.param(["var", "log"], True, id="var_log_denied"),
+        pytest.param(["var", "lib"], False, id="var_lib_denied"),
+    ],
+)
+def test_start_permission_denied(tt, tt_app, denied_dir, expect_console_error):
+    target_dir = tt_app.path(*denied_dir)
+    os.makedirs(target_dir, exist_ok=True)
+    os.chmod(target_dir, 0o444)
+
+    try:
+        rc, out = tt.exec("start")
+
+        if expect_console_error:
+            assert rc != 0
+            assert "permission denied" in out.lower()
+        else:
+            assert rc == 0
+
+            logs = list(tt_helper.log_files(tt_app, tt_app.instances))
+            assert utils.wait_files(5, logs)
+
+            error_found = False
+            for log_file in logs:
+                with open(log_file, "r") as f:
+                    if "permission denied" in f.read().lower():
+                        error_found = True
+                        break
+
+            assert error_found, "Permission denied error was not found in logs."
+    finally:
+        os.chmod(target_dir, 0o755)
+
+
+@pytest.mark.skipif(skip_cluster_cond, reason=skip_cluster_reason)
+@pytest.mark.skipif(
+    os.getuid() == 0,
+    reason="Skipping the test, it shouldn't run as root",
+)
+@pytest.mark.tt_app(**tt_cluster_app)
+@pytest.mark.parametrize(
+    "tt_running_targets",
+    [
+        pytest.param([], id="running:none"),
+    ],
+)
+def test_start_permission_denied_permissions_denied_files(tt, tt_app):
+    rc, _ = tt.exec("start")
+    assert rc == 0
+    assert utils.wait_files(5, tt_helper.pid_files(tt_app, tt_app.instances))
+
+    rc, _ = tt.exec("stop", "-y")
+    assert rc == 0
+
+    log_dir = tt_app.path("var", "log")
+    lib_dir = tt_app.path("var", "lib")
+    run_dir = tt_app.path("var", "run")
+
+    dirs_to_lock = []
+    for data_dir in [log_dir, lib_dir, run_dir]:
+        for root, dirs, files in os.walk(data_dir, topdown=False):
+            dirs_to_lock.extend(os.path.join(root, f) for f in files)
+            dirs_to_lock.extend(os.path.join(root, d) for d in dirs)
+        dirs_to_lock.append(data_dir)
+
+    for d in dirs_to_lock:
+        os.chmod(d, 0o444)
+
+    try:
+        rc, out = tt.exec("start")
+        assert rc != 0
+        assert "permission denied" in out.lower()
+    finally:
+        for d in dirs_to_lock:
+            if os.path.exists(d):
+                os.chmod(d, 0o755)