tekton pipeline deploy step fails - can't create directory: './chart/some-folder' permission denied #135

Closed
schijioke-uche opened this issue Jul 19, 2021 · 12 comments · Fixed by #137

schijioke-uche commented Jul 19, 2021

++ cat ./chart/base/Chart.yaml
++ yq r - name

+ export CHART_NAME=base
+ CHART_NAME=base
CHART_NAME: base
+ echo 'CHART_NAME: base'
+ [[ base != \f\o\u\r-\m\e\t\r\i\c\s-\a\p\p ]]
Renaming chart from base to four-metrics-app
+ echo 'Renaming chart from base to four-metrics-app'
+ cp -R ./chart/base ./chart/four-metrics-app
cp: can't create directory './chart/four-metrics-app': Permission denied

DEPLOY-TASK-FAILED

schijioke-uche (Author) commented Jul 19, 2021

Someone has the same issue at ticket#131 and there are 12 other people I know with the same issue - I think this issue is critical. Can this be resolved?

@schijioke-uche (Author)

There are issues with the v2.7.1 deploy task: permission denied. Can you please help fix it?
@triceam
@Hemankita
@seansund

triceam (Contributor) commented Jul 20, 2021

@schijioke-uche What version of OpenShift? And does the user have admin or restricted access?

schijioke-uche (Author) commented Jul 20, 2021

@triceam : v4.7.16 and the user has admin rights on the cluster.
In addition, here is the pipeline applied policy:

  • oc adm policy add-scc-to-user privileged -z pipeline
  • oc adm policy add-role-to-user edit -z pipeline

Thank you.

@schijioke-uche schijioke-uche changed the title tekton pipeline deploy task failed - can't create directory: permission denied tekton pipeline deploy step failed - can't create directory: permission denied Jul 21, 2021
@schijioke-uche schijioke-uche changed the title tekton pipeline deploy step failed - can't create directory: permission denied tekton pipeline deploy step fails - can't create directory: './chart/some-folder' permission denied Jul 21, 2021
@schijioke-uche (Author)

@triceam - any update?

triceam (Contributor) commented Jul 26, 2021

@schijioke-uche We still have not been able to recreate it yet. A few of us are trying to reproduce it.

@lsteck lsteck self-assigned this Jul 26, 2021
@lsteck lsteck added the bug Something isn't working label Jul 26, 2021
@schijioke-uche (Author)

@lsteck : - any update about fixing this bug?

lsteck (Member) commented Aug 2, 2021

@schijioke-uche FYI @triceam @csantanapr

OK, I found the root cause. The GIT-CLONE step is running as root and the DEPLOY step is running as devops.

I've found 2 ways to fix on 4.7. I need to test/verify these on 4.6, so until I can do that and push the fix, to get you going you can edit the ibm-deploy-<version> (example: ibm-deploy-v2-6-13) task in your project namespace and do one of the following:

  1. Add a sudo chown -R "$(whoami)" "${CHART_ROOT}" line above the cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" line that is failing.
  2. Add

    securityContext:
      runAsUser: 10000

     to the git-clone step. For example, it should look like this:

  steps:
    - env:
         <lines omitted> 
      image: quay.io/ibmgaragecloud/alpine-git
      name: git-clone
      securityContext:
        runAsUser: 10000
      resources: {}

FYI, you will have to make the same change to the ibm-helm-release-v2-6-13 task.

lsteck (Member) commented Aug 4, 2021

After testing on OCP 4.6, I believe it is best to put the securityContext on BOTH steps in the deploy task (git-clone & deploy) and the helm-release task (git-clone & package-helm).

TL;DR

On OCP 4.6 it looks like a random UID is selected and both steps in the task are run as the same UID. That is why it currently works.

On OCP 4.7 the git-clone step is running as root and the deploy and package-helm steps are running as user devops as defined in the image: quay.io/ibmgaragecloud/ibmcloud-dev.

@csantanapr (Contributor)

Wow 😯 Interesting find @lsteck

In OpenShift the default SCC is to not run as root. Did you add the privileged SCC to the pipeline service account?

csantanapr (Contributor) commented Aug 6, 2021

@lsteck
I proposed the following fix:

Option 1:
Update any task that is trying to write in the directory /source so that it moves the files to a new directory at the top level of /source, like /source/helm/

The user id in container 2 has write permissions to /source but not to /source/$gitrepofolderhelm, so it should work.

If this doesn't work then I will have the git-clone task do a chmod -R on /source to give read and write access to anyone so any following task can write files inside the git repo folder.

@csantanapr (Contributor)

@schijioke-uche I fixed the issue. Can you verify the fix using the release https://github.com/IBM/ibm-garage-tekton-tasks/releases/tag/v2.7.2
