GIT_SYNC_PERMISSIONS not working for non-root user

[shubhamc183]

I am able to do a GIT clone with a non-root user i.e via different UID and GID passes as podSecurityContext.runAsUser and podSecurityContext.fsGroup.

But while using GIT_SYNC_PERMISSIONS, argument, as "0755" I am getting this below error.

INFO: detected pid 1, running init handler
I0317 12:48:55.834540      11 main.go:321]  "level"=0 "msg"="starting up"  "args"=["/git-sync"] "pid"=11
I0317 12:48:55.834621      11 main.go:574]  "level"=0 "msg"="cloning repo"  "origin"="git@bitbucket.org:XXXX/YYYY.git" "path"="/workspace"
I0317 12:49:26.223966      11 main.go:480]  "level"=0 "msg"="syncing git"  "hash"="719007cc322f9cd1d1e3141c99f899e2be860a8c" "rev"="HEAD"
I0317 12:49:27.144134      11 main.go:501]  "level"=0 "msg"="adding worktree"  "branch"="origin/feature_1.0" "path"="/workspace/rev-719007cc322f9cd1d1e3141c99f899e2be860a8c"
I0317 12:49:27.164566      11 main.go:524]  "level"=0 "msg"="reset worktree to hash"  "hash"="719007cc322f9cd1d1e3141c99f899e2be860a8c" "path"="/workspace/rev-719007cc322f9cd1d1e3141c99f899e2be860a8c"
I0317 12:49:27.164676      11 main.go:528]  "level"=0 "msg"="updating submodules"  
I0317 12:49:27.196228      11 main.go:541]  "level"=0 "msg"="changing file permissions"  "mode"="01363"
E0317 12:49:27.197236      11 main.go:347]  "msg"="failed to sync repo, aborting" "error"="error running command: exit status 1: { stdout: \"\", stderr: \"chmod: cannot read directory '/workspace/rev-719007cc322f9cd1d1e3141c99f899e2be860a8c': Permission denied\\n\" }" 

YAML Configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: poc
spec:
  selector:
    matchLabels:
      app: poc
  replicas: 1
  template:
    metadata:
      labels:
        app: poc
    spec:
      securityContext:
        runAsUser: 1004
        fsGroup: 1004
      containers:
        - name: busybox
          image: busybox
          volumeMounts:
          - name: buildproperties
            mountPath: /opt/deployment/data # /opt/deployment is already present
            subPath: data
          stdin: true
      initContainers:
      - name: git-sync
        image: k8s.gcr.io/git-sync/git-sync:v3.2.2
        volumeMounts:
        - name: buildproperties
          mountPath: "/workspace"
        - name: ssh-key
          mountPath: /etc/git-secret/
          readOnly: true
        env:
        - name: GIT_SYNC_SSH
          value: "true"
        - name: GIT_KNOWN_HOSTS
          value: "false"
        - name: GIT_SYNC_REPO
          value: git@bitbucket.org:XXX/YYY.git
        - name: GIT_SYNC_BRANCH
          value: "master"
        - name: GIT_SYNC_DEST
          value: "data"
        - name: GIT_SYNC_ONE_TIME
          value: "true"
        - name: GIT_SYNC_PERMISSIONS
          value: "0777"
        - name: GIT_SYNC_ADD_USER
          value: "true"
        - name: GIT_SYNC_ROOT
          value: "/workspace"
      volumes:
      - name: buildproperties
        emptyDir: {}
      - name: ssh-key
        secret:
          secretName: bitbucket-ssh-key
          defaultMode: 0400

#97 (comment)

[shubhamc183]

@thockin

[thockin]

I0317 12:49:27.196228 11 main.go:541] "level"=0 "msg"="changing file permissions" "mode"="01363"

Weird. 01363 is octal for decimal 755.

The YAML you showed here says "0777" which doesn't match at all. Is this actually the YAML you used?

Some manual tests with k8s.gcr.io/git-sync/git-sync:v3.2.2

$ /git-sync -repo https://github.com/kubernetes/git-sync -root=/tmp/git -change-permissions=0755
I0318 16:45:06.955203      16 main.go:430]  "level"=0 "msg"="starting up"  "args"=["/git-sync","-repo","https://github.com/kubernetes/git-sync","-root=/tmp/git","-change-permissions=0755"] "pid"=16
I0318 16:45:06.955249      16 main.go:694]  "level"=0 "msg"="cloning repo"  "origin"="https://github.com/kubernetes/git-sync" "path"="/tmp/git"
I0318 16:45:07.985286      16 main.go:586]  "level"=0 "msg"="syncing git"  "hash"="d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e" "rev"="HEAD"
I0318 16:45:08.472248      16 main.go:607]  "level"=0 "msg"="adding worktree"  "branch"="origin/master" "path"="/tmp/git/rev-d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e"
I0318 16:45:08.493804      16 main.go:630]  "level"=0 "msg"="reset worktree to hash"  "hash"="d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e" "path"="/tmp/git/rev-d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e"
I0318 16:45:08.493855      16 main.go:635]  "level"=0 "msg"="updating submodules"  
I0318 16:45:08.530480      16 main.go:652]  "level"=0 "msg"="changing file permissions"  "mode"="0755"
^C

So the cmdline flag works

$ GIT_SYNC_PERMISSIONS=0755 /git-sync -repo https://github.com/kubernetes/git-sync -root=/tmp/git
I038 16:47:06.673523     220 main.go:430]  "level"=0 "msg"="starting up"  "args"=["/git-sync","-repo","https://github.com/kubernetes/git-sync","-root=/tmp/git"] "pid"=220
I0318 16:47:06.673670     220 main.go:694]  "level"=0 "msg"="cloning repo"  "origin"="https://github.com/kubernetes/git-sync" "path"="/tmp/git"
I0318 16:47:07.629322     220 main.go:586]  "level"=0 "msg"="syncing git"  "hash"="d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e" "rev"="HEAD"
I0318 16:47:08.104860     220 main.go:607]  "level"=0 "msg"="adding worktree"  "branch"="origin/master" "path"="/tmp/git/rev-d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e"
I0318 16:47:08.127173     220 main.go:630]  "level"=0 "msg"="reset worktree to hash"  "hash"="d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e" "path"="/tmp/git/rev-d89ac710a2a6ead199fed3b3dd357adcdf8a5c6e"
I0318 16:47:08.127213     220 main.go:635]  "level"=0 "msg"="updating submodules"  
I0318 16:47:08.157185     220 main.go:652]  "level"=0 "msg"="changing file permissions"  "mode"="0755"
^C

So the env var seems to work. Something is not connecting between the error
lines you posted and the YAML you posted.

A few things to try:

1. make SURE the YAML you post is the YAML that corresponds to the errors shown.
2. try the -change-permissions=0755 flag instead of the env var?
3. make SURE you say "0755" and not "755"

If you can repro, maybe reduce it further?

$ docker run -ti -u 12345 --entrypoint sh k8s.gcr.io/git-sync/git-sync:v3.2.2

This gives you a shell with a non-root user. Then you can run git-sync
manually as I showed above. Remove anything that is not needed to show the
problem.

[shubhamc183]

I passed "0755" only when I got the error. I pasted the "0777" which was wrong.

I still get the same error.

NFO: detected pid 1, running init handler
I0319 17:29:09.805772      17 main.go:321]  "level"=0 "msg"="starting up"  "args"=["/git-sync"] "pid"=17
I0319 17:29:09.805863      17 main.go:574]  "level"=0 "msg"="cloning repo"  "origin"="git@bitbucket.org:XXX/YYYY.git" "path"="/workspace"
I0319 17:29:12.461170      17 main.go:480]  "level"=0 "msg"="syncing git"  "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "rev"="HEAD"
I0319 17:29:13.502120      17 main.go:501]  "level"=0 "msg"="adding worktree"  "branch"="origin/master" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc"
I0319 17:29:13.504833      17 main.go:524]  "level"=0 "msg"="reset worktree to hash"  "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc"
I0319 17:29:13.504872      17 main.go:528]  "level"=0 "msg"="updating submodules"  
I0319 17:29:13.529875      17 main.go:541]  "level"=0 "msg"="changing file permissions"  "mode"="01363"
E0319 17:29:13.530934      17 main.go:347]  "msg"="failed to sync repo, aborting" "error"="error running command: exit status 1: { stdout: \"\", stderr: \"chmod: cannot read directory '/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc': Permission denied\\n\" }"  

But, when I passed in as args in the YAML I see "mode"="0755" only instead of its octal value. 01363, and the file permissions are changing.

INFO: detected pid 1, running init handler
I0319 17:36:14.088179      12 main.go:321]  "level"=0 "msg"="starting up"  "args"=["/git-sync","-change-permissions=0755"] "pid"=12
I0319 17:36:14.088289      12 main.go:574]  "level"=0 "msg"="cloning repo"  "origin"="git@bitbucket.org:XXXX/YYYY.git" "path"="/workspace"
I0319 17:36:53.601088      12 main.go:480]  "level"=0 "msg"="syncing git"  "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "rev"="HEAD"
I0319 17:36:53.898264      12 main.go:501]  "level"=0 "msg"="adding worktree"  "branch"="origin/master" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc"
I0319 17:36:53.901320      12 main.go:524]  "level"=0 "msg"="reset worktree to hash"  "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc"
I0319 17:36:53.901366      12 main.go:528]  "level"=0 "msg"="updating submodules"  
I0319 17:36:53.928367      12 main.go:541]  "level"=0 "msg"="changing file permissions"  "mode"="0755"

[thockin]

Can you paste both YAMLs EXACTLY as you use them? It's possible something is parsing when it shouldn't be, but it's not in git-sync itself.

…

On Fri, Mar 19, 2021 at 10:43 AM Shubham Choudhary ***@***.***> wrote: I passed "0755" only when I got the error. I pasted the "0777" which was wrong. I still get the same error. NFO: detected pid 1, running init handler I0319 17:29:09.805772 17 main.go:321] "level"=0 "msg"="starting up" "args"=["/git-sync"] "pid"=17 I0319 17:29:09.805863 17 main.go:574] "level"=0 "msg"="cloning repo" ***@***.***:XXX/YYYY.git" "path"="/workspace" I0319 17:29:12.461170 17 main.go:480] "level"=0 "msg"="syncing git" "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "rev"="HEAD" I0319 17:29:13.502120 17 main.go:501] "level"=0 "msg"="adding worktree" "branch"="origin/master" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc" I0319 17:29:13.504833 17 main.go:524] "level"=0 "msg"="reset worktree to hash" "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc" I0319 17:29:13.504872 17 main.go:528] "level"=0 "msg"="updating submodules" I0319 17:29:13.529875 17 main.go:541] "level"=0 "msg"="changing file permissions" "mode"="01363" E0319 17:29:13.530934 17 main.go:347] "msg"="failed to sync repo, aborting" "error"="error running command: exit status 1: { stdout: \"\", stderr: \"chmod: cannot read directory '/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc': Permission denied\\n\" }" But, when I passed in as args in the YAML I see "mode"="0755" only instead of its octal value. 01363, and the file permissions are changing. INFO: detected pid 1, running init handler I0319 17:36:14.088179 12 main.go:321] "level"=0 "msg"="starting up" "args"=["/git-sync","-change-permissions=0755"] "pid"=12 I0319 17:36:14.088289 12 main.go:574] "level"=0 "msg"="cloning repo" ***@***.***:XXXX/YYYY.git" "path"="/workspace" I0319 17:36:53.601088 12 main.go:480] "level"=0 "msg"="syncing git" "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "rev"="HEAD" I0319 17:36:53.898264 12 main.go:501] "level"=0 "msg"="adding worktree" "branch"="origin/master" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc" I0319 17:36:53.901320 12 main.go:524] "level"=0 "msg"="reset worktree to hash" "hash"="853e02460e42531d6d5704467e79c9a7fbbbc1fc" "path"="/workspace/rev-853e02460e42531d6d5704467e79c9a7fbbbc1fc" I0319 17:36:53.901366 12 main.go:528] "level"=0 "msg"="updating submodules" I0319 17:36:53.928367 12 main.go:541] "level"=0 "msg"="changing file permissions" "mode"="0755" — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#363 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVBKCW4TWUJQZCGBT33TEOELZANCNFSM4ZMDKG7A> .

[shubhamc183]

Oh, my bad!

I was using version v3.1.6 actually but after correcting it to v3.2.2 the environment variable,GIT_SYNC_PERMISSIONS: 0755, chmod is working fine.