-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permission denied when checking out source to /workspace #1608
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
Doh! while it is mounted and then working in the previous initContainer step I guess the reason is when we did the refactoring we have missed the volumeMounting in there : https://github.com/tektoncd/pipeline/blob/master/pkg/pod/workingdir_init.go#L77-L82 /cc @imjasonh /assign |
chmouel
added a commit
to chmouel/tektoncd-pipeline
that referenced
this issue
Nov 23, 2019
Mounting volume was dropped when we did the large refactoring in d7f492c which basically making it ineffective and fails when not running as root. Readding it in there Closes tektoncd#1608 Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
chmouel
added a commit
to chmouel/tektoncd-pipeline
that referenced
this issue
Nov 23, 2019
Mounting volume was dropped when we did the large refactoring in d7f492c which basically making it ineffective and fails when not running as root. Readding it in there Closes tektoncd#1608 Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
chmouel
added a commit
to chmouel/tektoncd-pipeline
that referenced
this issue
Nov 24, 2019
Mounting volume was dropped when we did the large refactoring in d7f492c which basically making it ineffective and fails when not running as root. Readding it in there Closes tektoncd#1608 Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
When checking out a
PipelineResource
with a Git resource checking it out in/workspace
which run as user (as for example by default on OpenShift) the Git repository would probably be checked out in/workspace/src
.Actual Behavior
This would be denied and can't create directory in
/workspace
Steps to Reproduce the Problem
This is maybe an OpenShift specific issue or a K8s with a hardened policy to force running the pods as random user instead of privileged.
Running this on OpenShift4.2 with a simple Task with a PipelineResource of Git will do, i.e:
and run it with :
Additional Info
Weirdly enough this only appeared lately like for the last two weeks or so but can't find anything obvious in the git logs (perhaps that's an OpenShift 4.2 specific bug too).
Debugging a bit into this, this would fail into the
initContainers
that initialize the/workspace
directories.The first container which does the
credsInit
run fine and adding some debugs I can see that I have the sticky bit set to be able to write into/workspace
:While the second
initContainer
which does thedir-init
step would fail, adding als -l
just before doing themkdir -p
I can see that the the sticky bit has dropped in there andmkdir
would fail because we are running as user and directory is set as root :/kind bug
The text was updated successfully, but these errors were encountered: