Comments (12)
Someone has the same issue at ticket#131 and there are 12 other people I know with the same issue - I think this issue is critical. Can this be resolved?
from ibm-garage-tekton-tasks.
There are issues with the v2.7.1 deploy task: permission denied. Can you please help fix it?
@triceam
@Hemankita
@seansund
from ibm-garage-tekton-tasks.
@schijioke-uche What version of OpenShift? And does the user have admin or restricted access?
from ibm-garage-tekton-tasks.
@triceam : v4.7.16 and the user has admin rights on the cluster.
In addition, here is the pipeline applied policy:
- oc adm policy add-scc-to-user privileged -z pipeline
- oc adm policy add-role-to-user edit -z pipeline
Thank you.
from ibm-garage-tekton-tasks.
@triceam - any update?
from ibm-garage-tekton-tasks.
@schijioke-uche still have not been able to recreate it yet. A few of us are trying to reproduce it
from ibm-garage-tekton-tasks.
@lsteck : - any update about fixing this bug?
from ibm-garage-tekton-tasks.
@schijioke-uche FYI @triceam @csantanapr
OK, I found root cause. GIT-CLONE step is running as root and DEPLOY step is running as devops.
I've found 2 ways to fix on 4.7. I need to test/verify these on 4.6 so until I can do that and push the fix to get you going you can edit the `ibm-deploy-<version>` (example `ibm-deploy-v2-6-13`) task in your project namespace and do one of the following:
- Add `sudo chown -R "$(whoami)" "${CHART_ROOT}"` line above the `cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}"` line that is failing
- Add
```yaml
securityContext:
  runAsUser: 10000
```
to the git-clone step

For example it should look like this
```yaml
steps:
  - env:
      # <lines omitted>
    image: quay.io/ibmgaragecloud/alpine-git
    name: git-clone
    securityContext:
      runAsUser: 10000
    resources: {}
```
FYI you will have to make the same change to `ibm-helm-release-v2-6-13` task
from ibm-garage-tekton-tasks.
After testing on OCP 4.6 I believe it is best to put the securityContext on BOTH steps in deploy task (git-clone & deploy) and helm-release task (git-clone & package-helm).
TL;DR
On ocp 4.6 it looks like a random UID is selected and both steps in the task are run as the same UID. That is why it currently works.
On ocp 4.7 the git-clone step is running as root and the deploy and package-helm steps are running as user devops as defined in the image: quay.io/ibmgaragecloud/ibmcloud-dev
from ibm-garage-tekton-tasks.
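An added example, not part of the thread or the project's code: a small audit over a Task's JSON (the shape `oc get task <name> -o json` returns) that flags steps whose UID is unpinned, root, or different from the other steps, which is the ownership mismatch diagnosed above. The sample Task is constructed and trimmed; `audit_task` and `pin_uid` are hypothetical helper names, and 10000 is the UID suggested in the thread.

```python
import copy
import json

# Constructed sample: a trimmed Task shaped like the deploy task in this thread.
# Only git-clone pins a UID; deploy is left to the image and the SCC.
SAMPLE_TASK = json.loads("""
{"metadata": {"name": "ibm-deploy-v2-6-13"},
 "spec": {"steps": [
   {"name": "git-clone", "image": "quay.io/ibmgaragecloud/alpine-git",
    "securityContext": {"runAsUser": 10000}},
   {"name": "deploy", "image": "quay.io/ibmgaragecloud/ibmcloud-dev"}]}}
""")

def effective_uid(step, step_template):
    """UID pinned on the step, else on spec.stepTemplate, else None."""
    for source in (step, step_template):
        uid = (source.get("securityContext") or {}).get("runAsUser")
        if uid is not None:
            return uid
    return None

def audit_task(task):
    """Findings for steps that may disagree on file ownership in the shared workspace."""
    spec = task["spec"]
    template = spec.get("stepTemplate") or {}
    uids = {s["name"]: effective_uid(s, template) for s in spec.get("steps", [])}
    findings = []
    for name, uid in uids.items():
        if uid is None:
            findings.append(f"{name}: runAsUser not set, UID depends on image and SCC")
        elif uid == 0:
            findings.append(f"{name}: runs as root")
    pinned = {u for u in uids.values() if u is not None}
    if len(pinned) > 1:
        findings.append(f"steps pin different UIDs: {sorted(pinned)}")
    return findings

def pin_uid(task, uid=10000):
    """Copy of the task with the same non-root runAsUser on every step."""
    fixed = copy.deepcopy(task)
    for step in fixed["spec"]["steps"]:
        sc = dict(step.get("securityContext") or {})
        sc["runAsUser"] = uid
        step["securityContext"] = sc
    return fixed

if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK))
    print(audit_task(pin_uid(SAMPLE_TASK)))
```

An empty findings list means every step resolves to the same pinned, non-root UID, so files written by the clone step stay writable by the later steps.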
Wow 😯 Interesting find @lsteck
In OpenShift the default scc is to not run as root, did you add privilege scc to the pipeline service account?
from ibm-garage-tekton-tasks.
@lsteck
I proposed the following fix
Option 1:
Update any task that is trying to write in the directory /source so that it moves the files to a new directory at the top level /source like /source/helm/
The user id in container 2 has write permissions to /source but not to /source/$gitrepofokderhelm so it should work
If this doesn't work then I will have the git-clone task do a chmod -R on /source to give read and write access to anyone so any following task can write files inside the git repo folder
from ibm-garage-tekton-tasks.
@schijioke-uche I fixed the issue. Can you verify the fix using the release https://github.com/IBM/ibm-garage-tekton-tasks/releases/tag/v2.7.2
from ibm-garage-tekton-tasks.