Buildpack Task still requires privileged access (run image: run-jammy-full) #1296

Open
novellat opened this issue Aug 8, 2024 · 2 comments

Comments


novellat commented Aug 8, 2024

It is failing in the create step.

2024/08/07 13:37:33 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".gitconfig" from "/tekton/creds" to "/": unable to open destination: open /.gitconfig: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".git-credentials" from "/tekton/creds" to "/": unable to open destination: open /.git-credentials: permission denied
ERROR: failed to exec as user 1001:1001: operation not permitted

Seems that it needs the root folder for whatever reason.
I've even tried to update the platform to 0.14, didn't help.

This is how it's called.

env:
  - name: CNB_PLATFORM_API
    value: '0.9'
  - name: DOCKER_CONFIG
name: create
resources: {}
args:
  - '-app=/workspace/source/.'
  - '-cache-dir=/workspace/cache'
  - '-cache-image=/workspace/cache'
  - '-uid=1001'
  - '-gid=1001'
  - '-layers=/layers'
  - '-platform=/platform'
  - '-report=/layers/report.toml'
  - '-process-type=web'
  - '-skip-restore=false'
  - '-previous-image=OUR_ARTIFACTORY/backstage-docker-local/bcp-diagnostics-bp-tkn-test:0.1.0.alpha'
  - '-run-image=OUR_ARTIFACTORY/dockerio/paketobuildpacks/run-jammy-full' # <<---MIND THIS, we updated it
  - OUR_ARTIFACTORY/backstage-docker-local/bcp-diagnostics-bp-tkn-test:0.1.0.alpha
command:
  - /cnb/lifecycle/creator
image: OUR_ARTIFACTORY/dockerio/paketobuildpacks/builder-jammy-base
imagePullPolicy: Always
securityContext:
  runAsGroup: 1000
  runAsUser: 1000
volumeMounts:
  - mountPath: /layers
    name: layers-dir
  - mountPath: /platform
    name: empty-dir

Why is it touching the root folder?
The quick fix is obvious, change the security context, but ideally we wouldn't do that....

@vdemeester
Member

2024/08/07 13:37:33 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".gitconfig" from "/tekton/creds" to "/": unable to open destination: open /.gitconfig: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".git-credentials" from "/tekton/creds" to "/": unable to open destination: open /.git-credentials: permission denied
ERROR: failed to exec as user 1001:1001: operation not permitted

Seems like HOME is not set (or set to /), which means it tries to copy things to $HOME/.gitconfig, which translates to /.gitconfig, and / is root-owned. Setting the HOME env would help fix those (but those are warnings, the "credential" files are still there in /tekton/creds/…)
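
An added example, not part of the thread or of the Tekton or buildpacks code: a small triage script that separates the credential-copy warnings from the fatal error in the log above and flags the case the comment describes, where the copy destination is `/`. The log lines are copied from the issue; the function names `triage` and `summarize` are hypothetical.

```python
import re

# Log lines copied from the issue above.
SAMPLE_LOG = '''\
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".gitconfig" from "/tekton/creds" to "/": unable to open destination: open /.gitconfig: permission denied
2024/08/07 13:37:33 warning: unsuccessful cred copy: ".git-credentials" from "/tekton/creds" to "/": unable to open destination: open /.git-credentials: permission denied
ERROR: failed to exec as user 1001:1001: operation not permitted
'''

# Shape of the warning line as it appears in the log above.
CRED_COPY = re.compile(
    r'warning: unsuccessful cred copy: "(?P<name>[^"]+)" '
    r'from "(?P<src>[^"]+)" to "(?P<dest>[^"]*)": (?P<reason>.+)$'
)


def triage(log_text):
    """Split a step log into cred-copy warnings and ERROR lines."""
    warnings, errors = [], []
    for line in log_text.splitlines():
        m = CRED_COPY.search(line)
        if m:
            w = m.groupdict()
            # Per the comment above: a destination of "/" means HOME was
            # unset or set to "/", so the copy targeted a root-owned directory.
            w["home_is_root"] = w["dest"].rstrip("/") == ""
            warnings.append(w)
        elif line.startswith("ERROR:"):
            errors.append(line)
    return warnings, errors


def summarize(log_text):
    """Report whether HOME looks unset, which files were skipped, and fatal lines."""
    warnings, errors = triage(log_text)
    return {
        "home_unset_or_root": bool(warnings) and all(w["home_is_root"] for w in warnings),
        "files_not_copied": [w["name"] for w in warnings],
        "fatal": errors,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```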

@novellat
Author

Interesting. What shall one set home to though? Using this outdated guy https://raw.githubusercontent.com/tektoncd/catalog/master/task/buildpacks/0.6/buildpacks.yaml
