Container pods fail with EACCES when using a custom user #3517
Labels: bug, gha-runner-scale-set, needs triage
Controller Version
0.9.0
Deployment Method
Helm
To Reproduce
Describe the bug
The worker fails, with this error:
EACCES: permission denied, open '/__w/_temp/_runner_file_commands/set_env_8e7dea0f-bec9-4fd6-9b11-824b0bb16a6c'
When running `id` in the workflow pod, the container user is correctly added to the group `1001`. The issue seems to be that the runner pod creates the files, but they are not writable by the runner group, only the runner user (note the mode is `-rw-r--r--`, not `-rw-rw-r--`):

Describe the expected behavior
I expect the container to be able to run, as long as it has the correct `fsGroup` applied. If I instead set `securityContext.runAsUser: 1001`, it gets further, but later fails because our functionality expects the UID to match what the image was built with.

Additional Context
Runner `values.yaml`:

`templates` ConfigMap:

This is the same error message as #3505, except the container `fsGroup` is set using the hook.

Controller Logs
https://gist.github.com/kwohlfahrt/1d45d62aa963e4a4eec2ca6b04c2cc19
Runner Pod Logs
https://gist.github.com/kwohlfahrt/1d45d62aa963e4a4eec2ca6b04c2cc19 (note the runner logs are from a different run, I didn't manage to capture both at the same time).
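
The permission check behind the report, as an added example (not code from the issue or from actions-runner-controller): a file with mode `-rw-r--r--` stays read-only for a process that only shares its group, while `-rw-rw-r--` or running as the owning UID grants write. The function names, the temporary file and the second UID are constructed for illustration, and the model assumes a non-root process without `CAP_DAC_OVERRIDE` and no ACLs.

```python
import os
import stat
import tempfile

# Write bit for each POSIX permission class.
WRITE_BIT = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}

def permission_class(st, uid, gids):
    """Pick the single class that is consulted: owner first, then group, then other."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def explain_write(path, uid, gids):
    """Report the mode string, the class that applies, and whether write is granted.
    Models a non-root process without CAP_DAC_OVERRIDE (assumption)."""
    st = os.stat(path)
    cls = permission_class(st, uid, gids)
    return {
        "mode": stat.filemode(st.st_mode),
        "class": cls,
        "writable": bool(st.st_mode & WRITE_BIT[cls]),
    }

def demo():
    """Replay the report's scenario on a constructed temporary file."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "set_env_example")  # constructed file name
        open(path, "w").close()
        st = os.stat(path)
        runner_uid, runner_gid = st.st_uid, st.st_gid  # stand-ins for the runner user and group
        image_uid = runner_uid + 1                     # constructed: any UID other than the owner
        os.chmod(path, 0o644)  # mode the report observed
        out["0644, group member"] = explain_write(path, image_uid, {runner_gid})
        out["0644, owner"] = explain_write(path, runner_uid, {runner_gid})
        os.chmod(path, 0o664)  # mode the report expected
        out["0664, group member"] = explain_write(path, image_uid, {runner_gid})
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Inside a pod, calling `explain_write` on a file under `/__w/_temp/_runner_file_commands/` with the output of `id` shows which class the container user falls into.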