Pipe failing when run pipe with kustomize flag with permission denied issue

Anton Patronov December 14, 2021

pipe version: 2.2.0

After downloading artifacts from the previous step I try to run apply command with -k flag and I get an error:

(I've added ls command to show file permissions)


+ echo "Skipping git clone"
Skipping git clone

Artifact "deploy/**": Downloading
Artifact "deploy/**": Downloaded 609 B in 0 seconds
Artifact "deploy/**": Extracting
Artifact "deploy/**": Extracted in 0 seconds

Images used:
build : docker.io/atlassian/default-image@sha256:689e2c63e20a48e0a4d31156adcf32b4474dc32b50ab05abe3682b39fb9767a8
+ ls -l deploy
total 8
-rw-r--r--. 1 root root 735 Dec 14 21:00 cronjob.yaml
-rw-r--r--. 1 root root 207 Dec 14 21:00 kustomization.yaml

+ docker container run \
--volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
--volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro \
--volume=/usr/local/bin/docker:/usr/local/bin/docker:ro \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes \
--volume=/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/aws-eks-kubectl-run:/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/aws-eks-kubectl-run \
--workdir=$(pwd) \
--label=org.bitbucket.pipelines.system=true \
--env=BITBUCKET_STEP_TRIGGERER_UUID="$BITBUCKET_STEP_TRIGGERER_UUID" \
--env=BITBUCKET_REPO_FULL_NAME="$BITBUCKET_REPO_FULL_NAME" \
--env=BITBUCKET_GIT_HTTP_ORIGIN="$BITBUCKET_GIT_HTTP_ORIGIN" \
--env=BITBUCKET_PROJECT_UUID="$BITBUCKET_PROJECT_UUID" \
--env=BITBUCKET_REPO_IS_PRIVATE="$BITBUCKET_REPO_IS_PRIVATE" \
--env=BITBUCKET_WORKSPACE="$BITBUCKET_WORKSPACE" \
--env=BITBUCKET_DEPLOYMENT_ENVIRONMENT_UUID="$BITBUCKET_DEPLOYMENT_ENVIRONMENT_UUID" \
--env=BITBUCKET_REPO_OWNER_UUID="$BITBUCKET_REPO_OWNER_UUID" \
--env=BITBUCKET_BRANCH="$BITBUCKET_BRANCH" \
--env=BITBUCKET_REPO_UUID="$BITBUCKET_REPO_UUID" \
--env=BITBUCKET_PROJECT_KEY="$BITBUCKET_PROJECT_KEY" \
--env=BITBUCKET_DEPLOYMENT_ENVIRONMENT="$BITBUCKET_DEPLOYMENT_ENVIRONMENT" \
--env=BITBUCKET_REPO_SLUG="$BITBUCKET_REPO_SLUG" \
--env=CI="$CI" \
--env=BITBUCKET_REPO_OWNER="$BITBUCKET_REPO_OWNER" \
--env=BITBUCKET_STEP_RUN_NUMBER="$BITBUCKET_STEP_RUN_NUMBER" \
--env=BITBUCKET_BUILD_NUMBER="$BITBUCKET_BUILD_NUMBER" \
--env=BITBUCKET_GIT_SSH_ORIGIN="$BITBUCKET_GIT_SSH_ORIGIN" \
--env=BITBUCKET_PIPELINE_UUID="$BITBUCKET_PIPELINE_UUID" \
--env=BITBUCKET_COMMIT="$BITBUCKET_COMMIT" \
--env=BITBUCKET_CLONE_DIR="$BITBUCKET_CLONE_DIR" \
--env=PIPELINES_JWT_TOKEN="$PIPELINES_JWT_TOKEN" \
--env=BITBUCKET_STEP_UUID="$BITBUCKET_STEP_UUID" \
--env=BITBUCKET_DOCKER_HOST_INTERNAL="$BITBUCKET_DOCKER_HOST_INTERNAL" \
--env=DOCKER_HOST="tcp://host.docker.internal:2375" \
--env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
--env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/aws-eks-kubectl-run" \
--env=AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
--env=AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION" \
--env=AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
--env=CLUSTER_NAME="dev1-eks-cluster" \
--env=KUBECTL_APPLY_ARGS="-k" \
--env=KUBECTL_COMMAND="apply" \
--env=RESOURCE_PATH="./deploy" \
--env=WITH_DEFAULT_LABELS="true" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
bitbucketpipelines/aws-eks-kubectl-run:2.2.0
Unable to find image 'bitbucketpipelines/aws-eks-kubectl-run:2.2.0' locally
2.2.0: Pulling from bitbucketpipelines/aws-eks-kubectl-run
Digest: sha256:4a9e431a82bb96676ba3ae38c24e2e49b38d5ada4925fa973622ee4ee6ad7dfa
Status: Downloaded newer image for bitbucketpipelines/aws-eks-kubectl-run:2.2.0
INFO: Configuring kubeconfig...
Added new context arn:aws:eks:us-east-1:<aws-account-id>:cluster/eks-cluster to /root/.kube/config
INFO: Successfully updated the kube config.
WARNING: "/" is not allowed in kubernetes labels. Slashes will be replaced by a dash "-" in the "bitbucket.org/bitbucket_commit" label value.For more information you can check the official kubernetes docshttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
Traceback (most recent call last):
  File "/pipe.py", line 47, in <module>
    pipe.run()
  File "/root/.local/lib/python3.8/site-packages/kubectl_run/pipe.py", line 157, in run
    self.handle_apply()
  File "/root/.local/lib/python3.8/site-packages/kubectl_run/pipe.py", line 114, in handle_apply
    self.update_labels_in_metadata(template_file, labels)
  File "/root/.local/lib/python3.8/site-packages/kubectl_run/pipe.py", line 39, in update_labels_in_metadata
    with open(template, 'w') as template_file:
PermissionError: [Errno 13] Permission denied: './deploy/cronjob.yaml'
Searching for files matching artifact pattern .bitbucket/pipelines/generated/pipeline/pipes/**

Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.

 

Repro steps:

- Artifacts with some k8s manifest and kustomization file

script:
  - pipe: atlassian/aws-eks-kubectl-run:2.2.0
    variables:
      CLUSTER_NAME: "eks-cluster"
      KUBECTL_COMMAND: "apply"
      KUBECTL_APPLY_ARGS: "-k"
      RESOURCE_PATH: "./deploy"
      WITH_DEFAULT_LABELS: "true"

1 answer

Answer accepted
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 15, 2021

Hello @Anton Patronov ,

Welcome to the Atlassian Community!

From the pipeline logs you've shared with us, I see that the deploy folder is an artifact, and it looks like the artifacts' default permissions (-rw-r--r--) are not enough for your use case.

That being said, could you please try adding the following command in the same step as your pipe, right before the pipe is executed?

chmod -R 777 <path to the folder>

This will set full permissions for the files within the provided folder. Your YAML file would look like the following:

script:
  - chmod -R 777 <path to the folder>
  - pipe: atlassian/aws-eks-kubectl-run:2.2.0
    variables:
      CLUSTER_NAME: "eks-cluster"
      KUBECTL_COMMAND: "apply"
      KUBECTL_APPLY_ARGS: "-k"
      RESOURCE_PATH: "./deploy"
      WITH_DEFAULT_LABELS: "true"

Let me know if that works for you and if you have any other questions, we'll be glad to help :)

Thanks @Anton Patronov !

Kind regards,

Patrik S

Anton Patronov December 15, 2021

Yes, that is what I've done. But I thought that this pipe should work as root. Seems like it doesn't.

Patrik S
Atlassian Team
December 15, 2021

Hello @Anton Patronov  ,

Great to know that using chmod to set the permissions did work.

Just to give you some background, artifacts are downloaded by the root user and have -rw-r--r-- as their default permissions, but the pipe itself is run by a non-root user. The non-root user running the pipe didn't have enough privileges to run the commands of your use case, and thus you were getting the error.

Do let us know if you have any questions.

Thanks, @Anton Patronov !

Kind regards,

Patrik S
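
A narrower alternative to chmod -R 777, given as an added example that is not part of the thread or of Atlassian's documentation: it gives the non-root pipe user write access only to the YAML manifests the pipe rewrites. It assumes the pipe user is neither the owner nor in the group of the root-owned artifacts and that the pipe only rewrites existing files, as the open(template, 'w') call in the traceback shows; the function name fix_manifest_perms is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: artifacts are owned by
# root:root with mode 644 as in the ls output above, the pipe user is neither
# owner nor group member, and the pipe only rewrites existing manifests.

# fix_manifest_perms DIR  (hypothetical helper name)
#   Directories : add o+rx so the pipe user can traverse and list them.
#   *.yaml/*.yml: add o+rw, because the pipe opens them with open(..., 'w').
#   No execute bit is added to files, other files are left alone, and
#   symlinks are skipped (-type f does not match them).
# Prints every manifest whose mode it changed; returns 1 if DIR is missing.
fix_manifest_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "fix_manifest_perms: not a directory: $dir" >&2
        return 1
    fi
    find "$dir" -type d -exec chmod o+rx {} +
    # -perm -0002 is true when the "other" write bit is already set,
    # so files that need no change are neither printed nor touched.
    find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        ! -perm -0002 -print -exec chmod o+rw {} +
}

# Usage, once the function is defined or sourced in the step's script:
#   fix_manifest_perms ./deploy
```

Directories stay non-writable for the pipe user, so a pipe that had to create new files under the resource path would still fail with this mode set.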

Anton Patronov December 15, 2021

but Pipe itself is run by non root user.

That's what I thought. Maybe this behavior should be described somewhere in the documentation. Because I run the pipeline on the cloud agents and use the default docker image provided by Atlassian and I don't do any changes with the file permissions during the previous steps and I expected that this pipe should work out of the box in my case...

Patrik S
Atlassian Team
December 15, 2021

Hello @Anton Patronov ,

I understand your point and will make sure the suggestion to include these details in our public documentation is shared internally with the concerned teams :)

Kind regards,

Patrik S
