Set `umask 0000` before executing scripts for k8s executor
What does this MR do?
For kubernetes executor, run umask 0000 before running any scripts so the build folders are created with proper permissions that allow a non-privileged user to write to.
Why was this MR needed?
This is to fix https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/issues/2570
When the runner image is set to use a non-privileged user, kubernetes executor reports permission denied while trying to dump variables such as CI_SERVER_TLS_KEY_FILE to $BUILDS_DIR/${PROJECT}.tmp folder.
Are there points in the code the reviewer needs to double check?
There's already a MR that fixes the issue but I feel changing the permission of files for all executors is a broad change. This MR fixes the issue by only changing what's affected.
Does this MR meet the acceptance criteria?
-
Documentation created/updated - Tests
-
Added for this feature/bug -
All builds are passing
-
-
Branch has no merge conflicts with master(if you do - rebase it please)
What are the relevant issue numbers?
Closes #2570 (closed)
Merge request reports
Activity
We do this with the docker executor, and it's a frequent source of complaints and security issues.
I'd rather we found an alternative approach here, such as allowing the user to specify chmod+chown parameters for the setup, or magically autodetecting the requirements of the image somehow.
Edited by Nick Thomas@nick.thomas Sure I agree a more holistic approach is needed. But as it stands, we cannot use kubernetes executor with non-privileged user without this fix. Is it possible to have this workaround merged and look for a more appropriate fix later?
Let me know if there's anything I can help in any way.
@ayufan @tmaczukin Please review.
Hello @hierarchicalpolymorphist, thank you for you MR.
This issue has already been addressed in https://gitlab.com/gitlab-org/gitlab-runner/merge_requests/655 so I'm closing this MR.
