Upgrade from v.0.19.2 to v.0.19.4 breaks #2322

Closed
awhitepl opened this issue Jun 14, 2022 · 10 comments · Fixed by #2334
Labels
bug Something isn't working

Comments

@awhitepl

Overview of the Issue

Upgrading to this version critically fails for me. I don't think that we are doing anything bad with the atlantis image; we just install some extras like terragrunt and a couple of other helper programs. Staying at version v.0.19.2 continues to work for me.

Reproduction Steps

Build an image with Gitops, send it to live in k8 cluster in each env. Image gets pulled and fails with backoff with the following error messages.

Logs

docker-entrypoint.sh: detected /atlantis-data wrong filesystem permissions
currently owned by root:atlantis, changing to atlantis:atlantis...
chown: /atlantis-data/lost+found: Operation not permitted
chown: /atlantis-data/lost+found: Operation not permitted
chown: /atlantis-data: Operation not permitted
chown: /atlantis-data: Operation not permitted

@awhitepl awhitepl added the bug Something isn't working label Jun 14, 2022
@awhitepl awhitepl changed the title from "Upgrade from v.0.19.2 to v.0.19.2 breaks" to "Upgrade from v.0.19.2 to v.0.19.4 breaks" Jun 14, 2022
@michelmzs
Contributor

michelmzs commented Jun 14, 2022

docker-entrypoint.sh: detected /atlantis-data wrong filesystem permissions

Can you share your Dockerfile? There are no related issues with the default image.

@bdashrad

We are seeing the same issue, upgrading from 0.19.2 to 0.19.4. This is our Dockerfile we're using to add gcloud.

FROM ghcr.io/runatlantis/atlantis:v0.19.4

RUN apk --no-cache --update add \
    python3 \
    py-pip \
  && pip install --upgrade pip \
  && apk add --virtual build-deps \
    gcc \
    libffi-dev \
    python3-dev \
    linux-headers \
    musl-dev \
    openssl-dev \
  && pip install gsutil \
  && apk del build-deps \
  && rm -rf /var/cache/apk/*

@bdashrad

Looks like my issue is resolved by removing the securityContext set in the older values.yaml and using the current (4.0.x) chart. runatlantis/helm-charts#21

@ysoldak
Contributor

ysoldak commented Jun 21, 2022

We deploy with helm chart to GKE (1.22) on GCP and experience the same.

The persistent volume for "/atlantis-data" mounts as "root:bin" and changing mount point ownership is not permitted.
The most we can have is root:atlantis by setting fsGroup:1000 in securityContext

This is the PR that breaks it for us: #1326
We are going to use fsGroup: 1000 and either hack and disable the chown block in docker-entrypoint.sh or stay on v0.19.3

Atlantis shall use fsGroupChangePolicy: "OnRootMismatch" instead of the script in docker-entrypoint.sh.
fsGroupChangePolicy is stable in K8S 1.23
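
The failure reported in this thread comes from an entrypoint that demands user ownership of /atlantis-data and calls chown when it does not find it. An ownership mismatch such as root:atlantis does not by itself mean the directory is unwritable, so a start-up check can test access instead. This is an added example, not code from the Atlantis entrypoint or helm chart; the function names and every uid/gid/mode value are constructed, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example (not from the Atlantis repository): decide whether a data
# directory is usable by checking access, not by demanding user ownership.
# Function names and all sample uid/gid/mode values are constructed.

# classify_access OWNER_UID OWNER_GID MODE_OCTAL MY_UID "MY_GIDS"
# Prints the permission class that grants write+search on the directory:
# root | owner | group | other, or "denied" when the matching class lacks it.
classify_access() {
    o_uid=$1; o_gid=$2; mode=$3; my_uid=$4; my_gids=$5
    # uid 0 is assumed to keep its default capabilities (DAC override).
    [ "$my_uid" = 0 ] && { echo root; return 0; }
    if [ "$o_uid" = "$my_uid" ]; then
        class=owner; mask=0300
    elif printf '%s\n' $my_gids | grep -qx "$o_gid"; then
        # e.g. a volume presented as root:<fsGroup> to a member of that group
        class=group; mask=0030
    else
        class=other; mask=0003
    fi
    # The leading 0 makes the shell read the mode as octal; both the write
    # and the search (execute) bit of the matching class must be set.
    if [ $(( 0$mode & $mask )) -eq $(( $mask )) ]; then
        echo "$class"
    else
        echo denied
    fi
}

# check_data_dir DIR: run the same classification for the current process
# against a real directory. No chown is attempted in any branch.
check_data_dir() {
    [ -d "$1" ] || { echo missing; return 0; }
    classify_access "$(stat -c %u "$1")" "$(stat -c %g "$1")" \
        "$(stat -c %a "$1")" "$(id -u)" "$(id -G)"
}
```

A non-root container would call `check_data_dir /atlantis-data` at start-up and stop with a clear message on `denied` or `missing`, leaving ownership changes to the volume's fsGroup settings.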

@jamengual
Contributor

Correct me if I'm wrong:
we should use fsGroupChangePolicy since it is now stable, but it was not when that PR was implemented (but I merged it not long ago), and we will have to revert the entry-point changes, correct?

ysoldak added a commit to ysoldak/atlantis that referenced this issue Jun 22, 2022
Fixes runatlantis#2322 
See another PR (in helm-charts repo) that enables use of fsGroupChangePolicy instead.
@ysoldak
Contributor

ysoldak commented Jun 22, 2022

Yes, correct, @jamengual
See my PRs to this repo and helm-charts.

@ysoldak
Contributor

ysoldak commented Jun 22, 2022

[Temporary] hack for docker-entrypoint.sh is to build your own image based on atlantis and use it in helm:

FROM ghcr.io/runatlantis/atlantis:v0.19.4
RUN sed -i.bak "s,/atlantis-data,/disabled," /usr/local/bin/docker-entrypoint.sh

jamengual pushed a commit that referenced this issue Jun 22, 2022
Fixes #2322 
See another PR (in helm-charts repo) that enables use of fsGroupChangePolicy instead.
@jamengual
Contributor

I'm tempted to create a new release just to get rid of this issue, but we can't really do it right now. I can create a pre-release, but I have not looked at whether the image URL can be changed in the values.

@ysoldak
Contributor

ysoldak commented Jun 22, 2022

In helm chart you mean? Yes, we can set the tag there, here
https://github.com/runatlantis/helm-charts/blob/main/charts/atlantis/values.yaml#L103

@jamengual
Contributor

jamengual commented Oct 11, 2022 via email

krrrr38 pushed a commit to krrrr38/atlantis that referenced this issue Dec 16, 2022
Fixes runatlantis#2322 
See another PR (in helm-charts repo) that enables use of fsGroupChangePolicy instead.