FF_USE_FASTZIP=1 restores root artifact folder with 755 instead of 777

Summary

Steps to reproduce

  1. Activate feature flag FF_USE_FASTZIP=1 for a Kubernetes GitLab Runner (13.7.0)
  2. use an image where the user differs from root
  3. in Job A:
    1. generate a folder called artifacts: $ mkdir artifacts
    2. run $ echo "Hello World" > artifacts/important.log
  4. in Job B, that receives the artifacts of Job A:
    1. run $ echo "Hello World" > artifacts/no_permissions.log

One can use this .gitlab-ci.yml to reproduce the issue:

.gitlab-ci.yml
image: python:3.8
variables:
  FF_USE_FASTZIP: 1

stages:
  - A
  - B

job a:
  stage: A
  script:
    - adduser --disabled-password --gecos '' newuser
    - su newuser -c 'mkdir artifacts'
    - su newuser -c 'echo "Hello World A" > artifacts/important_a.log'
    - ls -lah artifacts
  artifacts:
    paths:
      - artifacts/*
    expire_in: 1 days

job b:
  stage: A
  script:
    - adduser --disabled-password --gecos '' newuser
    - su newuser -c 'mkdir artifacts'
    - su newuser -c 'echo "Hello World" > artifacts/important_b.log'
  artifacts:
    paths:
      - artifacts/*
    expire_in: 1 days

job c:
  stage: B
  needs:
    - job: job a
    - job: job b
  script:
    - adduser --disabled-password --gecos '' newuser
    - ls -lah
    - ls -lah artifacts
    - su newuser -c 'echo "Hello World" > artifacts/no_permissions.log'
    - ls -lah artifacts

Actual behavior

Log of Job C

Running with gitlab-runner 13.7.0 (943fc252)
  on default-runner-gitlab-runner-7b86c5cffd-cdw4d Z_t5Vdd_
Resolving secrets
00:00
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: gitlab-runner
WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
Using Kubernetes executor with image python:3.8 ...
Preparing environment
00:06
Waiting for pod gitlab-runner/runner-zt5vdd-project-1644-concurrent-09fg27 to be running, status is Pending
Waiting for pod gitlab-runner/runner-zt5vdd-project-1644-concurrent-09fg27 to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-zt5vdd-project-1644-concurrent-09fg27 via default-runner-gitlab-runner-7b86c5cffd-cdw4d...
Getting source from Git repository
00:01
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/ci-cd/testing/multiple-parallel-ci-jobs/.git/
Created fresh repository.
Checking out 951a1668 as test_bug...
Skipping Git submodules setup
Downloading artifacts
00:00
Downloading artifacts for job a (110318)...
Downloading artifacts from coordinator... ok        id=110318 responseStatus=200 OK token=T7kzMT5W
Downloading artifacts for job b (110319)...
Downloading artifacts from coordinator... ok        id=110319 responseStatus=200 OK token=Y5qPSbyN
Executing "step_script" stage of the job script
00:01
$ adduser --disabled-password --gecos '' newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
$ ls -lah
total 8.0K
drwxrwxrwx. 5 root root  89 Jan  5 12:51 .
drwxrwxrwx. 4 root root  76 Jan  5 12:51 ..
drwxrwxrwx. 6 root root 113 Jan  5 12:51 .git
drwxrwxrwx. 2 root root  32 Jan  5 12:51 .gitlab
-rw-rw-rw-. 1 root root 907 Jan  5 12:51 .gitlab-ci.yml
-rw-rw-rw-. 1 root root  29 Jan  5 12:51 README.md
drwxr-xr-x. 2 root root  52 Jan  5 12:51 artifacts
$ ls -lah artifacts
total 8.0K
drwxr-xr-x. 2 root    root    52 Jan  5 12:51 .
drwxrwxrwx. 5 root    root    89 Jan  5 12:51 ..
-rw-r--r--. 1 newuser newuser 14 Jan  5 12:50 important_a.log
-rw-r--r--. 1 newuser newuser 12 Jan  5 12:50 important_b.log
$ su newuser -c 'echo "Hello World" > artifacts/no_permissions.log'
bash: artifacts/no_permissions.log: Permission denied
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1

Expected behavior

Running with gitlab-runner 13.7.0 (943fc252)
  on default-runner-gitlab-runner-7b86c5cffd-cdw4d Z_t5Vdd_
Resolving secrets
00:00
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: gitlab-runner
WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
Using Kubernetes executor with image python:3.8 ...
Preparing environment
00:06
Waiting for pod gitlab-runner/runner-zt5vdd-project-1644-concurrent-1fdwnn to be running, status is Pending
Waiting for pod gitlab-runner/runner-zt5vdd-project-1644-concurrent-1fdwnn to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-zt5vdd-project-1644-concurrent-1fdwnn via default-runner-gitlab-runner-7b86c5cffd-cdw4d...
Getting source from Git repository
00:01
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/ci-cd/testing/multiple-parallel-ci-jobs/.git/
Created fresh repository.
Checking out d82acb84 as test_bug...
Skipping Git submodules setup
Downloading artifacts
00:00
Downloading artifacts for job a (110315)...
Downloading artifacts from coordinator... ok        id=110315 responseStatus=200 OK token=MDQ2YafH
Downloading artifacts for job b (110316)...
Downloading artifacts from coordinator... ok        id=110316 responseStatus=200 OK token=9s2oDJ3u
Executing "step_script" stage of the job script
00:01
$ adduser --disabled-password --gecos '' newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
$ ls -lah
total 8.0K
drwxrwxrwx. 5 root root  89 Jan  5 12:51 .
drwxrwxrwx. 4 root root  76 Jan  5 12:50 ..
drwxrwxrwx. 6 root root 113 Jan  5 12:51 .git
drwxrwxrwx. 2 root root  32 Jan  5 12:51 .gitlab
-rw-rw-rw-. 1 root root 907 Jan  5 12:51 .gitlab-ci.yml
-rw-rw-rw-. 1 root root  29 Jan  5 12:51 README.md
drwxrwxrwx. 2 root root  52 Jan  5 12:51 artifacts
$ ls -lah artifacts
total 8.0K
drwxrwxrwx. 2 root    root    52 Jan  5 12:51 .
drwxrwxrwx. 5 root    root    89 Jan  5 12:51 ..
-rw-r--r--. 1 newuser newuser 14 Jan  5 12:50 important_a.log
-rw-r--r--. 1 newuser newuser 12 Jan  5 12:50 important_b.log
$ su newuser -c 'echo "Hello World" > artifacts/no_permissions.log'
$ ls -lah artifacts
total 12K
drwxrwxrwx. 2 root    root    78 Jan  5 12:51 .
drwxrwxrwx. 5 root    root    89 Jan  5 12:51 ..
-rw-r--r--. 1 newuser newuser 14 Jan  5 12:50 important_a.log
-rw-r--r--. 1 newuser newuser 12 Jan  5 12:50 important_b.log
-rw-r--r--. 1 newuser newuser 12 Jan  5 12:51 no_permissions.log
Cleaning up file based variables
00:00
Job succeeded

Relevant logs and/or screenshots

Permissions of artifacts folder:

FF_USE_FASTZIP: 0
drwxrwxrwx. 2 root root  52 Jan  5 12:51 artifacts

FF_USE_FASTZIP: 1
drwxr-xr-x. 2 root root  52 Jan  5 12:51 artifacts

Environment description

Used GitLab Runner version

Version:      13.7.0
Git revision: 943fc252
Git branch:   13-7-stable
GO version:   go1.13.8
Built:        2020-12-21T13:47:16+0000
OS/Arch:      linux/amd64

Possible fixes

Don't activate FF_USE_FASTZIP if working with a user other than root.

Edited by Alexander Petermann
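
Added example (not part of the original report and not GitLab Runner code): a POSIX shell check that a consuming job could run after artifacts are restored, listing directories whose mode differs from the build root's. This is the symptom in the job c listing, where `.` is `drwxrwxrwx` and `artifacts` is `drwxr-xr-x`. The function names and the sample tree are constructed for illustration; `CI_PROJECT_DIR` is GitLab's predefined build-directory variable.

```shell
#!/bin/sh
# Added diagnostic, not part of the issue: report directories under a build
# directory whose permission bits differ from the build root's own.

# Print the 10-character mode string (e.g. drwxr-xr-x) of one path.
mode_of() {
    ls -ld -- "$1" | head -n 1 | cut -c1-10
}

# find_mode_drift ROOT
# Prints "<mode> <path>" for every directory below ROOT whose mode differs
# from ROOT's. Returns 0 for no drift, 1 for drift, 2 if ROOT is no directory.
find_mode_drift() {
    root=$1
    [ -d "$root" ] || return 2
    want=$(mode_of "$root")
    out=$(find "$root" -type d | while IFS= read -r d; do
        [ "$d" = "$root" ] && continue
        got=$(mode_of "$d")
        [ "$got" = "$want" ] || printf '%s %s\n' "$got" "$d"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree mirroring the job c listing: build root 777,
# restored artifacts directory 755. Prints the path of the tree.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/artifacts" "$tree/.gitlab"
    chmod 777 "$tree" "$tree/.gitlab"
    chmod 755 "$tree/artifacts"
    printf '%s\n' "$tree"
}

# With an argument (e.g. "$CI_PROJECT_DIR") scan it; without one, scan the sample.
if [ "$#" -gt 0 ]; then
    find_mode_drift "$1" || echo "directory modes differ from build root" >&2
else
    sample=$(make_sample_tree)
    find_mode_drift "$sample" || echo "directory modes differ from build root" >&2
    rm -rf "$sample"
fi
```

Run at the start of a job that consumes artifacts, the non-zero return makes the mode difference visible before a later write fails with `Permission denied`.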