FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR doesn't disable the umask

Summary

The documentation describes three functions enabled by this flag:

  1. removes the umask 0000 call for jobs executed with the Kubernetes executor => not working at all

  2. tries to discover the user ID (UID) and group ID (GID) of the user the build container runs as => working fine

  3. changes the ownership of the working directory and files => only working when I set shell = "bash" in the runner's config.toml

Steps to reproduce

For 1:

The test which is shown in the MR which introduced the flag does already show the problem: !4842 (merged)

The extract of the job log shows all folders world writable. Same with the last reply at the end: !4842 (comment 2020544743)

In these job logs, all files are world-writable again.

For 3:

config.toml which does not chown any file:

    [[runners]]
      pre_get_sources_script = "git config --system --add safe.directory $CI_PROJECT_DIR"
      post_get_sources_script = "git config --local --add safe.directory $CI_PROJECT_DIR"
      executor = "kubernetes"
      [runners.feature_flags]
        FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR = true
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:16.04"

config.toml which works fine for number 3:

    [[runners]]
      pre_get_sources_script = "git config --system --add safe.directory $CI_PROJECT_DIR"
      post_get_sources_script = "git config --local --add safe.directory $CI_PROJECT_DIR"
      executor = "kubernetes"
      shell = "bash"
      [runners.feature_flags]
        FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR = true
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:16.04"

.gitlab-ci.yml:

    stages:
      - test

    test:
      stage: test

      script:
        - ls -lR /builds
        - |
          for i in $(seq 1 120); do
            printf .
            sleep 0.02
          done

Actual behavior

  • If I don't manually remove the umask 0000 from the helper image, all files and folders are shown with world-writable permissions
  • If I manually remove the umask 0000 from the helper image and don't explicitly set shell = "bash", the build fails with the following error message:

        /scripts-2-27681/step_script: line 68: /builds/******/******.tmp/CI_SERVER_TLS_CA_FILE: Permission denied

  • If I manually remove the umask 0000 from the helper image and do explicitly set shell = "bash", I see the files non-world-writable and owned by uid 1000

Expected behavior

  • Files should be owned by uid 1000 and non world-writable with the default helper image

Environment description

We are using a self-hosted gitlab-runner running on Kubernetes.

Used GitLab Runner version
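
The expected behavior described above (files owned by uid 1000 and not world-writable) can be asserted from inside a job instead of being read off `ls -lR` output. The script below is an added example, not part of the original issue or of GitLab Runner; the function names `audit_build_tree` and `make_sample_tree` are hypothetical, and the sample tree is constructed to show the difference a `umask 0000` makes.

```shell
#!/bin/sh
# Added example (not from the issue): audit a build tree for the two
# properties the report expects. Function names are hypothetical.

# audit_build_tree DIR EXPECTED_UID
# Prints one line per offending path; returns 0 when clean, 1 otherwise.
audit_build_tree() {
    dir=$1
    want_uid=$2
    status=0
    # World-writable entries. Symlinks are skipped: their own mode bits
    # are not used for access checks.
    ww=$(find "$dir" ! -type l -perm -0002 -print 2>/dev/null)
    # Entries whose owner is not the expected numeric UID.
    wrong=$(find "$dir" ! -user "$want_uid" -print 2>/dev/null)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        status=1
    fi
    if [ -n "$wrong" ]; then
        printf '%s\n' "$wrong" | sed "s/^/NOT-OWNED-BY-$want_uid: /"
        status=1
    fi
    return "$status"
}

# make_sample_tree UMASK
# Constructed sample: a temp directory populated under the given umask,
# standing in for a checkout written by the helper container.
# The subshell body keeps the umask change from leaking to the caller.
make_sample_tree() (
    umask "$1"
    root=$(mktemp -d)
    mkdir "$root/project"
    : > "$root/project/file.txt"
    printf '%s\n' "$root"
)

# In a job, with the path and UID named in the report:
#   audit_build_tree "$CI_PROJECT_DIR" 1000
```

A tree written under `umask 0000` fails the audit (directory mode 0777, file mode 0666), while the same tree written under `umask 0022` passes when the expected UID matches the creating user.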