Docker Runner Fails With Permission Denied Errors in Build Log

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Summary

Docker runner fails on Fedora/CentOS/RHEL with SELinux in enforcing mode. Bamboo build fails with a permission denied error in logs because directories mounted from a host to a container are not accessible even for a root container user.

Environment

The issue can be reproduced with any Bamboo version on Fedora/CentOS/RHEL with SELinux running in enforcing mode.

Diagnosis

Build in Docker fails, and you will see the following errors in the job build log:

/tmp/runInDocker8004722310245392322.sh: /home/bamboo/bamboo-agent-home/temp/IPT-BPTD-JOB1-23-ScriptBuildTask-2477866816195297390.sh: Permission denied

In this particular example, a mounted script with script task syntax cannot be accessed. There can be similar issues with accessing source code in a working directory mounted into a Docker container, for example:

/tmp/runInDocker2036597224817806522.sh: 2: cd: can't cd to /home/bamboo/bamboo-agent-home/xml-data/build-dir/TEST-TES4-JOB1

Cause

By default, Docker container processes run with the system_u:system_r:svirt_lxc_net_t:s0 label. The svirt_lxc_net_t type is allowed to read/execute most content under /usr, but it is not allowed to use most other types on the system. As a result, when Bamboo starts a build container and mounts temp and working directories, everything in these directories is not accessible for a user (even if it's root) in the container. This results in exec failures, since mounted files cannot be accessed and thus job tasks cannot be executed.

Solution

There are 4 solutions, ranging from the easiest and less secure to a bit more complicated and secure

Turn off SELinux

Of course, this can be a no-go due to security reasons, however, if turning SELinux off is an option, you can do so, and this will fix the issue.

Run container in a privileged mode

This is possible only in 7.1+ versions with the introduction of extra Docker run arguments. Running containers in a privileged mode can also open security risks, so, do it with caution:

Manually add a label to host directory

Attach a proper SELinux policy type label to Bamboo home (xml data or temp, or the entire Bamboo home directory)

chcon -Rt svirt_sandbox_file_t /home/bamboo/bamboo-agent-home/xml-data
chcon -Rt svirt_sandbox_file_t /home/bamboo/bamboo-agent-home/temp

Add :z suffix to volume mount binding

You can also let Docker do the labeling for you by appending :z suffix to a volume mount binding (container directory) in Bamboo UI (Docker configuration for a job).




Last modified on Dec 1, 2020

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.