fix: force runasuser for reduce-snapshot #1199

Merged

scoheb
Member

@scoheb scoheb commented Jul 11, 2025

Describe your changes

  • This is a workaround for a problem observed on a particular cluster where the use-trusted-artifacts step runs with root user causing a file or folder to not be readable in later steps. There might be a solution coming related to the security context constraints on the cluster, but setting this explicitly here should probably be harmless either way.

Checklist before requesting a review

  • I have marked as draft or added do not merge label if there's a dependency PR
    • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
  • My commit message includes Signed-off-by: My name <email>
  • I read CONTRIBUTING.MD and commit formatting
  • I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh
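
The failure mode described in the PR description above (one step writes to the shared workdir as root, a later step runs under another UID and cannot read or write it) can be caught before a run by checking that every step in a Task resolves to the same explicit, non-root `runAsUser`. This is an added example, not code from this PR or from the project; the step name `reduce-snapshot`, the UID 1001 and the use of `stepTemplate` in the "after" sample are assumptions made for illustration.

```python
# Added example: lint a Tekton Task (loaded as a dict) for implicit or mixed step UIDs.
ROOT_UID = 0

def effective_uid(task_spec, step):
    """Step-level securityContext wins over stepTemplate. None means the
    cluster (SCC or image default) picks the UID at run time."""
    for holder in (step, task_spec.get("stepTemplate") or {}):
        uid = (holder.get("securityContext") or {}).get("runAsUser")
        if uid is not None:
            return uid
    return None

def lint_step_uids(task):
    """Return a list of (step_name, problem) findings; empty list means consistent."""
    spec = task["spec"]
    uids = {s["name"]: effective_uid(spec, s) for s in spec["steps"]}
    findings = []
    for name, uid in uids.items():
        if uid is None:
            findings.append((name, "runAsUser not set; UID depends on the cluster"))
        elif uid == ROOT_UID:
            findings.append((name, "runs as root; files it writes may be unreadable later"))
    explicit = {u for u in uids.values() if u is not None}
    if len(explicit) > 1:
        findings.append(("*", f"steps use different UIDs: {sorted(explicit)}"))
    return findings

# Constructed samples (not the project's real Task definitions).
BEFORE = {"spec": {"steps": [
    {"name": "use-trusted-artifacts"},                       # UID left to the cluster
    {"name": "reduce-snapshot", "securityContext": {"runAsUser": 1001}},
]}}
AFTER = {"spec": {
    "stepTemplate": {"securityContext": {"runAsUser": 1001}},  # one UID for all steps
    "steps": [{"name": "use-trusted-artifacts"}, {"name": "reduce-snapshot"}],
}}

if __name__ == "__main__":
    for label, task in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_step_uids(task) or "ok")
```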

@scoheb scoheb requested a review from a team as a code owner July 11, 2025 14:38
johnbieren
johnbieren previously approved these changes Jul 11, 2025
@scoheb
Member Author

scoheb commented Jul 11, 2025

before:

Single Component mode is true and Snapshot type is component
COMPONENT_COUNT: 1
tee: /var/workdir/release/2672fdf6-a311-48ff-9f7c-8ac2983e92a8/snapshot_spec.json: Permission denied
{
  "application": "rhel-10",
  "artifacts": {},
  "components": [
    {
      "containerImage": "quay.io/redhat-user-workloads/rhel-sst-cs-databases-tenant/rhel-10-gdbm@sha256:cdf5f24a9608b718a8274e849fd336410076144d409f408b05324976f632044d",
      "name": "rhel-10-gdbm",
      "source": {
        "git": {
          "revision": "318c1c2dabb2365a5f4fe23d37197d211985805a",
          "url": "https://gitlab.com/redhat/centos-stream/rpms/gdbm"
        }
      }
    }
  ]
}

after:

Single Component mode? true
SNAPSHOT_CREATION_TYPE: component
SNAPSHOT_CREATION_COMPONENT: rhel-10-gdbm
Single Component mode is true and Snapshot type is component
COMPONENT_COUNT: 1
{
  "application": "rhel-10",
  "artifacts": {},
  "components": [
    {
      "containerImage": "quay.io/redhat-user-workloads/rhel-sst-cs-databases-tenant/rhel-10-gdbm@sha256:cdf5f24a9608b718a8274e849fd336410076144d409f408b05324976f632044d",
      "name": "rhel-10-gdbm",
      "source": {
        "git": {
          "revision": "318c1c2dabb2365a5f4fe23d37197d211985805a",
          "url": "https://gitlab.com/redhat/centos-stream/rpms/gdbm"
        }
      }
    }
  ]
}

@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from 2861332 to 822c603 Compare July 11, 2025 15:47
@openshift-ci openshift-ci bot removed the lgtm label Jul 11, 2025
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from 822c603 to 4bb4e38 Compare July 11, 2025 15:48
@scoheb scoheb enabled auto-merge (squash) July 11, 2025 16:10
@scoheb scoheb requested a review from johnbieren July 11, 2025 16:11
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch 2 times, most recently from 3228f22 to 542d1f9 Compare July 12, 2025 18:16
@scoheb
Member Author

scoheb commented Jul 12, 2025

/retest

@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from 542d1f9 to 57ab659 Compare July 13, 2025 12:58
@scoheb
Member Author

scoheb commented Jul 13, 2025

/retest

@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch 2 times, most recently from f0b8777 to a320f4e Compare July 15, 2025 15:16
@scoheb
Member Author

scoheb commented Jul 15, 2025

re-running 2 failed tests

@scoheb
Member Author

scoheb commented Jul 15, 2025

/retest

@scoheb
Member Author

scoheb commented Jul 16, 2025

/retest

@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from a320f4e to 253613d Compare July 16, 2025 11:34
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from 253613d to 685f48b Compare July 16, 2025 15:36
@scoheb scoheb requested a review from theflockers July 16, 2025 15:36
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch 2 times, most recently from f025987 to a0e3bbf Compare July 16, 2025 20:14
@scoheb
Member Author

scoheb commented Jul 17, 2025

/retest

@theflockers
Contributor

/retest

@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from a0e3bbf to 23b3496 Compare July 17, 2025 14:40
@openshift-ci openshift-ci bot removed the lgtm label Jul 17, 2025
@xiangge
Contributor

xiangge commented Jul 18, 2025

Are we ok to merge this? It's blocking the pipeline.

@jinqi7
Collaborator

jinqi7 commented Jul 18, 2025

/retest

Member

@seanconroy2021 seanconroy2021 left a comment

LGTM

@openshift-ci openshift-ci bot added the lgtm label Jul 18, 2025
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from 23b3496 to e346d24 Compare July 18, 2025 18:30
@openshift-ci openshift-ci bot removed the lgtm label Jul 18, 2025
openshift-ci bot commented Jul 18, 2025

New changes are detected. LGTM label has been removed.

- This is a workaround for a problem observed on a particular cluster
  where the use-trusted-artifacts step runs with root user causing a
  file or folder to not be readable in later steps.
  There might be a solution coming related to the
  security context constraints on the cluster, but setting this
  explicitly here should probably be harmless either way.
- Also add protection for skip-trusted-artifact-operations to
  better handle permission issues.

Signed-off-by: Scott Hebert <[email protected]>
@scoheb scoheb force-pushed the fix-permission-denied-reduce-snapshot branch from e346d24 to 5503228 Compare July 18, 2025 19:08
@scoheb scoheb merged commit 862a954 into konflux-ci:development Jul 18, 2025
18 checks passed