Gitlab permissions are too open for source checkout #2

Open
jovial opened this issue Feb 11, 2021 · 3 comments

jovial commented Feb 11, 2021

[WARNING]: Ansible is being run in a world writable directory
(/builds/crc4/um6p/infrastructure/um6p-kayobe-config), ignoring it as an
ansible.cfg source. For more information see
https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir

Options:

  • Copy it elsewhere and change permissions
  • Change permissions in place
  • Get GitLab to checkout with different permissions (nothing immediately obvious in the docs)
  • Set umask in image to something more restrictive?

jovial commented Feb 11, 2021

Looks like it uses a volume, docker inspect output:

        "Mounts": [
            {
                "Type": "volume",
                "Name": "runner-bkqvjp4m-project-21118777-concurrent-0-cache-c33bcaa1fd2c77edfc3893b41966cea8",
                "Source": "/var/lib/docker/volumes/runner-bkqvjp4m-project-21118777-concurrent-0-cache-c33bcaa1fd2c77edfc3893b41966cea8/_data",
                "Destination": "/builds",
                "Driver": "local",
                "Mode": "z",
                "RW": true,
                "Propagation": ""
            },


jovial commented Feb 11, 2021

Directory is owned by root:

[stack@runner-bkqvjp4m-project-21118777-concurrent-0 um6p-kayobe-config]$ stat .
  File: .
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd03h/64771d    Inode: 198967306   Links: 7
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-02-11 14:22:20.024386985 +0000
Modify: 2021-02-11 14:22:12.590730648 +0000
Change: 2021-02-11 14:22:12.590730648 +0000
 Birth: -

Possibly cloned by:

[root@seed gitlab-runner]# docker images | grep 8bd102e974ab
gitlab/gitlab-runner-helper                                       x86_64-943fc252                            8bd102e974ab        47 hours ago        66.8MB

So may not be possible to set permissions?
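
An added example (not part of the issue thread, and not the project's code) of the first two options listed above, given that the checkout is owned by root: it detects the world-writable bit that triggers the Ansible warning, tries to clear it in place, and falls back to a private copy when `chmod` is not permitted. The function names `is_world_writable` and `safe_workdir` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue. Function names are hypothetical.

# Return 0 if the directory has the "other write" bit set, which is the
# condition that makes Ansible ignore ./ansible.cfg.
is_world_writable() {
    # -prune keeps find on the starting directory; -perm -0002 matches o+w.
    [ -n "$(find "$1" -prune -type d -perm -0002 2>/dev/null)" ]
}

# Print the path of a directory that is safe to run Ansible from.
safe_workdir() {
    src=$1

    # Already restrictive enough: use the checkout as it is.
    if ! is_world_writable "$src"; then
        printf '%s\n' "$src"
        return 0
    fi

    # Option "change permissions in place". This only works when the job
    # user owns the directory (or is root); re-check rather than trust chmod.
    if chmod o-w "$src" 2>/dev/null && ! is_world_writable "$src"; then
        printf '%s\n' "$src"
        return 0
    fi

    # Option "copy it elsewhere": needed when the checkout is owned by
    # another user (root:root in the stat output above) and chmod is denied.
    # mktemp -d creates the directory with mode 0700.
    dst=$(mktemp -d) || return 1
    cp -R "$src/." "$dst/" || return 1
    printf '%s\n' "$dst"
}

# Possible use at the start of a job (CI_PROJECT_DIR is GitLab's predefined
# variable for the checkout path):
#   cd "$(safe_workdir "$CI_PROJECT_DIR")" || exit 1
```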


jovial commented Feb 15, 2021
