Commit d71725b
fix(Jenkinsfile): set pod fsGroup so nova-ci can write workspace@tmp
Build #31 reached Code checkout cleanly (shallow clone worked) but the
first sh step in nova-ci failed with:

    process apparently never started in
    /home/jenkins/agent/workspace/nova-cicd@tmp/durable-cf27346a
    script returned exit code -2

jnlp (image-default jenkins user, typically uid 1000) created the
workspace before nova-ci started; durable-task in nova-ci then runs as
the NIS uid and tries to mkdir workspace@tmp/durable-<id>/, which is
denied because the parent dir is owned by uid 1000:1000 and not
group-writable.

Set pod securityContext.fsGroup = RUN_AS_GID. Kubernetes recursively
chowns / sets g+rwxs on emptyDir volumes for the fsGroup and adds it as
a supplementary group to every container in the pod, so:
- jnlp keeps writing as its image-default user (now also fsGroup),
- nova-ci's NIS uid (whose primary gid IS fsGroup) can mkdir/write
  inside the shared workspace.

runAsUser/runAsGroup stay on the nova-ci container; only fsGroup is set
at pod scope, so PodTemplateUtils.combine() has nothing to merge into
pod securityContext and won't drop fsGroup (the regression seen on
claude-broke-it when runAs was also at pod scope).
Signed-off-by: Edwin Peer <epeer@nvidia.com>

1 parent ba0741d, commit d71725b
1 file changed
Lines changed: 8 additions & 0 deletions
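A stand-alone pod manifest showing the securityContext layout the commit message describes (fsGroup only at pod scope, runAsUser/runAsGroup only on the nova-ci container, one shared emptyDir workspace), added here as an illustration; it is not the repository's Jenkinsfile pod template. The image names, the uid/gid values and the explicit emptyDir volume at /home/jenkins/agent are assumed placeholders.

```yaml
# Added illustration, not the repository's Jenkinsfile pod template.
# Values marked "placeholder" are assumptions; substitute the real NIS uid/gid.
apiVersion: v1
kind: Pod
metadata:
  name: nova-cicd-fsgroup-demo
spec:
  # Pod scope: ONLY fsGroup lives here. Kubernetes chowns the emptyDir
  # below to this gid with g+rwxs and adds the gid as a supplementary
  # group to every container, so both jnlp and nova-ci can write to it.
  securityContext:
    fsGroup: 2000                     # placeholder for RUN_AS_GID
  containers:
    - name: jnlp
      image: jenkins/inbound-agent    # assumed agent image; keeps its image-default user (uid 1000)
      command: ["sleep", "infinity"]  # stand-in for the real agent command so the demo pod stays up
      # No runAsUser/runAsGroup: jnlp stays uid 1000 and simply gains gid 2000
      # as a supplementary group.
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: nova-ci
      image: registry.example/nova-ci:latest   # placeholder build image
      command: ["sleep", "infinity"]
      # Container scope: runAsUser/runAsGroup stay here, never at pod scope,
      # so nothing is merged into the pod securityContext and fsGroup survives.
      securityContext:
        runAsUser: 4242               # placeholder for the NIS uid
        runAsGroup: 2000              # must equal fsGroup above (the NIS user's primary gid)
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
  volumes:
    # Shared workspace; the Jenkins Kubernetes plugin mounts an emptyDir
    # like this at the same path by default.
    - name: workspace-volume
      emptyDir: {}
```

To reproduce the failure mode and confirm the fix, create the parent as jnlp with `kubectl exec nova-cicd-fsgroup-demo -c jnlp -- mkdir -p /home/jenkins/agent/workspace@tmp`, then `kubectl exec nova-cicd-fsgroup-demo -c nova-ci -- mkdir /home/jenkins/agent/workspace@tmp/probe`; with fsGroup set the second mkdir succeeds, and `id` inside nova-ci lists gid 2000.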
Diff (file content not rendered on this page): 6 lines added after original line 33 (new lines 34-39) and 2 lines added after original line 78 (new lines 85-86); 8 additions, 0 deletions.
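Review bot: the added lines (new lines 34-39 and 85-86) are not rendered here, so this review can only check the change against the commit message: please confirm that fsGroup appears only under the pod-level securityContext and is not repeated on the nova-ci container, and that it is set from the same RUN_AS_GID variable used for the container's runAsGroup; if the two values diverge, the NIS uid's primary gid will not match the group Kubernetes applies to the emptyDir and the workspace@tmp mkdir will be denied again.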