[BUG]: VMSS agents go offline due to lack of adequate permissions for AzDevOps user for agent directory. #5082
Description
What happened?
Like I reported in this issue, VMSS agents go offline due to lack of adequate permissions not granted to the AzDevOps user created by the VMSS extension and used to interact with Azure DevOps.
To be specific, permissions are missing to let the AzDevOps user properly use the agent directory.
This can be seen by running the ./run.sh --diagnostics command (I wish I had discovered it before). This is the output:
adminuser@vmss-agents-142:/agent$ ./run.sh --diagnostics
Unhandled exception. System.UnauthorizedAccessException: Access to the path '/agent/_diag/Agent_20240604-105127-utc.log' is denied.
---> System.IO.IOException: Permission denied
--- End of inner exception stack trace ---
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
at Microsoft.VisualStudio.Services.Agent.HostTraceListener.CreatePageLogWriter() in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostTraceListener.cs:line 178
at Microsoft.VisualStudio.Services.Agent.HostTraceListener..ctor(String logFileDirectory, String logFilePrefix, Int32 pageSizeLimit, Int32 retentionDays) in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostTraceListener.cs:line 50
at Microsoft.VisualStudio.Services.Agent.HostContext..ctor(HostType hostType, String logFile) in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostContext.cs:line 135
at Microsoft.VisualStudio.Services.Agent.Listener.Program.Main(String[] args) in /mnt/vss/_work/1/s/src/Agent.Listener/Program.cs:line 28
./run.sh: line 68: 3425 Aborted (core dumped) "$DIR"/bin/Agent.Listener run $*
Once I solved the permissions for agent/_diag folder, similar problems happened for other folders.
So, to solve the problem, I executed the sudo chmod -R a+rwx agent command (be careful: it assigns read/write/execute permissions to ALL users recursively) and the agent finally worked properly.
I guess we need a more proper solution, but AzDevOps needs proper access to the agent directory and its subfolders.
Versions
VMSS extension 1.23 using agent 3.239.1 / Ubuntu Server 22.04
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
No response
Version control system
No response
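
A narrower alternative to the chmod -R a+rwx workaround in the report, as an added example that is not from the issue author or the agent project: it audits the agent tree for entries the service account does not own and for world-writable leftovers, then repairs ownership without opening the directory to every user. It assumes the /agent path and the AzDevOps account named in the report, and that owning the tree is sufficient for the agent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and scoped repair of the agent directory permissions.
# Assumed from the report: agent root /agent, service account AzDevOps.

# Print entries under DIR that are not owned by USER (name or numeric uid).
# These are the paths that fail with "Permission denied" for that account.
not_owned_by() {    # $1 = dir, $2 = user
    find "$1" ! -user "$2" -print
}

# Print entries writable by "other", i.e. leftovers of chmod -R a+rwx.
# Symlinks are skipped because their own mode bits are not meaningful.
world_writable() {  # $1 = dir
    find "$1" ! -type l -perm -0002 -print
}

# Scoped repair: hand the tree to the service account and drop world-write.
# -h changes symlinks themselves, so a link inside the tree cannot redirect
# the ownership change to a file outside it.
repair_agent_dir() {  # $1 = dir, $2 = user, $3 = group
    chown -hR "$2:$3" "$1" &&
    chmod -R u+rwX,o-w "$1"
}

# Stand-alone use (as root on the instance): sh thisfile audit /agent AzDevOps
if [ "${1:-}" = "audit" ] && [ "$#" -eq 3 ]; then
    echo "Not owned by $3:"; not_owned_by "$2" "$3"
    echo "World-writable:";  world_writable "$2"
fi
```

After reviewing the audit output, the repair step would be run as root, for example repair_agent_dir /agent AzDevOps with the account's primary group as the third argument.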