/tmp/buildkite-agent-hook-wrapper permission problems #2916

Closed
flokli opened this issue Aug 1, 2024 · 1 comment · Fixed by #2925

flokli commented Aug 1, 2024

Is your feature request related to a problem? Please describe.
I bumped buildkite-agent from 3.59.0 to 3.76.1, and suddenly jobs started failing with the following error message:

🚨 Error: Error creating hook script: failed to create temporary file "hook-before-env": open /tmp/buildkite-agent-hook-wrapper/hook-before-env678448514: permission denied
^^^ +++
🚨 Error: Error setting up job executor: failed to create temporary file "hook-before-env": open /tmp/buildkite-agent-hook-wrapper/hook-before-env678448514: permission denied
^^^ +++

Upon further inspection, the issue is due to /tmp/buildkite-agent-hook-wrapper being owned by the wrong user.

We have multiple buildkite-agent instances running on this host, each as its own Linux user. So the first one started up and created /tmp/buildkite-agent-hook-wrapper as its user, and then the next step run by another agent fails to write its hook in there.

Looking in the history a bit, this might have been a regression introduced by a798bab, essentially not using a unique tempdir for each invocation anymore.

Describe the solution you'd like
Use os.MkdirTemp to create a temporary dir, and drop the hooks in there, which shouldn't conflict with each other.

Describe alternatives you've considered
For now, we resorted to giving each buildkite-agent systemd service its own private /tmp, by setting PrivateTmp=yes in the systemd unit, though this might not work for everyone.
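The failure mode and the proposed os.MkdirTemp approach from the report above, as an added Go example (not the agent's code and not the change in #2925). The names writableBy and newHookWrapper, the uids 1000/1001 and the 0755 mode are constructed for illustration, and group permissions are ignored.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writableBy models whether uid may create files in a directory with the given
// owner and mode. Group membership is ignored (simplifying assumption).
func writableBy(uid, owner uint32, mode os.FileMode) bool {
	const wx = 0o3 // creating an entry needs write + search on the directory
	switch perm := mode.Perm(); {
	case uid == 0:
		return true
	case uid == owner:
		return perm>>6&wx == wx
	default:
		return perm&wx == wx
	}
}

// newHookWrapper creates a directory private to this invocation (os.MkdirTemp
// picks a unique name and uses mode 0700) and writes the hook script into it.
func newHookWrapper(base, name string, script []byte) (dir, path string, err error) {
	dir, err = os.MkdirTemp(base, "buildkite-agent-hook-wrapper-*")
	if err != nil {
		return "", "", err
	}
	path = filepath.Join(dir, name)
	if err = os.WriteFile(path, script, 0o700); err != nil {
		os.RemoveAll(dir)
		return "", "", err
	}
	return dir, path, nil
}

func main() {
	// Constructed scenario: agent A (uid 1000) created the fixed shared
	// directory with mode 0755; agent B (uid 1001) then tries to write a hook.
	fmt.Println("agent B can write shared dir:", writableBy(1001, 1000, 0o755))
	dir, hook, err := newHookWrapper(os.TempDir(), "hook-before-env", []byte("#!/bin/sh\n"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	fmt.Println("wrote hook to private dir:", hook)
}
```

Because each directory is created with mode 0700 under a unique name, agents running as different users neither block each other nor expose their hook scripts to one another.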

flokli referenced this issue Aug 1, 2024
Also begins the process of consistent naming of the hook wrapper,
instead of scriptwrapper, which is a bit confusing.
flokli added a commit to flokli/nixpkgs that referenced this issue Aug 2, 2024
zimbatm pushed a commit to NixOS/nixpkgs that referenced this issue Aug 2, 2024
* buildkite-agent: 3.59.0 -> 3.76.1

* nixos/buildkite-agent: put each agent in its own private /tmp

Workaround for buildkite/agent#2916, but
probably still a good idea.
gador pushed a commit to gador/nixpkgs that referenced this issue Aug 4, 2024
* buildkite-agent: 3.59.0 -> 3.76.1

* nixos/buildkite-agent: put each agent in its own private /tmp

Workaround for buildkite/agent#2916, but
probably still a good idea.
@DrJosh9000
Contributor

This is a great report! Thanks for taking the time to dig into the problem.
