search

Azure / Azure-Functions

1.11k stars 195 forks source link

Unable to set "Execute" permissions on files in Azure Function #2537

Open gmantri opened 3 weeks ago

gmantri commented 3 weeks ago

I have an Azure Function that is running in Linux (Consumption plan). I have also enabled SCM_DO_BUILD_DURING_DEPLOYMENT by setting its value to true in my environment variables. The Function app has a dependency on Playwright where it needs to run Chrome browser to do some work. I am deploying the code using Github Actions. Everything works great as far as deployment is concerned however when I run my Function code to invoke Chrome, I am getting EACCES error.

Here's my error stack trace:

browserType.launch: Failed to launch: Error: spawn /home/site/wwwroot/node_modules/playwright-core/.local-browsers/chromium-1129/chrome-linux/chrome EACCES
Call log:
  [2m- <launching> /home/site/wwwroot/node_modules/playwright-core/.local-browsers/chromium-1129/chrome-linux/chrome --disable-field-trial-config --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=ImprovedCookieControls,LazyFrameLoading,GlobalMediaControls,DestroyProfileOnBrowserClose,MediaRouter,DialMediaRouteProvider,AcceptCHFrame,AutoExpandDetailsElement,CertificateTransparencyComponentUpdater,AvoidUnnecessaryBeforeUnloadCheckSync,Translate,HttpsUpgrades,PaintHolding,PlzDedicatedWorker --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --unsafely-disable-devtools-self-xss-warnings --headless=old --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --no-sandbox --disable-setuid-sandbox --user-data-dir=/tmp/playwright_chromiumdev_profile-XXXXXXZ5AVqE --remote-debugging-pipe --no-startup-window[22m
[2m  - [pid=N/A] starting temporary directories cleanup[22m
[2m  - [pid=N/A] finished temporary directories cleanup[22m

I know that this issue is related to the lack of Execute access. When I check the permissions on all files and folders inside my .local_browsers folder, I see that all folders have 755 permission however all files have 644 permission.

The issue I am running into is no matter what I do, I cannot change the permissions on the files from 644 to 755.

I have the following in my GitHub Action workflow file:

  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'Production'
      url: ${{ steps.fa.outputs.app-url }}
    permissions:
      id-token: write

    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v4
        with:
          name: node-app

      - name: Unzip artifact for deployment
        run: unzip release.zip -d .

      - name: Set Execute Permissions for Chromium
        run: |
          chmod -R 755 node_modules/playwright-core/.local-browsers/chromium-*/chrome-linux/chrome

      - name: 'Run Azure Functions Action'
        uses: Azure/functions-action@v1
        id: fa
        with:
          app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
          slot-name: ${{ env.AZURE_FUNCTIONAPP_SLOT_NAME }}
          package: .
          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_D22B9920848547EA85D3058628DD78B5 }}
          node-version: ${{ env.NODE_VERSION }}
          enable-oryx-build: true
          deployment-cmd: |
            chmod -R 755 node_modules/playwright-core/.local-browsers

This does not throw any error but it does not change the permission as well.

FWIW, here's my complete workflow:

name: Build and deploy code to Purple Leaf (Dev)

on:
  push:
    branches:
      - development
  workflow_dispatch:

env:
  AZURE_FUNCTIONAPP_PACKAGE_PATH: './src/functions'
  NODE_VERSION: '20.x'
  PLAYWRIGHT_BROWSERS_PATH: 0
  AZURE_FUNCTIONAPP_NAME: '<my function app name>'
  AZURE_FUNCTIONAPP_SLOT_NAME: 'Production'
  ACTIONS_STEP_DEBUG: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout GitHub Action'
        uses: actions/checkout@v4

      - name: Setup Node ${{ env.NODE_VERSION }} Environment
        uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install Yarn
        run: npm install -g yarn

      - name: Install dependencies
        run: |
          echo "Installing dependencies..."
          yarn install --frozen-lockfile

      - name: Install Playwright Browsers
        run: |
          PLAYWRIGHT_BROWSERS_PATH=0 npx playwright install chromium --with-deps

      - name: Verify Browser Installation
        run: |
          if [ -d "node_modules/playwright-core/.local-browsers" ]; then
            echo "Playwright browsers installed successfully."
            ls -R node_modules/playwright-core/.local-browsers
          else
            echo "Playwright browser installation failed!" >&2
            exit 1
          fi

      - name: Build function project
        run: yarn build

      - name: Prepare files for deployment
        run: |
          mkdir deploy
          cp -r node_modules deploy/
          mkdir -p deploy/dist
          cp -r dist/* deploy/dist/
          cp package.json deploy/
          cp ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/host.json deploy/
          echo "Contents of deploy folder:"
          ls -R deploy

      - name: Zip artifact for deployment
        run: |
          cd deploy
          zip -r ../release.zip ./*

      - name: Upload artifact for deployment job
        uses: actions/upload-artifact@v4
        with:
          name: node-app
          path: release.zip

  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'Production'
      url: ${{ steps.fa.outputs.app-url }}
    permissions:
      id-token: write

    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v4
        with:
          name: node-app

      - name: Unzip artifact for deployment
        run: unzip release.zip -d .

      - name: Set Execute Permissions for Chromium
        run: |
          chmod -R 755 node_modules/playwright-core/.local-browsers/chromium-*/chrome-linux/chrome

      - name: 'Run Azure Functions Action'
        uses: Azure/functions-action@v1
        id: fa
        with:
          app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
          slot-name: ${{ env.AZURE_FUNCTIONAPP_SLOT_NAME }}
          package: .
          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_D22B9920848547EA85D3058628DD78B5 }}
          node-version: ${{ env.NODE_VERSION }}
          enable-oryx-build: true
          deployment-cmd: |
            chmod -R 755 node_modules/playwright-core/.local-browsers

I even added a custom startup script and calling it as prestart script but still the permissions are not changed:

#!/bin/bash

# Define the path
LOCAL_BROWSERS_PATH="/home/site/wwwroot/node_modules/playwright-core/.local-browsers"

# Check if the directory exists
if [ -d "$LOCAL_BROWSERS_PATH" ]; then
    # If the file exists, change its permissions
    # chmod -R +x "$LOCAL_BROWSERS_PATH"
    find "$LOCAL_BROWSERS_PATH" -type d -exec chmod 755 {} \;
    find "$LOCAL_BROWSERS_PATH" -type f -exec chmod 755 {} \;
    echo "Permissions updated for $LOCAL_BROWSERS_PATH"
else
    # If the file doesn't exist, print a message and exit successfully
    echo "Chrome executable not found at $LOCAL_BROWSERS_PATH. Skipping permission change."
fi

I am at a complete loss of ideas here as to what I am doing wrong.

P.S. It is a cross-posting. I originally posted this on StackOverflow a few days ago. Posting it here because I did not get any response there. StackOverflow post can be found here: https://stackoverflow.com/questions/78909340/unable-to-set-execute-permissions-on-files-in-azure-function.

bhagyshricompany commented 2 weeks ago

Thanks for reporting will check and update.Thanks