search

devspace-sh / devspace

DevSpace - The Fastest Developer Tool for Kubernetes ⚡ Automate your deployment workflow with DevSpace and develop software directly inside Kubernetes.
https://devspace.sh
Apache License 2.0
4.31k stars 361 forks source link

Upstream - Retry upload because of error permission denied #2590

Closed unnsteinngardars closed 1 year ago

unnsteinngardars commented 1 year ago

What happened? I get the following error from the printLogs when I am trying to execute devspace dev with my devspace setup created by running devspace init and selecting helm.

Upstream - Retry upload because of error: upload archive: upload send: rpc error: code = Unknown desc = untar all: decompress: error creating /app/dapr: mkdir /app/dapr: permission denied

I have successfully deployed and worked on my application by deploying it via kubectl before but now I want to use helm.

What did you expect to happen instead? I don't know if this is expected and I am missing something to resolve it, but at least I would like to be able to have the sync working.. I need to somehow grant the sync process root access or something.

How can we reproduce the bug? (as minimally and precisely as possible) Use the following yaml file, the same Dockerfile if that really is necessary, init devspace using some helm chart, run devspace dev.

My devspace.yaml:

version: v2beta1
name: availableintegrationsgwgit

# This is a list of `pipelines` that DevSpace can execute (you can define your own)
pipelines:
  # This is the pipeline for the main command: `devspace dev` (or `devspace run-pipeline dev`)
  dev:
    run: |-
      run_dependencies --all       # 1. Deploy any projects this project needs (see "dependencies")
      create_deployments --all     # 2. Deploy Helm charts and manifests specfied as "deployments"
      start_dev app                # 3. Start dev mode "app" (see "dev" section)
  # You can run this pipeline via `devspace deploy` (or `devspace run-pipeline deploy`)
  deploy:
    run: |-
      run_dependencies --all                            # 1. Deploy any projects this project needs (see "dependencies")
      build_images --all -t $(git describe --always)    # 2. Build, tag (git commit hash) and push all images (see "images")
      create_deployments --all                          # 3. Deploy Helm charts and manifests specfied as "deployments"

# This is a list of `images` that DevSpace can build for this project
# We recommend to skip image building during development (devspace dev) as much as possible

images:
  app:
    image: ghcr.io/blikk-software/app-integrations:1.0.0
    dockerfile: ./Dockerfile

# This is a list of `deployments` that DevSpace can create for this project
deployments:
  app:
    # This deployment uses `helm` but you can also define `kubectl` deployments or kustomizations
    helm:
      # We are deploying this project with the Helm chart you provided
      chart:
        name: ./charts
      # Under `values` we can define the values for this Helm chart used during `helm install/upgrade`
      # You may also use `valuesFiles` to load values from files, e.g. valuesFiles: ["values.yaml"]
      values:
        ingress:
          enabled: true
          host: localhost
      displayOutput: true

# This is a list of `dev` containers that are based on the containers created by your deployments
dev:
  app:
    # Search for the container that runs this image
    imageSelector: ghcr.io/blikk-software/app-integrations:1.0.0
    # Replace the container image with this dev-optimized image (allows to skip image building during development)
    devImage: ghcr.io/loft-sh/devspace-containers/go:1.18-alpine
    # Sync files between the local filesystem and the development container
    sync:
      - path: ./
        printLogs: true
        excludePaths:
          - .git/
          - .github/
          - .vscode/
          - .postman/
          - charts/
          - postman/
          - httprequests/
          - coverage.out
          - .air.toml
    # Open a terminal and use the following command to start it
    terminal:
      command: ./devspace_start.sh
    # Inject a lightweight SSH server into the container (so your IDE can connect to the remote dev env)
    ssh:
      enabled: true
    # Make the following commands from my local machine available inside the dev container
    proxyCommands:
      - command: devspace
      - command: kubectl
      - command: helm
      - command: git
    # Forward the following ports to be able access your application via localhost
    ports:
      - port: "8080"
    # Open the following URLs once they return an HTTP status code other than 502 or 503
    open:
      - url: http://localhost:8080

# Use the `commands` section to define repeatable dev workflows for this project
commands:
  migrate-db:
    command: |-
      echo 'This is a cross-platform, shared command that can be used to codify any kind of dev task.'
      echo 'Anyone using this project can invoke it via "devspace run migrate-db"'

# Define dependencies to other projects with a devspace.yaml
# dependencies:
#   api:
#     git: https://...  # Git-based dependencies
#     tag: v1.0.0
#   ui:
#     path: ./ui        # Path-based dependencies (for monorepos)

Local Environment:

Client Version: v1.25.0 Kustomize Version: v4.5.7 Server Version: v1.24.0

Anything else we need to know?

As far as I know the root level images configuration entry is not relevant in the case of devspace dev, but I do not understand how the dev.app.imageSelector entry works and why it is needed since I only want to use my current directory and two way sync it to the deployed container. But I know that my Dockerfile that is used in the dev.app.imageSelector image is creating a user and giving it permissions to the files and then in the deploy stage of the Dockerfile that user is non existent.

# syntax=docker/dockerfile:1

##
## Build
##
FROM golang:1.18-alpine AS build

WORKDIR /app
RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app

COPY go.mod ./
COPY go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /bin/integrations ./cmd/integrations/

##
## Deploy
##
FROM scratch as final
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
LABEL org.opencontainers.image.source https://github.com/blikk-software/integrations

COPY --from=build /bin/integrations /.

EXPOSE 8080
ENTRYPOINT ["./integrations"]
matskiv commented 1 year ago

The problem in this case is that the devImage allows only root user to write into /app. I will send a PR for the https://github.com/loft-sh/devspace-containers to make /app writeable by any user, so this issue can be assigned to me.

stavbernazanv commented 1 year ago

Is there any progress with using non-root users? Having the same issues with a nodejs dockerfile

lizardruss commented 1 year ago

@unnsteinngardars I think in your case, the image used is a result of the final build target, and the chown used in the build target no longer applies.

Since you already have a build target, I might suggesting using that as your devImage. This would allow you to chown or chmod /app as needed.

For example:

images:
  app:
    image: ghcr.io/blikk-software/app-integrations:1.0.0
    dockerfile: ./Dockerfile
  app-dev:
    image: ghcr.io/blikk-software/app-integrations:1.0.0-dev
    dockerfile: ./Dockerfile
    target: build

dev:
  app:
    imageSelector: ghcr.io/blikk-software/app-integrations:1.0.0
    devImage: ghcr.io/blikk-software/app-integrations:1.0.0-dev