Closed wladimiiir closed 17 hours ago
We have been able to use runAsUser: 1001
to workaround the issue. But I still think this might be unintentional behavior. Let me know you thoughts, thanks.
This seems like unintended bahavior to me as well; adding it to our project board.
Any updates here?
I think this has got even worse as the directories now have root
as an owner in v1.14.0:
ls -la /layers/
total 28
drwxr-xr-x 1 root root 4096 Jan 1 1980 .
drwxr-xr-x 1 root root 4096 Jun 17 08:42 ..
drwxr-xr-x 2 root root 4096 Jan 1 1980 config
drwxr-xr-x 3 root root 4096 Jan 1 1980 paketo-buildpacks_ca-certificates
drwxr-xr-x 3 root root 4096 Jan 1 1980 paketo-buildpacks_node-engine
drwxr-xr-x 3 root root 4096 Jan 1 1980 paketo-buildpacks_npm-install
drwxr-xr-x 3 root root 4096 Jan 1 1980 sbom
I would like to know if there is any way how to configure it, when building a KNative function (or during any other lifecycle step), so the owner stays as cnb
. Thanks.
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen
. Mark the issue as
fresh by adding the comment /remove-lifecycle stale
.
When container starts up, we need to generate some additional code for specific library, that's located within
node_modules
(utilizing "prestart" script inpackage.json
). After version 1.12.0, this is not possible as the directory does not seem writable for the running user. This used to work with version 1.11.0 and bellow.After some debugging we have found out, that the ownership of the files have changed, which does not allow the running user to write into the directories.
This is output of
id
andls -la /layers
commands when using v1.11.0:uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)
With v1.12.0 and above, we get the following output with different ownership (and uid of cnb user):
uid=1002(cnb) gid=1000(cnb) groups=1000(cnb)
It seems that the related changes have been done as part of https://github.com/knative/func/pull/1911.
We have also tried to utilize KNative security context and
"runAsUser": 1001
, but didn't work either. Is this expected behaviour? Is there anything else we are missing in our configuration? Thanks.