mend / renovate-ce-ee

Mend Renovate Documentation & Examples
https://www.mend.io/renovate/

Permission denied to write to /tmp/renovate on fresh install with volume mount #613

Open ahatzz11 opened 4 days ago

ahatzz11 commented 4 days ago

I am deploying a fresh install of renovate-ce 8.7.0 to kubernetes and am getting the following permission error for the /tmp/renovate folder:

```text
DEBUG: Executing Renovate run command (repository=org/repo)
       "cmd": "/usr/bin/node_default /usr/src/app/node_modules/renovate/dist/renovate.js"
Error: EACCES: permission denied, mkdir '/tmp/renovate/logs/org/repo'
```

We're not using the helm-chart because we need to add annotations to our Secrets for our argocd-vault plugin, so I've copied what would be created by helm and am using that as our base manifest files.

When I add an init container with the following the error is resolved:

```yaml
      initContainers:
        - name: init-permissions
          image: busybox
          command: ["sh", "-c", "chmod -R 777 /tmp/renovate"]
          volumeMounts:
            - name: cache
              mountPath: /tmp/renovate
```

I've done a little debugging around this, and it seems like the renovate-ee folder is owned by the ubuntu user, but the renovate folder is owned by root:

```console
$ whoami
ubuntu

$ ls -lah
total 1.1M
drwxrwxrwt 1 root   root 4.0K Nov 26 22:46 .
drwxr-xr-x 1 root   root 4.0K Nov 26 22:43 ..
-rw-r--r-- 1 root   root  676 Aug 27 04:15 core-js-banners
-rw-r--r-- 1 ubuntu root 1.1M Nov 26 22:46 database.sqlite
-rw-r--r-- 1 ubuntu root 8.6K Nov 26 22:46 database.sqlite-journal
drwxr-xr-x 3 root   root 4.0K Nov 26 22:40 renovate
drwxr-xr-x 2 ubuntu root 4.0K Nov 26 22:43 renovate-ee
```

This kind of seems like a missed directory permission issue in the docker container, but it's certainly possible we're doing something different from the helm-chart. Below are some of our manifest snippets if that helps.

pvc:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: renovate-cache
  labels:
    app: renovate
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
  storageClassName: standard-rwo
```

deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: renovate
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: renovate
  template:
    metadata:
      labels:
        app: renovate
    spec:
      # initContainers:
      #   - name: init-permissions
      #     image: busybox
      #     command: ["sh", "-c", "chmod -R 777 /mnt/renovate"]
      #     volumeMounts:
      #       - name: cache
      #         mountPath: /mnt/renovate
      containers:
        - name: renovate
          image: ghcr.io/mend/renovate-ce:8.7.0
          imagePullPolicy: IfNotPresent
          env:
            ...
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            ...
          readinessProbe:
            ...
          resources:
            ...
          volumeMounts:
            # These volume mounts should NOT overwrite the entire /usr/src/app
            # directory. Only mount in files at specific locations within that directory
            # that do not overlap with other critical files (like server.js).
            - name: config
              mountPath: /usr/src/app/config.json
              subPath: config.json
            - name: github-app-key
              mountPath: /usr/src/app/renovate.private-key.pem
              subPath: renovate.private-key.pem
            - name: cache
              mountPath: /tmp/renovate
      volumes:
        ...
        - name: cache
          persistentVolumeClaim:
            claimName: renovate-cache
```
atanev commented 1 day ago

@ahatzz11 you can try adding a securityContext to your deployment, letting Kubernetes know more about the runtime user. The important part for you, I think, would be "Configure volume permission and ownership change policy for Pods":

```yaml
securityContext:
  fsGroup: 1000
  runAsUser: 1000
```
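The following is an added example, not a manifest from this thread or from the renovate-ce project, showing how the fsGroup approach suggested above fits into the reporter's Deployment so that the `chmod -R 777` init container can be dropped. A world-writable cache directory lets any process in the pod (or anything else that later mounts the PVC) tamper with Renovate's cached repository data and logs, whereas fsGroup only grants the group Renovate actually runs as. The uid/gid value 1000 is an assumption carried over from the comment above; confirm it with `id` inside the running container before relying on it. The `env`, probe and `volumes` entries elided in the original are left out here as well.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: renovate
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: renovate
  template:
    metadata:
      labels:
        app: renovate
    spec:
      # Pod-level securityContext. For volume types that support ownership
      # management, the kubelet chowns the mounted volume to fsGroup and sets
      # the setgid bit on directories, so files created by Renovate stay
      # group-owned by 1000. No init container and no mode 777 needed.
      securityContext:
        runAsUser: 1000        # assumed uid of the image's "ubuntu" user
        runAsGroup: 1000       # assumed gid
        fsGroup: 1000
        runAsNonRoot: true     # fail fast if the image ever starts as root
        # Only re-chown when the volume root is not already owned by fsGroup.
        # Avoids a recursive chown over a 200Gi cache on every pod start.
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
        - name: renovate
          image: ghcr.io/mend/renovate-ce:8.7.0
          imagePullPolicy: IfNotPresent
          # Container-level hardening; assumes the image needs no extra
          # capabilities (it listens on 8080, an unprivileged port).
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /usr/src/app/config.json
              subPath: config.json
            - name: github-app-key
              mountPath: /usr/src/app/renovate.private-key.pem
              subPath: renovate.private-key.pem
            - name: cache
              mountPath: /tmp/renovate
      volumes:
        - name: cache
          persistentVolumeClaim:
            claimName: renovate-cache
```

Two caveats worth checking in your own cluster: fsGroup is only applied to volume types whose driver supports ownership management (most block-backed CSI volumes do; NFS-style shares generally do not), and `fsGroupChangePolicy: OnRootMismatch` skips the chown entirely if the volume root already matches, so a volume first populated under a different uid may need a one-time fix. If your storage does not honour fsGroup, an init container running `chown -R 1000:1000 /tmp/renovate` is still a tighter fix than `chmod -R 777`, since it grants access only to the user Renovate runs as.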