Open BenoitLF opened 1 year ago
Thanks @BenoitLF. This would be nice to add to our troubleshooting page. We welcome PRs if you have the time
@nitrocode and @BenoitLF for me it's not working, why enable_ephemeral_storage = true?
enable_ephemeral_storage does not work ?
@BenoitLF
If enable_ephemeral_storage == true, the EFS config is disabled as you could see in the image:
count = true = 0
I use that config
resource "aws_efs_access_point" "this" {
file_system_id = local.file_system
root_directory {
path = "/${var.application}/${var.environment}"
creation_info {
owner_gid = local.gid (1000)
owner_uid = local.uid (100)
permissions = 0750
}
}
posix_user {
gid = local.gid (1000)
uid = local.uid (100)
}
}
But is failing with: detected dubious ownership in repository
This has broke our Atlantis as well.
We do not use access points, we provision EFS, and then allow the EFS csi to do the provisioning.
We are failing to download modules
Perhaps this command needs to be running Atlantis on a new pr or in a pre workflow hook?
git config --global --add safe.directory '*'
OK, i actually figured out whats going on, but im not sure why it just now started failed.
We have atlantis in 2 clusters, handling deployments for like 20+ repos. So both are heavily used and have went through multiple upgrades etc.
We provision EFS using the EFS CSI helm chart. The default setting for your provisioner is to use a random range for the UID/GID for the EFS mount.
So the atlantis helm chart allows you to lock the uid/gid of the user to 1000:1000
( this matches the debian image before it was broken). But the EFS mount may be owned by say :1008:10008
. I had to re-create a new EFS provisioner just for atlantis, locking the UID/GID to 1000:1000
.
The other atlantis deployment is currently working.. and the EFS mount is owned by 1009:1009
so im not sure what needs to happen to trigger it to fail.
Encountered this issue from today so will try https://github.com/runatlantis/atlantis/issues/3139#issuecomment-1432882110 and it seems to have worked around the issue for now at least
you can do this too:
repos:
- id: /.*/
# allowed_overrides specifies which keys can be overridden by this repo in
# its atlantis.yaml file.
allowed_overrides: [apply_requirements, workflow]
apply_requirements: [approved,mergeable]
# allow_custom_workflows defines whether this repo can define its own
# workflows. If false (default), the repo can only use server-side defined
# workflows.
allow_custom_workflows: true
# This hook is to work around https://github.com/runatlantis/atlantis/issues/2221
pre_workflow_hooks:
- run: git config --global --add safe.directory '*'
you can do this too:
repos: - id: /.*/ # allowed_overrides specifies which keys can be overridden by this repo in # its atlantis.yaml file. allowed_overrides: [apply_requirements, workflow] apply_requirements: [approved,mergeable] # allow_custom_workflows defines whether this repo can define its own # workflows. If false (default), the repo can only use server-side defined # workflows. allow_custom_workflows: true # This hook is to work around https://github.com/runatlantis/atlantis/issues/2221 pre_workflow_hooks: - run: git config --global --add safe.directory '*'
Using this to overcome the issue as I think persistent storage makes sense (maybe I am wrong). A not so nice side effect is that now the hook, that we use as a workaround, will show up on PR status
https://github.com/runatlantis/atlantis/issues/3173 would allow getting rid of this if worked on
I'm going through it, too. But, my apply worked when with -d option.. I don't know why..
you can do this too:
repos: - id: /.*/ # allowed_overrides specifies which keys can be overridden by this repo in # its atlantis.yaml file. allowed_overrides: [apply_requirements, workflow] apply_requirements: [approved,mergeable] # allow_custom_workflows defines whether this repo can define its own # workflows. If false (default), the repo can only use server-side defined # workflows. allow_custom_workflows: true # This hook is to work around https://github.com/runatlantis/atlantis/issues/2221 pre_workflow_hooks: - run: git config --global --add safe.directory '*'
Using this to overcome the issue as I think persistent storage makes sense (maybe I am wrong). A not so nice side effect is that now the hook, that we use as a workaround, will show up on PR status
3173 would allow getting rid of this if worked on
You can just add description field that looks more appealing ;)
pre_workflow_hooks:
- run: |
git config --global --add safe.directory '*'
description: configure-git-credentials
Community Note
Overview of the Issue
Atlantis plan works but the apply does not because of a git error (similar to : this issue)
Logs
--->
Environment details