PermissionError: [Errno 13] Permission denied: '/.azure' when run as container in Jenkins docker agent pipeline !

Open wdrdres3qew5ts21 opened this issue 5 years ago • 11 comments

Sorry, but this problem still persists if you are using "Jenkins Docker in Docker". If you run the Azure CLI container on your local laptop it works fine, but if you run it as a container in a Jenkins pipeline you will face a permission problem, because the "az" binary needs to run as root!!!

This is because Jenkins doesn't give you the "root user" in the container, because of security issues with privilege escalation attacks! So if you type any command related to the "root user" you will get broken output, even from the "whoami" command!!! The way to fix it is to give an additional user argument to the container when running it in the Jenkins pipeline.

Quick and dirty way to fix this problem

agent {
    docker {
        image 'mcr.microsoft.com/azure-cli:2.8.0'
        args "--user root --privileged"
    }
}

You will fix this problem!!! But why does "Azure CLI need root user"? I don't know the internal code of Azure CLI, so I hope the Microsoft team can help fix this problem without needing the az binary to be executed as root. Thank you very much 😭😭😭

Tracing error

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/local/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.6/site-packages/azure/cli/__main__.py", line 33, in <module>
    az_cli = get_default_cli()
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 599, in get_default_cli
    from azure.cli.core.azlogging import AzCliLogging
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/azlogging.py", line 30, in <module>
    from azure.cli.core.commands.events import EVENT_INVOKER_PRE_CMD_TBL_TRUNCATE
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 28, in <module>
    from azure.cli.core.extension import get_extension
  File "/usr/local/lib/python3.6/site-packages/azure/cli/core/extension/__init__.py", line 18, in <module>
    az_config = CLIConfig(config_dir=GLOBAL_CONFIG_DIR, config_env_var_prefix=ENV_VAR_PREFIX)
  File "/usr/local/lib/python3.6/site-packages/knack/config.py", line 38, in __init__
    ensure_dir(config_dir)
  File "/usr/local/lib/python3.6/site-packages/knack/util.py", line 111, in ensure_dir
    raise e
  File "/usr/local/lib/python3.6/site-packages/knack/util.py", line 108, in ensure_dir
    os.makedirs(d)
  File "/usr/local/lib/python3.6/os.py", line 220, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/.azure'

Originally posted by @wdrdres3qew5ts21 in https://github.com/Azure/azure-cli/issues/613#issuecomment-651812788

wdrdres3qew5ts21 avatar Jun 30 '20 14:06 wdrdres3qew5ts21

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @narula0781, @ashishonce, @romil07.

ghost avatar Jun 30 '20 15:06 ghost

Jenkins

yonzhan avatar Jun 30 '20 15:06 yonzhan

Hi @wdrdres3qew5ts21, Azure CLI is never designed to be run as root only.

#613 is talking about a separate issue.

The config directory should be your HOME folder + /.azure, such as /home/foo/.azure:

https://github.com/Azure/azure-cli/blob/3b4d10d473a8d72dc2a1607478beb14424ce2004/src/azure-cli-core/azure/cli/core/_environment.py#L10-L12

But in your case, it is /.azure:

PermissionError: [Errno 13] Permission denied: '/.azure'

Could you please check if your HOME environment variable has been somehow corrupted?

$ echo $HOME
/home/foo

jiasli avatar Jul 01 '20 06:07 jiasli

I already tried the $HOME environment variable; it is still working fine. But it is located at the "/" directory; that is perhaps why my error is:

PermissionError: [Errno 13] Permission denied: '/.azure'

Because

The config directory should be your HOME folder + /.azure

wdrdres3qew5ts21 avatar Jul 01 '20 14:07 wdrdres3qew5ts21

Try to run the docker as a non-root user with -u option: https://github.com/Azure/azure-cli#docker

fengzhou-msft avatar Jul 01 '20 15:07 fengzhou-msft

Sorry for the late reply. I already tried both ways and it still didn't work. It seems like I must create a new Dockerfile based on Azure CLI myself and add a new user in a Dockerfile command step if I really want to run as a user other than root.

--user $(id -u):$(id -g) -v ${HOME}:/home/az -e HOME=/home/az

--user $UID:$GID

wdrdres3qew5ts21 avatar Jul 15 '20 08:07 wdrdres3qew5ts21

According to this answer, docker-workflow-plugin hardcoded the --user to be the result of whoami, so you actually don't need to provide --user again. In your case, it's an unknown user to the container with uid 1000. Then the home (~) directory falls back to the root directory /. You need args '-v ${HOME}:/home/az -e HOME=/home/az' to make the home directory inside the docker to be one that user 1000 has the right permission.

fengzhou-msft avatar Jul 21 '20 15:07 fengzhou-msft

Thank you for your help, but I think this might be a complicated problem, because now I am stuck at the first problem again:

az aks install-cli
Downloading client to "/usr/local/bin/kubectl" from "https://storage.googleapis.com/kubernetes-release/release/v1.18.6/bin/linux/amd64/kubectl"
Connection error while attempting to download client ([Errno 13] Permission denied: '/usr/local/bin/kubectl')

The last resort left is to use the root user... because, the same problem again, "whoami" didn't work so "sudo" didn't work either 😥😥😥

wdrdres3qew5ts21 avatar Jul 22 '20 08:07 wdrdres3qew5ts21

Hello same issue here,

Need to be root with -u 0 to execute this image in Jenkins.

ktibi avatar Aug 06 '20 11:08 ktibi

A workaround is to redefine a custom image from the azure-cli one with a custom user as below

FROM mcr.microsoft.com/azure-cli:latest
RUN mkdir -p /home/user && adduser --disabled-password user
USER user
WORKDIR /home/user

andreadecorte avatar Oct 15 '21 20:10 andreadecorte

Hello,

I ran into the same issue. Perhaps a cleaner workaround is to override the Azure configuration directory thanks to the AZURE_CONFIG_DIR environment variable. See https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration?view=azure-cli-latest#cli-configuration-file.

I set it to the workspace directory as it should always be writeable:

environment {
    AZURE_CONFIG_DIR = "${env.WORKSPACE}/.azure"
}

This way, there is no need to pass additional arguments to the docker.

guillaume-roche avatar Sep 21 '22 09:09 guillaume-roche
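
A preflight check for the failure discussed in this thread, added here as an example and not code from any commenter or from the Azure CLI project: it resolves the config directory the way the comments describe (AZURE_CONFIG_DIR if set, otherwise HOME + /.azure) and tests whether the uid injected by the Jenkins Docker agent can create it, so the step does not need `--user root`. The function names and the treatment of an unset HOME are assumptions.

```shell
#!/bin/sh
# Added example: preflight for a CI step that runs `az` under whatever uid
# the Docker agent injects. Function names are hypothetical.

# Print the config directory as the thread describes it:
# AZURE_CONFIG_DIR when set, otherwise HOME + /.azure.
az_config_dir() {
    if [ -n "${AZURE_CONFIG_DIR:-}" ]; then
        printf '%s\n' "$AZURE_CONFIG_DIR"
    else
        _home=${HOME:-/}    # assumption: treat an unset HOME like HOME=/
        printf '%s\n' "${_home%/}/.azure"
    fi
}

# Succeed if the directory, or its nearest existing ancestor, is a
# directory the current uid can write to and traverse (so mkdir -p works).
can_create_dir() {
    _d=$1
    while [ ! -e "$_d" ]; do
        _d=$(dirname "$_d")
    done
    [ -d "$_d" ] && [ -w "$_d" ] && [ -x "$_d" ]
}

# Report the effective uid, whether it has a passwd entry, and whether the
# config directory is usable. Returns non-zero when az would hit Errno 13.
az_preflight() {
    _dir=$(az_config_dir)
    if ! id -un >/dev/null 2>&1; then
        echo "note: uid $(id -u) has no passwd entry; HOME=${HOME:-unset}"
    fi
    if can_create_dir "$_dir"; then
        echo "ok: uid $(id -u) can use $_dir"
        return 0
    fi
    echo "fail: uid $(id -u) cannot create $_dir;" \
         "point AZURE_CONFIG_DIR at a writable path" >&2
    return 1
}

# Stand-alone use: sh az-preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    az_preflight
fi
```

Running it as the first `sh` step of the stage, before any `az` command, shows which uid and HOME the agent actually supplied.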

Use USER root; this worked for me.

Vinaysv18 avatar Oct 13 '22 11:10 Vinaysv18

Hello,

I ran into the same issue. Perhaps a cleaner workaround is to override the Azure configuration directory thanks to the AZURE_CONFIG_DIR environment variable. See https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration?view=azure-cli-latest#cli-configuration-file.

I set it to the workspace directory as it should always be writeable:

environment {
    AZURE_CONFIG_DIR = "${env.WORKSPACE}/.azure"
}

This way, there is no need to pass additional arguments to the docker.

This worked for me - probably the best solution.

zammitjohn avatar Jan 24 '24 12:01 zammitjohn