containerbaseDir in emptyDir does not work with persistence

[vquie]

Hi,

I just saw that containerbaseDir in combination with persistence ist not working. I don't know if it should work since an emptyDir will be mounted inside a pvc. Maybe it also has something to do with fsGroup: 1000 which I had to setup. Otherwise the cache did not work at all.

Is this an issue or am I just deploying it wrong?

"stderr": "You don't have permission to create /tmp/renovate/cache/containerbase.\ncurl: (23) Failed writing received data to disk/application\nDownload failed: https://nodejs.org/dist/v18.14.0/node-v18.14.0-linux-x64.tar.xz\nbash: npm: command not found\n",

I am running in EKS with gp3 volumes.

Thanks.

[viceice]

you probably need to prepare the volume with the right rights before mounting it to renovate

[viceice]

we can accept a PR which adds a conditional startup container to change volume permission as root. that should be disabled by default.

[vquie]

This is not about fsgroup. Is it possible to mount an emptyDir on a pvc? This is what is happening here. I think there needs to be a switch to allow a different mount point for the emptydir when using persistence in the main container.

[viceice]

🤷‍♂️ make a PR which suggested changes and I'll review it.

[kvanzuijlen]

@vquie Are you able to post your helm configuration so I can try to reproduce this issue? I can try and look into this issue if I'm able to reproduce it. As far as I know, an emptyDir should be mountable on a PVC (since in the end, these are just Linux mounts).

[vquie]

I dug a little deeper.

This is the relevant part of the config:

---
securityContext:
  fsGroup: 1000
renovate:
  config: |
    {
      "platform": "gitlab"
    }
  persistence:
    cache:
      enabled: true
      storageClass: "my-default-storageclass"
      storageSize: "50Gi"
dind:
  enabled: true
  slim:
    enabled: true
env:
  RENOVATE_DRY_RUN: "null"
  RENOVATE_AUTODISCOVER: "false"
  RENOVATE_REPOSITORIES: |
    [
      {
        "repository": "my-repo"
      }
    ]
  RENOVATE_PERSIST_REPO_DATA: "true"
  RENOVATE_REPOSITORY_CACHE: "enabled"
  RENOVATE_REPOSITORY_CACHE_TYPE: "local"

This is what is deployed to the cluster:

          containers:
            - name: renovate
              [...]
              volumeMounts:
              [...]
              - name: renovate-cache
                mountPath: /tmp/renovate
              - name: renovate-tmp-volume
                mountPath: /tmp

            - name: renovate-dind
              [...]
              volumeMounts:
                - name: renovate-tmp-volume
                  mountPath: /tmp
          volumes:
            [...]
            - name: renovate-cache
              persistentVolumeClaim:
                claimName: renovate-cache
            - name: renovate-tmp-volume
              emptyDir: {}

As you can see renovate-tmp-volume, the emptyDir, is mounted to /tmp. Default containerbaseDir resides in /tmp/renovate/cache though which is mounted inside the persistentVolumeClaim .

Maybe there needs to be a switch to change containerbaseDir if docker-in-docker is enabled?

[viceice]

as the slim image can now be used with install mode, you should use that instead of dind. just set the binary source ENV var to install, set slim to true and disable dind.

we should document that and prefer over docker mode.

[vquie]

That would be great. How can I enable slim without updating the tag by myself? I would like to keep up with the image version of the chart. Enabling slim in the dind scope does not work if dind is disabled.

[viceice]

ok, we need to change it then. so we can support slim without dind.

[viceice]

• #281

[viceice]

• #298

Can anybody verify that it's working with slim image and install mode?

[vquie]

I am using this and had no issues so far.

[viceice]

So we can close this issue?

• #298

[viceice]

closing due to inactivity and dropped DinD support