
Grant executable permission on file contents of mountable secret


What does this MR do and why?

Grant executable permission on file contents of mountable secret

Specifically for the gl-workspace-variables secret, since it contains shell scripts that must run during container initialization. Earlier, only the owner and users belonging to the owner's group were allowed to execute them. This MR grants other users permission to execute these files as well.

This MR also adds support for running workspaces with sysbox enabled on GKE clusters whose nodes run Linux kernels older than 5.19.

References

gl_git_credential_store.sh should have executab... (#537910 - closed) • Ashvin Sharma • Backlog

How to set up and validate locally

  1. Set up a Kubernetes cluster (GKE only).
  2. Install sysbox in that cluster.
  3. Create an agent configuration that enables sysbox.
  4. Create a workspace and run it on the cluster. The expectation is that the workspace should not fail.
    1. Run kubectl get pod to check that the workspace pods are up.
    2. Run kubectl exec -it <pod name> -- bash to exec into the pod.
    3. Run cd /.workspace-data/variables/file/..data to change into the mounted secret directory.
      1. Run ls -al to see the ownership and permissions of all the files in the directory. All files should have permission bits 555, in other words, all files should be readable and executable by everyone.
    4. Run cd /projects/<repository> to move into the cloned repository.
      1. Run touch new_file && git add new_file && git commit -m "test git credentials" && git push to make sure this pod can perform a successful git push.
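The permission check in step 4.3.1 can be scripted so that it is repeatable across the sysbox and non-sysbox cases. The script below is an added example, not code from this MR or from the GitLab codebase. It assumes a GNU or BusyBox stat (stat -L -c '%a') inside the workspace container, and that the mounted secret directory is the one used in the steps above. It verifies that every regular file in the directory carries mode 555 and also reports, per file, whether other users can read and execute it, so a reviewer can see that a uniform 555 on the whole secret makes gl_token readable by every user in the container, not only the scripts executable.

```shell
#!/bin/sh
# Added example (not from the MR): validate the mode bits of files in a
# mounted Kubernetes secret directory. Assumes GNU/BusyBox `stat -c`.

# check_secret_modes DIR [EXPECTED_MODE]
# Returns 0 if every regular file directly under DIR has the expected octal
# mode (default 555), 1 otherwise. Offending files are listed on stderr.
check_secret_modes() {
    dir="$1"
    expected="${2:-555}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                  # skip subdirectories
        mode=$(stat -L -c '%a' "$f")             # -L: follow ..data symlinks
        if [ "$mode" != "$expected" ]; then
            printf '%s: mode %s, expected %s\n' "$f" "$mode" "$expected" >&2
            rc=1
        fi
    done
    return $rc
}

# others_can_execute FILE: 0 if the "other" execute bit (001) is set.
others_can_execute() {
    mode=$(stat -L -c '%a' "$1")
    [ $(( 0$mode & 1 )) -eq 1 ]                  # 0-prefix: octal arithmetic
}

# others_can_read FILE: 0 if the "other" read bit (004) is set.
others_can_read() {
    mode=$(stat -L -c '%a' "$1")
    [ $(( 0$mode & 4 )) -eq 4 ]
}

# report_exposure DIR: print, for each file, what other users can do with it.
report_exposure() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        r=no; x=no
        others_can_read "$f" && r=yes
        others_can_execute "$f" && x=yes
        printf '%-45s others: read=%s exec=%s\n' "$(basename "$f")" "$r" "$x"
    done
}

# Running this file directly: check the directory given as the first argument,
# e.g. /.workspace-data/variables/file/..data from step 4.3.
if [ $# -gt 0 ]; then
    report_exposure "$1"
    check_secret_modes "$1" && echo "all files have mode 555"
fi
```

Running it inside the pod from step 4.3 as `sh check_modes.sh /.workspace-data/variables/file/..data` should print `all files have mode 555` and a per-file line showing read=yes exec=yes for gl_git_credential_store.sh, gl_token and gl_workspace_reconciled_actual_state.txt, matching the ls -al output in the test section.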

Test output

On a sysbox container

gitlab-workspaces@workspace-6-1-dl81x4-799cbccd95-b6c7v:/.workspace-data/variables/file/..data$ ls -al
total 12
drwxr-sr-x 2 nobody nogroup 100 May  7 13:35 .
drwxrwsrwt 3 nobody nogroup 140 May  7 13:35 ..
-r-xr-xr-x 1 nobody nogroup 470 May  7 13:35 gl_git_credential_store.sh
-r-xr-xr-x 1 nobody nogroup  26 May  7 13:35 gl_token
-r-xr-xr-x 1 nobody nogroup   8 May  7 13:35 gl_workspace_reconciled_actual_state.txt
gitlab-workspaces@workspace-6-1-dl81x4-799cbccd95-b6c7v:/.workspace-data/variables/file/..data$ whoami
gitlab-workspaces

On a non-sysbox container

gitlab-workspaces@workspace-6-1-dqzoyi-5876486595-5j8wl:/.workspace-data/variables/file/..data$ ls -l
total 12
-r-xr-xr-x 1 root root 470 May  7 13:50 gl_git_credential_store.sh
-r-xr-xr-x 1 root root  26 May  7 13:50 gl_token
-r-xr-xr-x 1 root root   7 May  7 13:50 gl_workspace_reconciled_actual_state.txt
gitlab-workspaces@workspace-6-1-dqzoyi-5876486595-5j8wl:/.workspace-data/variables/file/..data$ whoami
gitlab-workspaces

Notice that in both cases other users have execute permission on every file, which was not the case earlier.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ashvin Sharma
