Skip to content

fix(dind): set fsGroup so executor can write to ephemeral scratch volume#882

Merged
michaellzc merged 1 commit into
mainfrom
fix/dind-scratch-permissions
Jun 6, 2026
Merged

fix(dind): set fsGroup so executor can write to ephemeral scratch volume#882
michaellzc merged 1 commit into
mainfrom
fix/dind-scratch-permissions

Conversation

@michaellzc
Copy link
Copy Markdown
Member

@michaellzc michaellzc commented Jun 6, 2026
edited
Loading

Summary

  • Add executor.podSecurityContext defaulting to fsGroup: 101 so the sourcegraph user (uid=100, gid=101) can write to the /scratch volume
  • Fixes permission denied errors when creating job workspace directories under /scratch with ephemeral storage

Root cause

Executors running in Docker mode (dind) create job workspaces as directories under $TMPDIR (/scratch). When storage.type: ephemeral, the PVC is mounted root:root 755 — the sourcegraph non-root user can't write to it.

This was never hit before because dind executors previously ran in emptyDir only, which is not affected

Test plan

  • Deploy with storage.type: ephemeral and confirm workspace directories are created without permission errors
  • Confirm emptyDir deployments are unaffected

@michaellzc michaellzc requested a review from a team June 6, 2026 02:53
@michaellzc michaellzc force-pushed the fix/dind-scratch-permissions branch from 50afb81 to 66999d7 Compare June 6, 2026 02:54
@michaellzc michaellzc requested review from a team June 6, 2026 02:54
@michaellzc @claude
fix(dind): set fsGroup so executor can write to ephemeral scratch volume
fe3ad24 
Executors running in Docker mode (dind) prepare job workspaces by
creating directories under $TMPDIR (/scratch). When storage.type is
ephemeral, the PVC is mounted root:root 755 and the sourcegraph user
(uid=100, gid=101) cannot create directories there.

Added executor.podSecurityContext defaulting to fsGroup: 101, which
causes Kubernetes to chown mounted volumes to the sourcegraph group on
mount. This is a no-op for emptyDir (already 1777) and only matters
for ephemeral PVCs.

Root cause: Docker mode (EXECUTOR_USE_KUBERNETES=false) was only
introduced in sourcegraph/sourcegraph#12881 — previously dind executors
ran in KubernetesMode and never wrote to the local /scratch directory.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@michaellzc michaellzc force-pushed the fix/dind-scratch-permissions branch from 66999d7 to fe3ad24 Compare June 6, 2026 02:55
@michaellzc michaellzc enabled auto-merge (squash) June 6, 2026 02:56
@michaellzc michaellzc merged commit 143b7c3 into main Jun 6, 2026
5 checks passed
@michaellzc michaellzc deleted the fix/dind-scratch-permissions branch June 6, 2026 03:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcleblanc2 marcleblanc2 marcleblanc2 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@michaellzc @marcleblanc2