Permission issues on /var/lib/awx/projects/

[fawzi-iit]

Please confirm the following

• I agree to follow this project's code of conduct.
• I have checked the current issues for duplicates.
• I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.

Bug Summary

Permission issues on /var/lib/awx/projects/
after fresh install of latest awx & awx-operator, following the documentation to configure "Persisting Projects Directory"
all works fine except permission denied when trying to create anything under /var/lib/awx/projects/.

is there a workaround to change the owner of /var/lib/awx/projects to be awx?

AWX Operator version

2.19.1

AWX version

24.6.1

Kubernetes platform

kubernetes

Kubernetes/Platform version

k8s 1.28.5-1

Modifications

no

Steps to reproduce

kubectl exec -it awx-web-54f9d7d7c9-62lfc -n awx -- bash

bash-5.1$ id
uid=1000(awx) gid=0(root) groups=0(root)
bash-5.1$

bash-5.1$ df -kh /var/lib/awx/projects
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 39G 3.6G 36G 10% /var/lib/awx/projects
bash-5.1$

bash-5.1$ ls -ltrh /var/lib/awx/
total 12K
drwxr-xr-x 3 root root 4.0K Jul 2 2024 venv
drwxr-xr-x 3 root root 4.0K Jul 2 2024 public
drwxrwxr-x 1 root root 4.0K Jul 2 2024 rsyslog
drwxrwxr-x 2 root 1000 6 Jan 1 00:28 projects
prw------- 1 awx root 0 Jan 1 14:34 awxfifo
bash-5.1$

Expected results

bash-5.1$ ls -ltrh /var/lib/awx/
total 12K
drwxr-xr-x 3 root root 4.0K Jul 2 2024 venv
drwxr-xr-x 3 root root 4.0K Jul 2 2024 public
drwxrwxr-x 1 root root 4.0K Jul 2 2024 rsyslog
drwxrwxr-x 2 awx root 6 Jan 1 00:28 projects
prw------- 1 awx root 0 Jan 1 14:34 awxfifo
bash-5.1$

Actual results

bash-5.1$ ls -ltrh /var/lib/awx/
total 12K
drwxr-xr-x 3 root root 4.0K Jul 2 2024 venv
drwxr-xr-x 3 root root 4.0K Jul 2 2024 public
drwxrwxr-x 1 root root 4.0K Jul 2 2024 rsyslog
drwxrwxr-x 2 root 1000 6 Jan 1 00:28 projects
prw------- 1 awx root 0 Jan 1 14:34 awxfifo
bash-5.1$

Additional information

awx.yaml

---

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
name: awx
spec:
admin_user: admin
service_type: nodeport
projects_persistence: true

Operator Logs

No response

[kurokobo]

kubectl exec -it awx-web-54f9d7d7c9-62lfc -n awx -- bash

See id on task pod. The awx user in task pod has gid 1000 which can write projects dir.

[fawzi-iit]

@kurokobo Thanks for the quick response. Yes, I see gid 1000 in the task pod. previously on an attempt to make this work from the webui, I had to manually create a dir inside projects named playbooks. Now I can write to it from the webui.
is it possible to use the project directly without this workaround from the pod?

[kurokobo]

In the first place, except for the case of using a "Manual" type project, it is not really expected to manage directories and files under /var/lib/awx/projects manually.

Even if you want to use a "Manual" type project, I think it is better to perform any operations on the mounted PVC side rather than from Bash inside the Pod.