https://pulumi.com logo
Powered by
Title
g

gorgeous-minister-41131

03/23/2023, 3:49 AM
did some behavior recently change with Pulumi from 3.53 -> 3.58 (and now 3.59?) -- I've been using it as an ArgoCD CMP for a while now, and it seems now pulumi wants to run 
pulumi about
no matter what you run even if you just want to 
pulumi update -C somedir/
in the pwd. For example... ArgoCD strips the root /tmp/_argocd-repo of all read permissions [not sure why, but it's just the behavior it seems to exhibit https://github.com/argoproj/argo-cd/blob/master/reposerver/repository/repository.go#L175]. I can see if I can work around it, but I'm curious why the actions of 
pulumi about
seem to implicitly run now when doing a 
pulumi update
in a project in the current working directory... TBH this isn't a problem unique to just argo, since it is certainly appropriate for someone to restrict access at the root of a directory, but allow permission in a subdirectory of that directory. Pulumi has no business trying to traverse from the top of the basedir root IMO. Anyways it is reported as an error, but when the 
pulumi update
is run it seems to fail with exit codes... 
argocd@argo-cd-argocd-repo-server-55d7cdfb97-xtkp7:/tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra$ pulumi about
CLI
Version      3.59.0
Go Version   go1.20.2
Go Compiler  gc

Host
OS       ubuntu
Version  22.04
Arch     x86_64

Pulumi locates its logs in /tmp by default
warning: Failed to read project: failed to locate Pulumi.yaml project file: open /tmp/_argocd-repo: permission denied
argocd@argo-cd-argocd-repo-server-55d7cdfb97-xtkp7:/tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra$ stat $(pwd)
  File: /tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra
  Size: 193       	Blocks: 0          IO Block: 4096   directory
Device: 10301h/66305d	Inode: 75495274    Links: 9
Access: (0755/drwxr-xr-x)  Uid: (  999/  argocd)   Gid: (  999/  argocd)
Access: 2023-03-23 03:44:11.481492993 +0000
Modify: 2023-03-23 03:44:11.517493089 +0000
Change: 2023-03-23 03:44:11.517493089 +0000
 Birth: 2023-03-23 03:44:11.481492993 +0000
Perhaps this is some weird implicit behavior of some common lib/function/etc, but it just smells wrong.
argocd@argo-cd-argocd-repo-server-55d7cdfb97-xtkp7:/tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra$ pulumi whoami
error: failed to locate Pulumi.yaml project file: open /tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra: permission denied
it seems to be invoked by the whoami logic, and I see this stuff was recently changed in recent merges
argocd@argo-cd-argocd-repo-server-55d7cdfb97-xtkp7:/tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra$ pulumi login file:///tmp/tmp.Wqvf7DFQPz
error: failed to locate Pulumi.yaml project file: open /tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra: permission denied
argocd@argo-cd-argocd-repo-server-55d7cdfb97-xtkp7:/tmp/_argocd-repo/52c01366-05dc-4758-9681-a63572526b17/infra$ echo $?
255
I think I pinpointed the actual exit code
it's during the 
pulumi login
phase
https://github.com/pulumi/pulumi/issues/12481
I opened/reported this - I know it's a strange edgecase, but it is one indeed.
I can reliably reproduce it just by creating a directory structure that removes read from the root-parent.
Also if anyone else runs into this, I was able to workaround it by doing 
cd $HOME
		${PULUMI_CMD} login file://$pulumi_state_temp
		cd -
It appears that pulumi update works just fine - it is just login that barfs on the permission problem
2 Views
#generalJoin Slack
Powered by