Docker Runner Fails With Permission Denied Errors in Build Log
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The Docker runner fails on Fedora/CentOS/RHEL hosts with SELinux in enforcing mode. The Bamboo build fails with a permission denied error in the log because directories mounted from the host into the container are not accessible, even to the root user inside the container.
Environment
The issue can be reproduced with any Bamboo version on Fedora/CentOS/RHEL with SELinux running in enforcing mode.
Diagnosis
The build in Docker fails, and you will see errors like the following in the job build log:
/tmp/runInDocker8004722310245392322.sh: /home/bamboo/bamboo-agent-home/temp/IPT-BPTD-JOB1-23-ScriptBuildTask-2477866816195297390.sh: Permission denied
In this example, the mounted script containing the Script task's body cannot be accessed. Similar failures occur when source code in a working directory mounted into the Docker container cannot be accessed, for example:
/tmp/runInDocker2036597224817806522.sh: 2: cd: can't cd to /home/bamboo/bamboo-agent-home/xml-data/build-dir/TEST-TES4-JOB1
Cause
By default, Docker container processes run with the system_u:system_r:svirt_lxc_net_t:s0 label. The svirt_lxc_net_t type is allowed to read and execute most content under /usr, but it is not allowed to use most other types on the system. As a result, when Bamboo starts a build container and mounts the temp and working directories, nothing in these directories is accessible to any user in the container, not even root. This results in exec failures: the mounted files cannot be accessed, so the job tasks cannot be executed.
Solution
There are four solutions, listed from the easiest and least secure to the slightly more involved and more secure:
Turn off SELinux
This may be a no-go for security reasons; however, if turning SELinux off is an option, doing so fixes the issue.
Run container in a privileged mode
This is possible only in Bamboo 7.1 and later, which introduced extra Docker run arguments. Running containers in privileged mode also opens security risks, so do it with caution:

Manually add a label to host directory
Attach the proper SELinux type label to the Bamboo agent home directories (xml-data, temp, or the entire agent home directory):
chcon -Rt svirt_sandbox_file_t /home/bamboo/bamboo-agent-home/xml-data
chcon -Rt svirt_sandbox_file_t /home/bamboo/bamboo-agent-home/temp
Add :z suffix to volume mount binding
You can also let Docker do the labeling for you by appending the :z suffix to the volume mount binding (the container directory) in the Bamboo UI, under the job's Docker configuration.
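To check which mounted directories still carry a type that a container process cannot use, and to print the chcon command or the :z binding that would fix them, here is an added shell helper. It is not part of this KB or of Bamboo; it assumes GNU coreutils (stat -c %C prints the SELinux context, or ? on hosts without SELinux) and the Docker CLI's host:container[:options] volume syntax, whereas in the Bamboo UI the :z suffix is appended to the container directory field. The directory paths are the ones from the article; container_file_t is accepted alongside svirt_sandbox_file_t because it is the name newer container-selinux policies use for the same type.

```shell
#!/bin/sh
# Added example (not from the KB or from Bamboo): audit the SELinux type on
# directories Bamboo mounts into build containers and show how to fix them.

# Types a container process (svirt_lxc_net_t, or container_t on newer policies)
# may read, write and execute. container_file_t is the newer name for
# svirt_sandbox_file_t in the container-selinux policy.
ALLOWED_TYPES="svirt_sandbox_file_t container_file_t"

# The third field of user:role:type:level is the SELinux type.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the context's type is one the container is allowed to use.
context_mountable() {
    t=$(selinux_type_of "$1")
    for allowed in $ALLOWED_TYPES; do
        [ "$t" = "$allowed" ] && return 0
    done
    return 1
}

# Context of a real path; GNU stat prints '?' where SELinux is unavailable,
# which is reported as an empty string here.
context_of_path() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=""
    [ "$ctx" = "?" ] && ctx=""
    printf '%s\n' "$ctx"
}

# The chcon command from the KB that relabels a directory for container use.
fix_command_for() {
    printf 'chcon -Rt svirt_sandbox_file_t %s\n' "$1"
}

# Docker CLI volume binding with the z option added so Docker relabels it.
volume_with_z() {
    case "$1" in
        *:*:*[zZ]*) printf '%s\n' "$1" ;;    # already carries z or Z
        *:*:*)      printf '%s,z\n' "$1" ;;  # has options, append z
        *)          printf '%s:z\n' "$1" ;;  # plain host:container
    esac
}

# Audit each directory: OK, NOT accessible (with the fix), or context unknown.
# Returns 1 if any directory needs relabeling.
audit_dirs() {
    rc=0
    for d in "$@"; do
        ctx=$(context_of_path "$d")
        if [ -z "$ctx" ]; then
            echo "$d: no SELinux context (path missing or SELinux not available)"
        elif context_mountable "$ctx"; then
            echo "$d: OK ($ctx)"
        else
            echo "$d: NOT container-accessible ($ctx); fix with: $(fix_command_for "$d")"
            rc=1
        fi
    done
    return $rc
}

# Directories from the KB article; adjust to your agent's home.
audit_dirs /home/bamboo/bamboo-agent-home/xml-data /home/bamboo/bamboo-agent-home/temp \
    || echo "some directories need relabeling before the build container can use them"
echo "binding with relabel: $(volume_with_z /home/bamboo/bamboo-agent-home/temp:/home/bamboo/bamboo-agent-home/temp)"
```

Run it on the agent host as the bamboo user; a directory reported as NOT container-accessible is the one that produces the Permission denied or can't cd errors shown in the Diagnosis section, and either the printed chcon command or the :z binding resolves it.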
