Permission of /var/lib/awx/projects on PV

Get Help
, ,
1

Hello guys,

i’d like to ask for help..

situation.

i installed awx operator via kustomize:

cat kustomization.yml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - github.com/ansible/awx-operator/config/default?ref=2.19.1
  - awx.yaml
images:
  - name: quay.io/ansible/awx-operator
    newTag: 2.19.1
namespace: awx

cat awx.yaml
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  ###postgres perm:
  postgres_data_volume_init: true

  ###ingress
  ingress_type: ingress
  ingress_hosts:
    - hostname: awx.....com
      tls_secret: awx-cert

  ###persistance storage###
  projects_persistence: true
  projects_storage_class: longhorn
  projects_storage_size: 10Gi

awxoperator is running within rke2 kubernetes cluster ,

k get pods -n awx
NAME                                               READY   STATUS      RESTARTS   AGE
awx-migration-24.6.1-6n9sc                         0/1     Completed   0          4d
awx-operator-controller-manager-77b4f86b76-9958r   2/2     Running     0          16m
awx-postgres-15-0                                  1/1     Running     0          4d
awx-task-b9b8d4d5b-5vx7m                           4/4     Running     0          10m
awx-web-6ffcfb677-xtt7q                            3/3     Running     0          16m

problem:
i configured projects/credentials/etc within awx gui to synchronize awx with gitlab repository, but sync does not work due to:

Cloning into '/var/lib/awx/projects/_8__sync_gitlab'...
fatal: could not open '/var/lib/awx/projects/_8__sync_gitlab/.git/objects/pack/tmp_pack_F5iXfZ' for reading: Permission denied
fatal: fetch-pack: invalid index-pack output

i tried put in awx.yaml : task_privileged: true/security context. etc..but nothing helps..

i think if i would be able somehow set Security Context/Pod Filesystem Group/Filesystem Group to 0 , i think it would be work… but kustomoze still rewrite this to 1000…

in case that i omit persistent volume section in awx.yaml, everything works fine, im able to make a sync and run playbook stored in gitlab…

as backend for storage using longhorn:

kubectl  get pv -n awx | grep -n  awx
pvc-010b9cce-0581-4a50-9440-e71fbeae98c5   10Gi       RWX            Retain           Bound      awx/awx-projects-claim

                                               longhorn          <unset>                          95m

permissions in pod awx-task in awx-task container:

PV mounted:

10.43.85.83:/pvc-010b9cce-0581-4a50-9440-e71fbeae98c5  9.8G     0  9.8G   0% /var/lib/awx/projects

bash-5.1$ cd /var/lib/awx/projects/
bash-5.1$ ls -l
drwxr-xr-x 2 awx  root  4096 Jul  8 10:21 _8__sync_gitlab
-rwxr-xr-x 1 awx  root     0 Jul  8 10:21 _8__sync_gitlab.lock
drwx------ 2 root root 16384 Jul  8 09:58 lost+found

bash-5.1$ ls -l
total 16
drwxrwxr-x 5 root 1000 4096 Jul  8 10:21 projects

bash-5.1$ ls -l | grep awx
drwxrwxr-x 1 root root 4096 Jul  8 10:19 awx

NO PV:

bash-5.1$ ls -ld awx/
drwxrwxr-x 1 root root 4096 Jul  8 10:31 awx/

bash-5.1$ ls -ld projects/
drwxrwxrwx 4 root root 4096 Jul  8 10:35 projects/

bash-5.1$ ls -l
total 4
drwxr-xr-x 3 awx root 4096 Jul  8 10:37 _8__sync_gitlab
-rwxr-xr-x 1 awx root    0 Jul  8 10:37 _8__sync_gitlab.lock

Screenshot 2025-07-08 at 12.46.37
Screenshot 2025-07-08 at 12.46.371367×159 15.5 KB

any idea?

Thanks in advance

L

2

solved:

i just add to awx.yaml :

security_context_settings:
    fsGroup: 0
    fsGroupChangePolicy: OnRootMismatch
    runAsGroup: 0
    runAsUser: 0

now, PV is accessible from awx gui