How to configure the default Umask for Bamboo Data Center or remote agent

Summary

By default, files created by the Bamboo server process or remote agents are stored on the filesystem with a default umask value of 0027. This restrictive setting aligns with Tomcat's security recommendations to limit file accessibility. However, this default can sometimes interfere with build processes, causing permission errors, especially with checked-out source code or when generated artifacts require broader group access.

This guide outlines how to change the default umask for the Bamboo server and remote agents when necessary, helping you resolve permission-related build failures and manage file access effectively.

We use the 0027 permission level by default to be compliant with Tomcat security recommendations:

File permissions should also be suitably restricted. In the .tar.gz distribution, files and directories are not world readable and the group does not have write access. On Unix like operating systems, Tomcat runs with a default umask of 0027 to maintain these permissions for files created while Tomcat is running (e.g. log files, expanded WARs, etc.).

Modifying the default umask reduces the default security restrictions on generated files. Ensure you understand the potential security implications for your environment before proceeding with this change.

Symptoms / Problem Diagnosis

You might need to adjust the default umask if you encounter issues like:

  • Build Failures with Permission Errors: Builds running on Bamboo agents (local or remote) fail intermittently or consistently with "permission denied" errors.

  • Errors on Checked-Out Code: These errors often occur when scripts (like build.sh) or build tools attempt to read, write, or execute files that were checked out from source control (e.g., Git, Bitbucket) during the build. Example:

      • File permission error. path/to/file --- FAILED

      • /bin/sh: ./your_script.sh: Permission denied

      • Errors indicating a build process cannot modify or access files within the build working directory.

      • /bin/sh: ./build.sh: /bin/bash^M: bad interpreter: No such file or directory (While this specific error points to line ending issues resolvable with dos2unix, underlying permission problems can sometimes mask or accompany such errors).


  • Inconsistent Behavior Across Agents: A build might succeed on one agent but fail on another with permission errors, potentially due to differences in how the agent process was started or configured, leading to different effective umasks.

  • Need for Group Access: Build artifacts or intermediate files created by Bamboo need to be accessed or modified by other users or processes belonging to the same group as the Bamboo/agent user.

These symptoms can arise because the default umask 0027 (permissions rwxr-x---) removes write permissions for the group and all read/write/execute permissions for others. If your build process requires group write access or involves tools that expect less restrictive permissions on checked-out files, the default umask can cause failures. Changing the umask to a less restrictive value, such as 0022 (permissions rwxr-xr-x), grants group write access and read/execute access to others, often resolving these issues.

Environment

  • Any version of Bamboo Server

  • Any version of Bamboo Remote Agent (including Docker agents) running on Unix-like operating systems.

Solution

If you've identified that the default umask is causing build problems or does not meet your access requirements, follow the steps below for the relevant component. A common alternative umask is 0022, which allows group write access.

Bamboo Server (Affects Local Agents)

Choose one of the following options:

Option 1: Export the UMASK environment variable in setenv.sh

  • Stop Bamboo Server.

  • Edit the <bamboo-install>/bin/setenv.sh file.

  • Add the export UMASK=0022 line immediately after the JVM_SUPPORT_RECOMMENDED_ARGS="" line (or modify an existing export UMASK line):


# Occasionally Atlassian Support may recommend that you set some specific JVM arguments.
# You can use this variable to do that. Simply uncomment the below line and add any required
# arguments. Note that this will override any specified in the BUMBLE_PROPERTIES_FILE.
#
# JVM_SUPPORT_RECOMMENDED_ARGS="-Dsome.property=true -Danother.property=false"
JVM_SUPPORT_RECOMMENDED_ARGS=""
export UMASK=0022 # <--- Add this line (replace 0022 with your desired umask)

  • Save the file.

  • Start Bamboo Server.

Option 2: Adjust the default value directly in catalina.sh

  • Shut down Bamboo Server.

  • Edit the file <bamboo-install>/bin/catalina.sh.

  • Locate the section that sets the default UMASK.

  • Modify the default value from 0027 to your desired value, for example, 0022:

# Set the default umask for processes started by Catalina
if [ -z "$UMASK" ]; then
    # UMASK="0027"  # <--- Comment out or remove original
    UMASK="0022"    # <--- Set your desired umask here
fi
umask $UMASK

  • Save the file.

  • Start Bamboo Server.

Applying either of these changes sets the umask for the Bamboo server's JVM process. Consequently, any files created directly by the server or by local agents running under it should use this new permission mask. Other methods, like setting the umask in the systemd service file or the shell profile (.bashrc, .profile) of the user running Bamboo, can also achieve this. The key principle is that if the UMASK environment variable is set when the Bamboo/Tomcat process starts, Bamboo will use its value instead of the default 0027.

Remote Agent

  • Stop the remote agent.

  • Edit the <Bamboo_Agent_Home>/conf/wrapper.conf file.

  • Add the following property, replacing 0022 with your desired umask.


# Set the umask for the agent process
wrapper.umask=0022

If wrapper.umask already exists, modify its value.

  • Save the file.

  • Start the remote agent using its standard startup mechanism (e.g., ./bamboo-agent.sh start or systemctl start bamboo-agent). Ensure the agent is started by the intended user.

This change will ensure that files created by this specific remote agent process (including checked-out code within its working directory) use the specified umask (0022 in the example). Repeat this process for any other remote agents experiencing similar permission issues.
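
To confirm the change took effect, the following added example (not Atlassian code) prints the modes a given umask actually yields for new files and directories, and reads the umask a running process is using. It assumes a Linux host with kernel 4.7 or later for the Umask: field in /proc/<pid>/status; the function names are illustrative and the PID is one you supply.

```shell
#!/bin/sh
# Added example (not Atlassian code). POSIX sh; proc_umask needs Linux 4.7+.

# Print the permission strings a new file and a new directory get under the
# given umask. The body is a subshell, so the caller's umask is unchanged.
modes_for_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1" || { rm -rf "$tmp"; exit 1; }
    : > "$tmp/file"
    mkdir "$tmp/dir"
    # cut drops the ACL/SELinux marker that some ls versions append
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    echo "$f $d"
)

# Print the umask of a running process (for example the Bamboo or agent JVM)
# from the "Umask:" field of /proc/<pid>/status.
proc_umask() {
    awk '$1 == "Umask:" { print $2; found = 1 } END { exit !found }' \
        "/proc/$1/status" 2>/dev/null
}

# Return 0 only if process $1 runs with umask $2 (both octal).
check_proc_umask() {
    actual=$(proc_umask "$1") || {
        echo "cannot read umask of PID $1" >&2
        return 2
    }
    if [ "$((0$actual))" -eq "$((0$2))" ]; then
        echo "PID $1: umask $actual matches"
    else
        echo "PID $1: umask $actual, expected $2"
        return 1
    fi
}

# 0027 and 0022 are the page's values; 0002 is added here for comparison.
for m in 0027 0022 0002; do
    echo "umask $m -> $(modes_for_umask "$m")"
done
```

After restarting the server or agent, run check_proc_umask with the PID of its Java process and the value you configured; running it on each agent also exposes agents that were started with a different effective umask.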


Last updated: April 1, 2025
