Introduction
Starting with tfc-agent version 1.19.0, the base operating system has been upgraded from Ubuntu 20.04.6 LTS (Focal Fossa) to Ubuntu 24.04.1 LTS (Noble Numbat).
As part of this update, the default permissions on the /home/tfc-agent/ directory have changed. Previously, the directory was accessible by other users. Now, access is restricted, as shown by the following permissions:
drwxr-x--- 1 tfc-agent tfc-agent 4.0K Feb 5 20:23 tfc-agent
This change may cause issues when using the TFC Agent in Terraform Enterprise (TFE) on OpenShift, particularly during terraform plan or terraform apply operations. Users may encounter a permissions error when the agent container is launched.
Problem
Users who build custom tfc-agent Docker images and run them in OpenShift may encounter an error similar to this:
Warning Failed pod/tfe-task-xxxxxx Error: container create failed: time="2025-05-02T12:31:14Z" level=error msg="runc create failed: unable to start container process: exec: \"/home/tfc-agent/bin/tfc-agent\": stat /home/tfc-agent/bin/tfc-agent: permission denied"
Prerequisites
This issue only impacts tfc-agent version 1.19.0 and newer.
Cause
The updated permissions on /home/tfc-agent deny access to any user that is neither tfc-agent nor a member of the tfc-agent group. Since the container runtime does not execute the agent process as such a user, it cannot reach or execute the tfc-agent binary located at /home/tfc-agent/bin/tfc-agent, which produces the "permission denied" error above.
Solution
To fix the issue, update your custom tfc-agent Dockerfile to grant read and execute permissions to others on the /home/tfc-agent directory.
Example Dockerfile:
FROM hashicorp/tfc-agent
USER root
RUN mkdir /.tfc-agent && \
chmod 770 /.tfc-agent && \
chmod o+rx /home/tfc-agent # Grants necessary permissions for container runtime
USER tfc-agent
This change ensures the agent binary can be executed successfully by the container runtime.
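The following shell check is an added example, not part of the original article or the tfc-agent project. It verifies that the "other" permission bits on a directory include read and execute, which is exactly what the chmod o+rx above provides; the image name and UID in the comment are assumptions for illustration.

```shell
# Added example (not from the original article): confirm that "other" users can
# read and traverse a directory. A container process running as a UID that is
# neither tfc-agent nor in the tfc-agent group needs o+rx on /home/tfc-agent to
# reach /home/tfc-agent/bin/tfc-agent.
others_have_rx() {
    # $1: directory to inspect. Returns 0 when the mode has o+r and o+x, 1 otherwise.
    # Columns 8-10 of "ls -ld" output are the "other" bits, e.g. "r-x" or "---".
    mode=$(ls -ld "$1" | cut -c8-10)
    case "$mode" in
        r?x|r?t) return 0 ;;   # "t" covers a sticky-bit directory that is still o+x
        *)       return 1 ;;
    esac
}

# Wrapper that defaults to the agent home directory. Run it inside the built
# image as an unprivileged UID to mimic the runtime, e.g. (names are assumptions):
#   docker run --rm -u 100000:0 my-tfc-agent sh -c '. /tmp/check.sh; check_agent_home'
check_agent_home() {
    dir=${1:-/home/tfc-agent}
    if others_have_rx "$dir"; then
        echo "OK: $dir is readable and traversable by others ($(ls -ld "$dir" | cut -c1-10))"
        return 0
    fi
    echo "FAIL: $dir is not o+rx; add 'chmod o+rx $dir' to the Dockerfile" >&2
    return 1
}
```

A FAIL result before the Dockerfile change and an OK result after it confirms the fix was applied to the image you are shipping.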
Outcome
After applying this change, the TFC Agent container should start successfully, and terraform plan and terraform apply operations will be able to run without permission-related errors.
Additional Information
N/A