[BUG]: VMSS agents go offline due to lack of adequate permissions for AzDevOps user for agent directory.

[sicil1ano]

What happened?

Like I reported in this issue, VMSS agents go offline due to lack of adequate permissions not granted to the AzDevOps user created by the VMSS extension and used to interact with Azure DevOps.
To be specific, permissions are missing to let AzDevOps user properly use the agent directory.
This can be seen by running ./run.sh --diagnostics command (I wish I discovered it before). This is the output:

adminuser@vmss-agents-142:/agent$ ./run.sh --diagnostics
Unhandled exception. System.UnauthorizedAccessException: Access to the path '/agent/_diag/Agent_20240604-105127-utc.log' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
   at Microsoft.VisualStudio.Services.Agent.HostTraceListener.CreatePageLogWriter() in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostTraceListener.cs:line 178
   at Microsoft.VisualStudio.Services.Agent.HostTraceListener..ctor(String logFileDirectory, String logFilePrefix, Int32 pageSizeLimit, Int32 retentionDays) in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostTraceListener.cs:line 50
   at Microsoft.VisualStudio.Services.Agent.HostContext..ctor(HostType hostType, String logFile) in /mnt/vss/_work/1/s/src/Microsoft.VisualStudio.Services.Agent/HostContext.cs:line 135
   at Microsoft.VisualStudio.Services.Agent.Listener.Program.Main(String[] args) in /mnt/vss/_work/1/s/src/Agent.Listener/Program.cs:line 28
./run.sh: line 68:  3425 Aborted                 (core dumped) "$DIR"/bin/Agent.Listener run $*

Once I solved the permissions for agent/_diag folder, similar problems happened for other folders.
So, to solve the problem, I executed the sudo chmod -R a+rwx agent command (be careful: it assigns read/write/execute permissions to ALL users recursively) and the agent finally worked properly.
I guess we need a more proper solution, but AzDevOps needs proper access to agent directory and its subfolders.

Versions

VMSS extension 1.23 using agent 3.239.1 / Ubuntu Server 22.04

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

No response

Version controll system

No response

Relevant log output