From 3956c7f33f349d929fc1ce721d5f18851d5b70fe Mon Sep 17 00:00:00 2001 
From: Michael Prokop
Date: Fri, 24 Mar 2023 17:30:51 +0100
Subject: [PATCH] MT#56935 Docker/testrunner: adjust setup for new safe.directory behavior of git

In more recent versions, Git upstream does an owner check for the top-level directory (see git upstream commit 8959555ce), also see https://github.blog/2022-04-12-git-security-vulnerability-announced/

This change is included in git versions >=2.30.3, >=2.31.2, >=2.34.2, >=2.35.2 + >=2.36.0-rc2, and therefore also affects the Git package v2.35.2-1 as present in current Debian/unstable (as of 2022-04-16).

Because of that libtcap-abi-check-docker fails for us with:

| fatal: detected dubious ownership in repository at '/code'
| To add an exception for this directory, call:
|
| git config --global --add safe.directory /code

Running `git config --add safe.directory ...` as implemented in jenkins-config's git rev 77040321 won't work though, as the resulting .git/config won't be considered for security issues, so the `--global` switch is essential and needs to be used as reported by the error message mentioned above.

Now what was more tricky and required some more debugging:

We pass the environment of the Jenkins job down to the docker environment (via --env-file=...), but we're running the docker container with root user. Therefore the ~/.gitconfig inside the docker environment is expected to be located at /var/lib/jenkins/, while we could only prepare the one at /root/.gitconfig (without hardcoding jenkins UID etc upfront in the docker image, which is clearly an approach to avoid).

So when we're running testrunner inside a docker environment and we are running as user root, let's make sure to set $HOME to /root as one might expect. Then the ~/.gitconfig with the safe.directory can be found as expected.
Change-Id: I81b7764945f80cfb415779c2bc8bcf1fcd339b40 (cherry picked from commit 52e3b6688b60a36d7a668f29f4d60c3651bd288d) --- t/Dockerfile | 4 +++- t/testrunner | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/t/Dockerfile b/t/Dockerfile index 7b6b16c..0295673 100644 --- a/t/Dockerfile +++ b/t/Dockerfile @@ -5,7 +5,7 @@ FROM docker.mgm.sipwise.com/sipwise-bullseye:latest # is updated with the current date. It will force refresh of all # of the base images and things like `apt-get update` won't be using # old cached versions when the Dockerfile is built. -ENV REFRESHED_AT 2021-05-03 +ENV REFRESHED_AT 2023-03-24 RUN apt-get update && \ apt-get install --assume-yes \ @@ -17,6 +17,8 @@ RUN apt-get update && \ RUN echo './t/testrunner' >>/root/.bash_history +RUN git config --global --add safe.directory /code + WORKDIR /code/ ################################################################################ diff --git a/t/testrunner b/t/testrunner index b39367a..40a93ab 100755 --- a/t/testrunner +++ b/t/testrunner @@ -36,6 +36,16 @@ if [ -z "${branch:-}" ] ; then branch="none" fi +# only run inside docker environments as root user +if [ -f /.dockerenv ] && [[ "$(id -u)" == "0" ]] ; then + # the environment passed to docker might claim to have + # /var/lib/jenkins for $HOME, but we might be running + # under user root, so ensure the ~/.gitconfig can be found + # at the appropriate place + echo "Fixing HOME for user root (changing from '${HOME}' to '/root')" + export HOME=/root/ +fi + if [[ "${release}" =~ ^release-mr ]] ; then echo "release detected" short_release=${release%%-update}
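Review bot: the new `RUN git config --global --add safe.directory /code` line in the t/Dockerfile hunk carries no comment explaining why it exists, even though the commit message documents the reasoning in detail; a one-line comment next to it (for example `# git >= 2.35.2 refuses repositories owned by another user; /code is the bind-mounted CI workspace`) keeps that context where the next person editing the Dockerfile will see it. Note also that the exception is written to /root/.gitconfig, so it only takes effect when $HOME is /root at runtime, which is exactly what the t/testrunner hunk enforces: the two changes depend on each other and should land together, as they do in this patch. Since safe.directory switches off git's ownership check for /code, the workspace mounted there has to be trusted content; that is the intended trade-off for this CI setup and is worth stating in the comment.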
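Review bot: in the t/testrunner hunk, `export HOME=/root/` sets HOME with a trailing slash while the echo message two lines above reports the new value as '/root'; git and other tools will then build paths such as `/root//.gitconfig`, which resolves but is inconsistent with the message and with the conventional value, so prefer `export HOME=/root`. The condition also mixes `[ -f /.dockerenv ]` with `[[ "$(id -u)" == "0" ]]` in one `if`; a single `[[ -f /.dockerenv && "$(id -u)" == 0 ]]` is cleaner. Finally, `/.dockerenv` is a Docker-specific marker, so the fix silently does nothing under other container runtimes; if the testrunner is ever executed there, the HOME mismatch described in the commit message will reappear, which may be worth a comment or a fallback check.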