MT#56935 Docker/testrunner: adjust setup for new safe.directory behavior of git

In more recent versions, Git upstream does an owner check for the top-level directory (see git upstream commit 8959555ce), also see https://github.blog/2022-04-12-git-security-vulnerability-announced/ This change is included in git versions >=2.30.3, >=2.31.2, >=2.34.2, >=2.35.2 + >=2.36.0-rc2, and therefore also affects the Git package v2.35.2-1 as present in current Debian/unstable (as of 2022-04-16). Because of that libtcap-abi-check-docker fails for us with: | fatal: detected dubious ownership in repository at '/code' | To add an exception for this directory, call: | | git config --global --add safe.directory /code Running `git config --add safe.directory ...` as implemented in jenkins-config's git rev 77040321 won't work though, as the resulting .git/config won't be considered for security issues, so the `--global` switch is essential and needs to be used as reported by the error message mentioned above. Now what was more tricky and required some more debugging: We pass the environment of the Jenkins job down to the docker environment (via --env-file=...), but we're running the docker container with root user. Therefore the ~/.gitconfig inside the docker environment is expected to be located at /var/lib/jenkins/, while we could only prepare the one at /root/.gitconfig (without hardcoding jenkins UID etc upfront in the docker image, which is clearly an approach to avoid). So when we're running testrunner inside a docker environment and we are running as user root, let's make sure to set $HOME to /root as one might expect. Then the ~/.gitconfig with the safe.directory can be found as expected. Change-Id: I81b7764945f80cfb415779c2bc8bcf1fcd339b40 (cherry picked from commit 52e3b6688b)
3 years ago · 3956c7f33f
parent 752e098853
commit 3956c7f33f
2 changed files with 13 additions and 1 deletions
--- a/t/Dockerfile
+++ b/t/Dockerfile
@ -5,7 +5,7 @@ FROM docker.mgm.sipwise.com/sipwise-bullseye:latest
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apt-get update` won't be using
 # old cached versions when the Dockerfile is built.
-ENV REFRESHED_AT 2021-05-03
+ENV REFRESHED_AT 2023-03-24

 RUN apt-get update && \
    apt-get install --assume-yes \
@ -17,6 +17,8 @@ RUN apt-get update && \

 RUN echo './t/testrunner' >>/root/.bash_history

+RUN git config --global --add safe.directory /code
+
 WORKDIR /code/

 ################################################################################
--- a/t/testrunner
+++ b/t/testrunner
@ -36,6 +36,16 @@ if [ -z "${branch:-}" ] ; then
  branch="none"
 fi

+# only run inside docker environments as root user
+if [ -f /.dockerenv ] && [[ "$(id -u)" == "0" ]] ; then
+  # the environment passed to docker might claim to have
+  # /var/lib/jenkins for $HOME, but we might be running
+  # under user root, so ensure the ~/.gitconfig can be found
+  # at the appropriate place
+  echo "Fixing HOME for user root (changing from '${HOME}' to '/root')"
+  export HOME=/root/
+fi
+
 if [[ "${release}" =~ ^release-mr ]] ; then
  echo "release detected"
  short_release=${release%%-update}