MT#56935 Docker/testrunner: adjust setup for new safe.directory behavior of git

In more recent versions, Git upstream does an owner check for the
top-level directory (see git upstream commit 8959555ce), also see
https://github.blog/2022-04-12-git-security-vulnerability-announced/

This change is included in git versions >=2.30.3, >=2.31.2, >=2.34.2,
>=2.35.2 + >=2.36.0-rc2, and therefore also affects the Git package
v2.35.2-1 as present in current Debian/unstable (as of 2022-04-16).

Because of that, libtcap-abi-check-docker fails for us with:

| fatal: detected dubious ownership in repository at '/code'
| To add an exception for this directory, call:
|
|       git config --global --add safe.directory /code

Running `git config --add safe.directory ...` as implemented in
jenkins-config's git rev 77040321 won't work though, as the resulting
.git/config won't be considered for security issues, so the `--global`
switch is essential and needs to be used as reported by the error
message mentioned above.

Now what was more tricky and required some more debugging:

We pass the environment of the Jenkins job down to the docker
environment (via --env-file=...), but we're running the docker container
as the root user. Therefore the ~/.gitconfig inside the docker environment
is expected to be located at /var/lib/jenkins/, while we could only
prepare the one at /root/.gitconfig (without hardcoding the jenkins UID etc.
upfront in the docker image, which is clearly an approach to avoid).

So when we're running testrunner inside a docker environment and we are
running as user root, let's make sure to set $HOME to /root as one might
expect. Then the ~/.gitconfig with the safe.directory can be found as
expected.

Change-Id: I81b7764945f80cfb415779c2bc8bcf1fcd339b40
mr11.4.1
Michael Prokop 2 years ago
parent 6e4adae14d
commit 52e3b6688b
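Added example (not code from the commit or the Sipwise project): a small shell preflight that mirrors the two halves of this fix, resolving HOME to /root for uid 0 inside a container and checking that the global gitconfig under that HOME, not the repository's own .git/config, carries the safe.directory entry. The function names, the temp-dir layout and the awk stand-in for `git config --get-all safe.directory` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the commit: emulate the testrunner's HOME fix
# and check whether the resulting global gitconfig whitelists a repository.
# Inputs are parameters so it runs outside docker and without git; the
# awk parser stands in for `git config --global --get-all safe.directory`.

# resolve_home <uid> <container-marker-file> <inherited-home>
# Prints /root when running as uid 0 inside a container (marker present),
# otherwise the inherited HOME, mirroring the testrunner change.
resolve_home() {
    uid=$1; marker=$2; inherited=$3
    if [ -f "$marker" ] && [ "$uid" = "0" ]; then
        echo /root
    else
        echo "$inherited"
    fi
}

# safe_dir_allows <gitconfig-file> <repo-path>
# Exit 0 if a "directory = <repo-path>" (or "*") entry sits inside a
# [safe] section of the file, 1 otherwise. Only a file outside the
# repository matters: git ignores safe.directory set in the repo's own
# .git/config, since that file lives in the untrusted directory itself.
safe_dir_allows() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insafe = ($0 ~ /^[ \t]*\[safe\][ \t]*$/); next }
        insafe && /^[ \t]*directory[ \t]*=/ {
            sub(/^[ \t]*directory[ \t]*=[ \t]*/, "")
            if ($0 == want || $0 == "*") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: container marker plus a /root-style gitconfig in a
# temp dir. Returns 0 when HOME resolves to /root and /code is allowed.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/.dockerenv"
    mkdir -p "$tmp/root"
    printf '[safe]\n\tdirectory = /code\n' > "$tmp/root/.gitconfig"
    home=$(resolve_home 0 "$tmp/.dockerenv" /var/lib/jenkins)
    [ "$home" = /root ] || return 1
    # the file git actually reads is $HOME/.gitconfig, here $tmp/root
    safe_dir_allows "$tmp/root/.gitconfig" /code
}
```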

@ -5,7 +5,7 @@ FROM docker.mgm.sipwise.com/sipwise-bullseye:latest
# is updated with the current date. It will force refresh of all # is updated with the current date. It will force refresh of all
# of the base images and things like `apt-get update` won't be using # of the base images and things like `apt-get update` won't be using
# old cached versions when the Dockerfile is built. # old cached versions when the Dockerfile is built.
ENV REFRESHED_AT 2021-05-03 ENV REFRESHED_AT 2023-03-24
RUN apt-get update && \ RUN apt-get update && \
apt-get install --assume-yes \ apt-get install --assume-yes \
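Review bot: the only change in this hunk is REFRESHED_AT moving to 2023-03-24, while the commit message dates the git behaviour change to 2022-04-16; a one-line mention in the message that the date bump is there to force a rebuild of the base image (so the new RUN layer below and a current git package land) would explain the mismatch to the next reader.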
@ -17,6 +17,8 @@ RUN apt-get update && \
RUN echo './t/testrunner' >>/root/.bash_history RUN echo './t/testrunner' >>/root/.bash_history
RUN git config --global --add safe.directory /code
WORKDIR /code/ WORKDIR /code/
################################################################################ ################################################################################
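Review bot: `RUN git config --global --add safe.directory /code` deserves a comment above it, since the Dockerfile does not say why the global file is needed: git's dubious-ownership check ignores safe.directory in the repository's own .git/config, and this line writes to /root/.gitconfig, which is exactly why the testrunner hunk has to force HOME=/root at runtime. Something like `# git >= 2.35.2 refuses repos owned by another user; the exception must live in the *global* config` would tie the two hunks together.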

@ -36,6 +36,16 @@ if [ -z "${branch:-}" ] ; then
branch="none" branch="none"
fi fi
# only run inside docker environments as root user
if [ -f /.dockerenv ] && [[ "$(id -u)" == "0" ]] ; then
# the environment passed to docker might claim to have
# /var/lib/jenkins for $HOME, but we might be running
# under user root, so ensure the ~/.gitconfig can be found
# at the appropriate place
echo "Fixing HOME for user root (changing from '${HOME}' to '/root')"
export HOME=/root/
fi
if [[ "${release}" =~ ^release-mr ]] ; then if [[ "${release}" =~ ^release-mr ]] ; then
echo "release detected" echo "release detected"
short_release=${release%%-update} short_release=${release%%-update}
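Review bot: `export HOME=/root/` sets HOME with a trailing slash while the log line just above says it is being changed to '/root'; use `export HOME=/root` so the message matches and anything that builds paths as "$HOME/.gitconfig" does not produce a doubled slash. Minor style point in the same condition: `[ -f /.dockerenv ]` is mixed with `[[ "$(id -u)" == "0" ]]`, whereas the surrounding script (the `release` check below) uses `[[ ... ]]` throughout.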
