MT#56935 Docker/testrunner: adjust setup for new safe.directory behavior of git

In more recent versions, Git upstream does an owner check for the
top-level directory (see git upstream commit 8959555ce), also see
https://github.blog/2022-04-12-git-security-vulnerability-announced/

This change is included in git versions >=2.30.3, >=2.31.2, >=2.34.2,
>=2.35.2 + >=2.36.0-rc2, and therefore also affects the Git package
v2.35.2-1 as present in current Debian/unstable (as of 2022-04-16).

Because of that, libtcap-abi-check-docker fails for us with:

| fatal: detected dubious ownership in repository at '/code'
| To add an exception for this directory, call:
|
|       git config --global --add safe.directory /code

Running `git config --add safe.directory ...` as implemented in
jenkins-config's git rev 77040321 won't work though, as the resulting
.git/config won't be considered for security issues, so the `--global`
switch is essential and needs to be used as reported by the error
message mentioned above.

Now what was more tricky and required some more debugging:

We pass the environment of the Jenkins job down to the docker
environment (via --env-file=...), but we're running the docker container
with root user. Therefore the ~/.gitconfig inside the docker environment
is expected to be located at /var/lib/jenkins/, while we could only
prepare the one at /root/.gitconfig (without hardcoding the jenkins UID etc.
upfront in the docker image, which is clearly an approach to avoid).

So when we're running testrunner inside a docker environment and we are
running as user root, let's make sure to set $HOME to /root as one might
expect. Then the ~/.gitconfig with the safe.directory can be found as
expected.

Change-Id: I81b7764945f80cfb415779c2bc8bcf1fcd339b40
(cherry picked from commit 52e3b66)
(cherry picked from commit 3956c7f)
mika authored and linuxmaniac committed Jul 26, 2023
1 parent 7bb1f2e commit 234ee4d
Showing 2 changed files with 13 additions and 1 deletion.
4 changes: 3 additions & 1 deletion t/Dockerfile
@@ -5,7 +5,7 @@ FROM docker.mgm.sipwise.com/sipwise-bullseye:latest
# is updated with the current date. It will force refresh of all
# of the base images and things like `apt-get update` won't be using
# old cached versions when the Dockerfile is built.
ENV REFRESHED_AT 2021-05-03
ENV REFRESHED_AT 2023-03-24

RUN apt-get update && \
apt-get install --assume-yes \
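Review bot: the `ENV REFRESHED_AT 2023-03-24` bump is the only change in this hunk and is what invalidates the build cache so the new `RUN git config` layer further down is actually built rather than served from an old cached image; as the comment above it says, the value is a cache key and must be bumped again whenever this Dockerfile changes.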
@@ -17,6 +17,8 @@ RUN apt-get update && \

RUN echo './t/testrunner' >>/root/.bash_history

RUN git config --global --add safe.directory /code

WORKDIR /code/

################################################################################
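Review bot: `safe.directory /code` is hardcoded to the same path as `WORKDIR /code/` two lines below, so if the bind-mount point ever changes both lines need updating; a single ARG for the path would keep them in sync. Because `--global` writes to /root/.gitconfig, the exception is only found when git runs with HOME=/root, which is exactly what the t/testrunner change in this commit arranges. Keep the explicit path rather than widening it to `*`, since a wildcard would disable the ownership check for every repository in the container.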
10 changes: 10 additions & 0 deletions t/testrunner
@@ -36,6 +36,16 @@ if [ -z "${branch:-}" ] ; then
branch="none"
fi

# only run inside docker environments as root user
if [ -f /.dockerenv ] && [[ "$(id -u)" == "0" ]] ; then
# the environment passed to docker might claim to have
# /var/lib/jenkins for $HOME, but we might be running
# under user root, so ensure the ~/.gitconfig can be found
# at the appropriate place
echo "Fixing HOME for user root (changing from '${HOME}' to '/root')"
export HOME=/root/
fi

if [[ "${release}" =~ ^release-mr ]] ; then
echo "release detected"
short_release=${release%%-update}
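Review bot: `export HOME=/root/` sets a trailing slash while the log line just above reports the new value as '/root'; drop the slash so the message and the variable agree and `$HOME/.gitconfig` resolves to /root/.gitconfig without a doubled separator. Minor style point: the condition mixes `[ -f /.dockerenv ]` with `[[ "$(id -u)" == "0" ]]`; writing it as `[[ -f /.dockerenv && "$(id -u)" == 0 ]]` keeps it uniform with the `[[ ]]` tests the script already uses below.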

0 comments on commit 234ee4d