Closed michaeljmarshall closed 2 years ago
Here's the root issue:
fatal: unsafe repository ('/workdir' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /workdir
Figuring out how to mitigate that now.
Relevant output from the tests:
/:
total 76
drwxr-xr-x 1 root root 4096 May 31 23:31 .
drwxr-xr-x 1 root root 4096 May 31 23:31 ..
-rwxr-xr-x 1 root root 0 May 31 23:30 .dockerenv
-rw-r--r-- 1 root root 2575 May 27 13:00 7.77.0-r0
drwxr-xr-x 1 root root 4096 May 27 13:00 bin
drwxr-xr-x 5 root root 340 May 31 23:30 dev
drwxr-xr-x 1 root root 4096 May 31 23:30 etc
drwxr-xr-x 2 root root 4096 Apr 4 16:06 home
drwxr-xr-x 1 root root 4096 May 27 13:00 lib
drwxr-xr-x 2 root root 4096 May 27 13:00 lib64
drwxr-xr-x 5 root root 4096 Apr 4 16:06 media
drwxr-xr-x 2 root root 4096 Apr 4 16:06 mnt
drwxr-xr-x 2 root root 4096 Apr 4 16:06 opt
dr-xr-xr-x 225 root root 0 May 31 23:30 proc
drwx------ 1 root root 4096 May 31 23:31 root
drwxr-xr-x 2 root root 4096 Apr 4 16:06 run
drwxr-xr-x 2 root root 4096 Apr 4 16:06 sbin
drwxr-xr-x 2 root root 4096 Apr 4 16:06 srv
dr-xr-xr-x 13 root root 0 May 31 23:22 sys
drwxrwxrwt 2 root root 4096 Apr 4 16:06 tmp
drwxr-xr-x 1 root root 4096 May 27 13:00 usr
drwxr-xr-x 1 root root 4096 May 27 13:00 var
drwxrwxr-x 8 1000 1000 4096 May 31 23:30 workdir
/workdir:
total 128
drwxrwxr-x 8 1000 1000 4096 May 31 23:30 .
drwxr-xr-x 1 root root 4096 May 31 23:31 ..
drwxrwxr-x 2 1000 1000 4096 May 31 23:30 .circleci
drwxrwxr-x 8 1000 1000 4096 May 31 23:30 .git
-rw-rw-r-- 1 1000 1000 294 May 31 23:30 .gitignore
-rw-rw-r-- 1 1000 1000 564 May 31 23:30 .yamllint.yaml
-rw-rw-r-- 1 1000 1000 11346 May 31 23:30 LICENSE
-rw-rw-r-- 1 1000 1000 30075 May 31 23:30 README.md
-rw-rw-r-- 1 1000 1000 3327 May 31 23:30 RELEASE.md
drwxrwxr-x 2 1000 1000 4096 May 31 23:30 assets
-rw-rw-r-- 1 1000 1000 4753 May 31 23:30 aws-customer-docs.md
drwxrwxr-x 3 1000 1000 4096 May 31 23:30 examples
drwxrwxr-x 3 1000 1000 4096 May 31 23:30 helm-chart-sources
-rw-rw-r-- 1 1000 1000 29127 May 31 23:30 index.yaml
drwxrwxr-x 2 1000 1000 4096 May 31 23:30 tests
/workdir
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
v3.9.0+g7ceeda6
fatal: unsafe repository ('/workdir' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /workdir
Removing ct container...
Done!
Exited with code exit status 128
CircleCI received exit code 128
The docker image is running as root, but the git repo is owned by uid 1000.
It's also possible to make this generic. Instead of hard-coding 1000, Unix shells usually contain a $UID environment variable for the numeric user id. (id -u also returns the UID.)
Motivation
Builds started failing recently with a message
Error: Error installing charts: Error identifying charts to process: Must be in a git repository
Based on some quick searching, it looks like the root cause is related to a git version bump that simultaneously resolves CVE-2022-24765 and breaks our build.
Solution
I chose to use the same UID for both creating the git repo and modifying it. The checkout command uses UID 1000, so the ct docker image must also use that UID.
Rejected Alternative
I could have followed git's advice:
However, I opted to use the same UID since that also gets us a non-root test container.
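A pre-flight check for the mismatch discussed in this thread, as an added example that is not code from the pull request or the project: it compares the checkout's owner with the UID git will run as and prints the `docker run --user` option that aligns the two. The function names are hypothetical, and the ownership test is a simplified stand-in for git's own check.

```shell
#!/bin/sh
# Added example. All function names here are hypothetical.
# Usage (e.g. in a CI step):  preflight /workdir 0

# Print the numeric owner UID of a path (GNU stat first, BSD stat as fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Print the numeric owner GID of a path.
owner_gid() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Return 0 when UID $2 owns both the worktree $1 and its .git entry,
# 1 on a mismatch, 2 when $1 has no .git at all.
# Simplified stand-in for git's ownership check, not git's own logic.
owned_by() {
    dir=$1 uid=$2
    [ -e "$dir/.git" ] || { echo "no .git in $dir" >&2; return 2; }
    [ "$(owner_uid "$dir")" = "$uid" ] && [ "$(owner_uid "$dir/.git")" = "$uid" ]
}

# Print the docker run option that makes the container process
# run as the owner of the checkout.
docker_user_opt() {
    printf '%s %s:%s\n' --user "$(owner_uid "$1")" "$(owner_gid "$1")"
}

# Report whether running git in $1 as UID $2 (default: current user)
# would hit the mismatch; on a mismatch, print the matching docker option.
preflight() {
    dir=$1 uid=${2:-$(id -u)}
    if owned_by "$dir" "$uid"; then
        echo "ok: uid $uid owns $dir"
    else
        rc=$?
        [ "$rc" -eq 2 ] && return 2
        echo "mismatch: $dir is owned by uid $(owner_uid "$dir"), git would run as uid $uid"
        echo "run the container with: $(docker_user_opt "$dir")"
        return 1
    fi
}
```

With the listing above, `preflight /workdir 0` reports the mismatch and suggests `--user 1000:1000`, which is the same-UID fix the pull request chose over a `safe.directory` exception.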