kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

v3 -> v4 exechook-command permission error #807

Closed mimseong closed 9 months ago

mimseong commented 10 months ago

Hello.

I'm in the process of raising my version from 3 to 4 and have noticed a permission error. Everything else works fine, but when I run a shell script with exechook-command it says permission denied. I thought group-write would work like change-permissions=0744. So I'm wondering if there's a bug or I'm misusing git-sync.

error log

{"logger":"exechook","ts":"2023-09-18 10:11:31.178881","caller":{"file":"exechook.go","line":72},"level":5,"msg":"running command","cwd":"/tmp/git/.worktrees/34318f5cdfbfbb9213c5eddc14ce7798a9736c9d","cmd":"./hello.sh "}
{"logger":"exechook","ts":"2023-09-18 10:11:31.181389","caller":{"file":"hook.go","line":143},"msg":"hook failed","error":"Run(./hello.sh ): fork/exec ./hello.sh: permission denied: { stdout: \"\", stderr: \"\" }","hash":"34318f5cdfbfbb9213c5eddc14ce7798a9736c9d","retry":"3s"}

v3.3.4, This works well.

docker run \
    -v $DIR:/tmp/git \
    k8s.gcr.io/git-sync/git-sync:v3.3.4 \
        --repo=https://github.com/mimseong/test-git-sync \
        --branch=develop \
        --root=/tmp/git \
        --dest=root \
        --wait=10 \
        -v=6 \
        --change-permissions=0744 \
        --sync-hook-command=./hello.sh

v4.0.0, This isn't working

docker run \
    -v $DIR:/tmp/git \
    registry.k8s.io/git-sync/git-sync:v4.0.0 \
        --repo=https://github.com/mimseong/test-git-sync \
        --ref=develop \
        --root=/tmp/git \
        --link=root \
        --period=10s \
        --verbose=6 \
        --group-write \
        --exechook-command=./hello.sh

thockin commented 10 months ago

First, thank you for a complete repro, including a public repo.

This does seem to be a use-case that is not covered by --group-write that your use of --change-permissions allowed. In the repo, the hello.sh script is not executable. Setting --change-permissions to 0744 is unusual because it sets the u+x bit but no other x bits. So the script became executable. This is different from how most people tried to use that flag (which was to change group permissions - hence it became --group-write).

https://github.com/kubernetes/git-sync/pull/738

So the question then is how best to fix this. The easiest and most correct fix would be for you to make the file executable and for me to document this as a change. I suspect there's not a lot of people doing this. The more comprehensive fix would be to bring back some form of change-permissions flag. I didn't much like that old flag because it was too broad, but it did cover this specific case.

I'm leaning towards "please change your repo", but would like to hear counter-arguments. I'll have a think about how to expose this.

mimseong commented 10 months ago

Thank you for letting me know. I want to include the code and shell script in the repository, and perform post-processing with a shell script after syncing with the repository. It seems like '--group-write' won't work for this use case, so I'll explore other methods.

thockin commented 10 months ago

Fundamentally you are trying to execute a file (your script) which is not executable. You can make it executable and check it in. Then git-sync should work.
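
What "make it executable and check it in" looks like on the git side, as an added example that is not part of the original thread or the git-sync project: git records the executable bit as file mode 100755, so a check against the index can catch a non-executable hook script before git-sync reports `fork/exec ./hello.sh: permission denied`. The repo here is constructed and the function names are hypothetical; `hello.sh` is the script name from the report.

```shell
#!/bin/sh
# Added example. The repo is constructed; hello.sh is the script name from the issue.

# Mode git has recorded for a path: 100644 (plain file) or 100755 (executable).
tracked_mode() {    # usage: tracked_mode <repo> <path>
    git -C "$1" ls-files -s -- "$2" | cut -d' ' -f1
}

# Pre-merge check: fail unless the hook script is tracked as executable.
check_hook() {      # usage: check_hook <repo> <path>
    mode=$(tracked_mode "$1" "$2")
    [ "$mode" = 100755 ] && return 0
    echo "$2 is tracked as '${mode:-missing}'; exechook needs 100755" >&2
    return 1
}

# The fix from the thread: set the executable bit in the index and commit it.
mark_executable() { # usage: mark_executable <repo> <path>
    git -C "$1" update-index --chmod=+x -- "$2" &&
    git -C "$1" commit -q -m "make $2 executable"
}

# Constructed repo reproducing the report: hello.sh committed without +x.
make_demo_repo() {  # usage: make_demo_repo <new-dir>
    git init -q "$1" &&
    git -C "$1" config user.email demo@example.invalid &&
    git -C "$1" config user.name demo &&
    printf '#!/bin/sh\necho hello\n' > "$1/hello.sh" &&
    git -C "$1" add hello.sh &&
    git -C "$1" commit -q -m "add hello.sh"
}

# Run with "demo" as the first argument to see both states.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_demo_repo "$tmp/src"
    check_hook "$tmp/src" hello.sh || echo "before fix: rejected"
    mark_executable "$tmp/src" hello.sh
    check_hook "$tmp/src" hello.sh && echo "after fix: accepted"
    rm -rf "$tmp"
fi
```

Because the mode travels with the commit, only the one script becomes executable in every checkout, rather than every file in the worktree as with a blanket `--change-permissions=0744`.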

thockin commented 9 months ago

Did this solution work for you?

mimseong commented 9 months ago

Thanks a lot! I've converted it to 'hello.out' as an executable, and it works well. Now I'll update it to version 4. 👍