Fix git --add safe.directory command in Dockerfile #996
Merged
Conversation
Upgrading kamal from `v1.8.3` to `v1.9.0` broke my [kamal playground](https://labs.iximiuz.com/playgrounds/kamal):

```
laborant@dev-machine:~/svc-a$ kamal setup
INFO [34d0def6] Running /usr/bin/env mkdir -p .kamal on 172.16.0.3
INFO [c34cf833] Running /usr/bin/env mkdir -p .kamal on 172.16.0.4
INFO [34d0def6] Finished in 0.147 seconds with exit status 0 (successful).
INFO [c34cf833] Finished in 0.204 seconds with exit status 0 (successful).
Acquiring the deploy lock...
Ensure Docker is installed...
INFO [413ee426] Running docker -v on 172.16.0.4
INFO [f1acacba] Running docker -v on 172.16.0.3
INFO [413ee426] Finished in 0.036 seconds with exit status 0 (successful).
INFO [f1acacba] Finished in 0.076 seconds with exit status 0 (successful).
Log into image registry...
INFO [94cff492] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on localhost
INFO [94cff492] Finished in 0.077 seconds with exit status 0 (successful).
INFO [605c535f] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on 172.16.0.4
INFO [6002b598] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on 172.16.0.3
INFO [605c535f] Finished in 0.083 seconds with exit status 0 (successful).
INFO [6002b598] Finished in 0.083 seconds with exit status 0 (successful).
Build and push app image...
INFO [9d172b1e] Running docker --version && docker buildx version on localhost
INFO [9d172b1e] Finished in 0.059 seconds with exit status 0 (successful).
INFO Cloning repo into build directory `/tmp/kamal-clones/svc-a-2f65914456263/workdir/`...
INFO [26fb1bd3] Running /usr/bin/env git -C /tmp/kamal-clones/svc-a-2f65914456263 clone /workdir --recurse-submodules on localhost
ERROR Error preparing clone: Failed to clone repo: git exit status: 32768
git stdout: Nothing written
git stderr: Cloning into 'workdir'...
fatal: detected dubious ownership in repository at '/workdir/.git'
To add an exception for this directory, call:

	git config --global --add safe.directory /workdir/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
, deleting and retrying...
INFO Cloning repo into build directory `/tmp/kamal-clones/svc-a-2f65914456263/workdir/`...
INFO [fd4aac0c] Running /usr/bin/env git -C /tmp/kamal-clones/svc-a-2f65914456263 clone /workdir --recurse-submodules on localhost
Finished all in 0.3 seconds
Releasing the deploy lock...
Finished all in 0.6 seconds
ERROR (SSHKit::Command::Failed): git exit status: 32768
git stdout: Nothing written
git stderr: Cloning into 'workdir'...
fatal: detected dubious ownership in repository at '/workdir/.git'
To add an exception for this directory, call:

	git config --global --add safe.directory /workdir/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
laborant@dev-machine:~/svc-a$ kamal version
2.0.0
```

I checked the [v1.8.3...v1.9.0](basecamp/kamal@v1.8.3...v1.9.0) diff, and couldn't find anything even remotely related to the above error.

Then I checked the `git` versions in kamal `v1.8.3` and `v1.9.0` images:

```
docker run -it --rm --entrypoint sh ghcr.io/basecamp/kamal:v1.8.3
/workdir # git --version
git version 2.38.5
```

vs.

```
docker run -it --rm --entrypoint sh ghcr.io/basecamp/kamal:v2.0.0
/workdir # git --version
git version 2.39.5
```

Apparently, something changed in between the `2.38.5` and `2.39.5` git releases (likely yet another CVE fix), and the `git config --global --add safe.directory /workdir` stopped working.

Here is the mitigation I currently use, but it's a bit awkward to do it:

```
docker build -t ghcr.io/basecamp/kamal:v2.0.0 - <<EOF
FROM ghcr.io/basecamp/kamal:v2.0.0
RUN git config --global --add safe.directory /workdir/.git
EOF
```

Hence, this PR.
To repro, you can start a [kamal playground](https://labs.iximiuz.com/playgrounds/kamal), then `docker pull ghcr.io/basecamp/kamal:v2.0.0` to override my patched image, and `cd svc-a && kamal setup`.
jeremy reviewed Sep 28, 2024
Odd one. The parent directory should certainly work. Curious: are there any other ownership mismatches in the workdir you're mounting vs its .git subdir?
Could sidestep the issue with a blanket opt-out as well, considering we aren't exposed to the vuln this protects against.
Co-authored-by: Jeremy Daer <[email protected]>
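The PR description and the review comment above both turn on what `safe.directory` actually covers: the path git names in its "dubious ownership" message (`/workdir/.git`, not the parent `/workdir`), or the blanket `*` opt-out. The script below is an added example, not code from the kamal project or this PR: it builds a throwaway gitconfig (constructed for the demo, with only a `[safe]` section so appending works), then checks a path against the `safe.directory` entries using the two forms this page mentions, exact match and `*`, without needing git installed.

```shell
#!/bin/sh
# Added example: emulate the safe.directory lookup behind git's
# "detected dubious ownership" error. Exact-path and "*" matching only
# (the two forms discussed on this page); the config file is constructed.

CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
[safe]
	directory = /workdir
EOF

# safe_directory_list FILE: print every safe.directory value, one per line.
safe_directory_list() {
  awk '
    /^[[:space:]]*\[/ { insafe = ($0 ~ /^[[:space:]]*\[safe\]/); next }
    insafe && $0 ~ /^[[:space:]]*directory[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print
    }' "$1"
}

# trusted FILE PATH: exit 0 if PATH is listed exactly or "*" opts out of the check.
trusted() {
  safe_directory_list "$1" | {
    while IFS= read -r entry; do
      [ "$entry" = "*" ] || [ "$entry" = "$2" ] && exit 0
    done
    exit 1
  }
}

# add_safe_directory FILE PATH: the effect of `git config --global --add
# safe.directory PATH` on this demo file (assumes [safe] is the last section).
add_safe_directory() {
  printf '\tdirectory = %s\n' "$2" >> "$1"
}

# Before the PR's Dockerfile fix: only the parent directory is trusted, so the
# path git reports for the local clone is not covered.
trusted "$CFG" /workdir && echo "/workdir: trusted"
trusted "$CFG" /workdir/.git || echo "/workdir/.git: NOT trusted (the error in the PR)"

# After the fix: the exact path from the error message is added.
add_safe_directory "$CFG" /workdir/.git
trusted "$CFG" /workdir/.git && echo "/workdir/.git: trusted after adding it"
```

Adding `*` instead of a second path is the blanket opt-out the review comment mentions; it makes `trusted` succeed for every path.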