Images that have a source with type=git are currently failing to build. By default, this includes the gnocchi-base image.
INFO:kolla.common.utils.gnocchi-base:Step 6/9 : RUN ln -s gnocchi-base-source/* gnocchi && SETUPTOOLS_USE_DISTUTILS=stdlib python3 -m pip --no-cache-dir install --upgrade -c /requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph,s3] && mkdir -p /etc/gnocchi && chown -R gnocchi: /etc/gnocchi
INFO:kolla.common.utils.gnocchi-base: ---> Running in d6b2a86e3d65
INFO:kolla.common.utils.gnocchi-base:Looking in indexes: http://mirror.iad3.inmotion.opendev.org:8080/pypi/simple, https://mirror.iad3.inmotion.opendev.org/wheel/ubuntu-20.04-x86_64
INFO:kolla.common.utils.gnocchi-base:Processing /gnocchi
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): started
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): finished with status 'error'
INFO:kolla.common.utils.gnocchi-base: error: subprocess-exited-with-error
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: × python setup.py egg_info did not run successfully.
INFO:kolla.common.utils.gnocchi-base: │ exit code: 1
INFO:kolla.common.utils.gnocchi-base: ╰─> [30 lines of output]
INFO:kolla.common.utils.gnocchi-base: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/installer.py:27: SetuptoolsDeprecationWarning: setuptools.installer is deprecated. Requirements should be satisfied by a PEP 517 installer.
INFO:kolla.common.utils.gnocchi-base: warnings.warn(
INFO:kolla.common.utils.gnocchi-base: Traceback (most recent call last):
INFO:kolla.common.utils.gnocchi-base: File "<string>", line 2, in <module>
INFO:kolla.common.utils.gnocchi-base: File "<pip-setuptools-caller>", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi/setup.py", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: setuptools.setup(
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/__init__.py", line 155, in setup
INFO:kolla.common.utils.gnocchi-base: return distutils.core.setup(**attrs)
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/core.py", line 108, in setup
INFO:kolla.common.utils.gnocchi-base: _setup_distribution = dist = klass(attrs)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 458, in __init__
INFO:kolla.common.utils.gnocchi-base: _Distribution.__init__(
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/dist.py", line 292, in __init__
INFO:kolla.common.utils.gnocchi-base: self.finalize_options()
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 851, in finalize_options
INFO:kolla.common.utils.gnocchi-base: ep(self)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 872, in _finalize_setup_keywords
INFO:kolla.common.utils.gnocchi-base: ep.load()(self, ep.name, value)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 75, in version_keyword
INFO:kolla.common.utils.gnocchi-base: _assign_version(dist, config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 51, in _assign_version
INFO:kolla.common.utils.gnocchi-base: _version_missing(config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/__init__.py", line 106, in _version_missing
INFO:kolla.common.utils.gnocchi-base: raise LookupError(
INFO:kolla.common.utils.gnocchi-base: LookupError: setuptools-scm was unable to detect version for /gnocchi-base-source/gnocchi-base-archive-4.4.1.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: Make sure you're either building from a fully intact git repository or PyPI tarballs. Most other sources (such as GitHub's tarballs, a git checkout without the .git folder) don't contain the necessary metadata and will not work.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: For example, if you're using pip, instead of https://github.com/user/proj/archive/master.zip use git+https://github.com/user/proj.git#egg=proj
INFO:kolla.common.utils.gnocchi-base: [end of output]
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: note: This error originates from a subprocess, and is likely not a problem with pip.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base:error: metadata-generation-failed
INFO:kolla.common.utils.gnocchi-base:× Encountered error while generating package metadata.
INFO:kolla.common.utils.gnocchi-base:╰─> See above for output.
INFO:kolla.common.utils.gnocchi-base:note: This is an issue with the package mentioned above, not pip.
INFO:kolla.common.utils.gnocchi-base:hint: See above for details.
This is currently affecting Ubuntu builds, which presumably include a backport of the git fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.
This happens because kolla clones the git repository, then creates a tarball from it, preserving the ownership of the user running kolla-build on the files in the tarball. When we ADD this tarball into the image, Docker extracts it and preserves ownership of the files. The build runs as the root user, which typically is different than the user running kolla-build. Hence we hit CVE-2022-24765.
Related PBR bug: https://bugs.launchpad.net/pbr/+bug/1968877
Reviewed: https://review.opendev.org/c/openstack/kolla/+/837710
Committed: https://opendev.org/openstack/kolla/commit/c4fda7baa3ffc36b555c32a34a00042b6035b917
Submitter: "Zuul (22348)"
Branch: master
commit c4fda7baa3ffc36b555c32a34a00042b6035b917
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200
Fix image builds with sources using a type=git
A recent change to git [1] introduced a new behaviour to work around a
CVE [2] that disallows any git operations in directories not owned by
the current user.
This may seem unrelated to installation, but it plays havoc with PBR,
which calls out to git to get revision history. So if you are
"pip install"-ing from a source tree you don't own, the PBR git calls
in that tree now fail and the install blows up.
When using type=source, kolla clones the repository, then creates a
tarball from it, which is ADDed to the image. The ownership of the files
in the tarball is preserved, which in this case will be the user running
kolla-build. Since the Docker build runs as root, we hit the PBR issue.
Our solution is to make sure that any tarball we generate from git
sources has all files owned by root:root so that the root user is able
to use git commands when building container images.
[1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.
Closes-Bug: #1969096
Related-Bug: #1968877
Co-Authored-By: Mark Goddard <email address hidden>
Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
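
The approach the commit message describes (normalising tarball ownership to root:root so git's ownership check passes inside a root-run build) can be sketched as follows. This is an added example, not kolla's actual code: the function names, the sample directory layout and the build-user uid 1000 are assumptions made for illustration.

```python
import os
import tarfile
import tempfile


def make_tarball(src_dir, dest, uid, uname):
    """Archive src_dir (including .git), forcing every entry to uid:uid / uname."""
    def set_owner(member):
        # Ownership stored in the archive is what Docker's ADD restores on extraction.
        member.uid = member.gid = uid
        member.uname = member.gname = uname
        return member

    with tarfile.open(dest, "w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir), filter=set_owner)


def foreign_owned_members(tar_path, build_uid=0):
    """List entries not owned by the user the image build runs as (root by default).

    git's check for CVE-2022-24765 looks at the repository directory's owner;
    auditing every entry is stricter and catches partially rewritten archives.
    """
    with tarfile.open(tar_path) as tar:
        return [m.name for m in tar.getmembers()
                if m.uid != build_uid or m.gid != build_uid]


def demo():
    """Constructed sample: a fake git checkout archived before and after the fix."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "gnocchi-base-archive")
    os.makedirs(os.path.join(src, ".git"))
    for rel in (os.path.join(".git", "HEAD"), "setup.py"):
        with open(os.path.join(src, rel), "w") as fh:
            fh.write("constructed sample\n")

    before = os.path.join(work, "before.tar")
    after = os.path.join(work, "after.tar")
    # "before": ownership of the (assumed) uid 1000 user who ran the build tool.
    make_tarball(src, before, 1000, "builder")
    # "after": everything owned by root:root, matching the root-run Docker build.
    make_tarball(src, after, 0, "root")
    return foreign_owned_members(before), foreign_owned_members(after)


if __name__ == "__main__":
    before, after = demo()
    print("foreign-owned before fix:", before)
    print("foreign-owned after fix:", after)
```

Running `foreign_owned_members` against a generated source tarball before it is ADDed to an image is a cheap pre-build check for this failure mode.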