Images with git sources fail to build with git 2.35.2

Bug #1969096 reported by Mark Goddard
Affects: kolla
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

Images that have a source with type=git are currently failing to build. By default, this includes the gnocchi-base image.

INFO:kolla.common.utils.gnocchi-base:Step 6/9 : RUN ln -s gnocchi-base-source/* gnocchi && SETUPTOOLS_USE_DISTUTILS=stdlib python3 -m pip --no-cache-dir install --upgrade -c /requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph,s3] && mkdir -p /etc/gnocchi && chown -R gnocchi: /etc/gnocchi
INFO:kolla.common.utils.gnocchi-base: ---> Running in d6b2a86e3d65
INFO:kolla.common.utils.gnocchi-base:Looking in indexes: http://mirror.iad3.inmotion.opendev.org:8080/pypi/simple, https://mirror.iad3.inmotion.opendev.org/wheel/ubuntu-20.04-x86_64
INFO:kolla.common.utils.gnocchi-base:Processing /gnocchi
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): started
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): finished with status 'error'
INFO:kolla.common.utils.gnocchi-base: error: subprocess-exited-with-error
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: × python setup.py egg_info did not run successfully.
INFO:kolla.common.utils.gnocchi-base: │ exit code: 1
INFO:kolla.common.utils.gnocchi-base: ╰─> [30 lines of output]
INFO:kolla.common.utils.gnocchi-base: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/installer.py:27: SetuptoolsDeprecationWarning: setuptools.installer is deprecated. Requirements should be satisfied by a PEP 517 installer.
INFO:kolla.common.utils.gnocchi-base: warnings.warn(
INFO:kolla.common.utils.gnocchi-base: Traceback (most recent call last):
INFO:kolla.common.utils.gnocchi-base: File "<string>", line 2, in <module>
INFO:kolla.common.utils.gnocchi-base: File "<pip-setuptools-caller>", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi/setup.py", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: setuptools.setup(
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/__init__.py", line 155, in setup
INFO:kolla.common.utils.gnocchi-base: return distutils.core.setup(**attrs)
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/core.py", line 108, in setup
INFO:kolla.common.utils.gnocchi-base: _setup_distribution = dist = klass(attrs)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 458, in __init__
INFO:kolla.common.utils.gnocchi-base: _Distribution.__init__(
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/dist.py", line 292, in __init__
INFO:kolla.common.utils.gnocchi-base: self.finalize_options()
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 851, in finalize_options
INFO:kolla.common.utils.gnocchi-base: ep(self)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 872, in _finalize_setup_keywords
INFO:kolla.common.utils.gnocchi-base: ep.load()(self, ep.name, value)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 75, in version_keyword
INFO:kolla.common.utils.gnocchi-base: _assign_version(dist, config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 51, in _assign_version
INFO:kolla.common.utils.gnocchi-base: _version_missing(config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/__init__.py", line 106, in _version_missing
INFO:kolla.common.utils.gnocchi-base: raise LookupError(
INFO:kolla.common.utils.gnocchi-base: LookupError: setuptools-scm was unable to detect version for /gnocchi-base-source/gnocchi-base-archive-4.4.1.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: Make sure you're either building from a fully intact git repository or PyPI tarballs. Most other sources (such as GitHub's tarballs, a git checkout without the .git folder) don't contain the necessary metadata and will not work.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: For example, if you're using pip, instead of https://github.com/user/proj/archive/master.zip use git+https://github.com/user/proj.git#egg=proj
INFO:kolla.common.utils.gnocchi-base: [end of output]
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: note: This error originates from a subprocess, and is likely not a problem with pip.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base:error: metadata-generation-failed
INFO:kolla.common.utils.gnocchi-base:× Encountered error while generating package metadata.
INFO:kolla.common.utils.gnocchi-base:╰─> See above for output.
INFO:kolla.common.utils.gnocchi-base:note: This is an issue with the package mentioned above, not pip.
INFO:kolla.common.utils.gnocchi-base:hint: See above for details.

This is currently affecting Ubuntu builds, which presumably include a backport of the git fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

This happens because kolla clones the git repository, then creates a tarball from it, preserving the ownership of the user running kolla-build on the files in the tarball. When we ADD this tarball into the image, Docker extracts it and preserves ownership of the files. The build runs as the root user, which typically is different than the user running kolla-build. Hence we hit CVE-2022-24765.

Related PBR bug: https://bugs.launchpad.net/pbr/+bug/1968877

Mark Goddard (mgoddard)
description: updated
Changed in kolla:
importance: Undecided → Critical
status: New → Triaged
Changed in kolla:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/837710
Committed: https://opendev.org/openstack/kolla/commit/c4fda7baa3ffc36b555c32a34a00042b6035b917
Submitter: "Zuul (22348)"
Branch: master

commit c4fda7baa3ffc36b555c32a34a00042b6035b917
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200

    Fix image builds with sources using a type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    This may seem unrelated to installation, but it plays havoc with PBR,
    which calls out to git to get revision history. So if you are
    "pip install"-ing from a source tree you don't own, the PBR git calls
    in that tree now fail and the install blows up.

    When using type=source, kolla clones the repository, then creates a
    tarball from it, which is ADDed to the image. The ownership of the files
    in the tarball is preserved, which in this case will be the user running
    kolla-build. Since the Docker build runs as root, we hit the PBR issue.

    Our solution is to make sure that any tarball we generate from git
    sources has all files owned by root:root so that the root user is able
    to use git commands when building container images.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
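
The ownership handling this commit message describes, as an added example (not kolla's own code): Python's tarfile records the on-disk uid/gid of each file unless a filter rewrites it, and the audit function lists the members a build running as another user would see as foreign-owned. The sample tree and all function names are constructed for illustration.

```python
import os
import tarfile
import tempfile


def root_owned(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """tarfile filter: record the member as root:root, not the on-disk owner."""
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    return info


def make_source_archive(src_dir: str, tar_path: str, reset_owner: bool) -> None:
    """Archive src_dir. With reset_owner=False the tar headers keep the
    uid/gid of whoever owns the files on disk (the behaviour the bug
    report describes); with reset_owner=True every member is root:root."""
    with tarfile.open(tar_path, "w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir),
                filter=root_owned if reset_owner else None)


def recorded_uids(tar_path: str) -> dict:
    """Map member name -> uid stored in the archive header."""
    with tarfile.open(tar_path) as tar:
        return {m.name: m.uid for m in tar.getmembers()}


def foreign_owned(tar_path: str, build_uid: int = 0) -> list:
    """Members that would not belong to build_uid after an
    ownership-preserving extraction. git refuses to operate in a
    repository directory owned by a different user."""
    uids = recorded_uids(tar_path)
    return sorted(name for name, uid in uids.items() if uid != build_uid)


def demo() -> dict:
    """Build a constructed checkout, archive it both ways, audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "proj")          # constructed sample tree
        os.makedirs(os.path.join(src, ".git"))
        with open(os.path.join(src, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        with open(os.path.join(src, "setup.py"), "w") as fh:
            fh.write("# constructed placeholder\n")
        disk_uid = os.stat(src).st_uid           # user who made the checkout

        before = os.path.join(tmp, "before.tar")
        after = os.path.join(tmp, "after.tar")
        make_source_archive(src, before, reset_owner=False)
        make_source_archive(src, after, reset_owner=True)
        return {
            "disk_uid": disk_uid,
            "before_uids": set(recorded_uids(before).values()),
            "after_uids": set(recorded_uids(after).values()),
            # A build user other than the archiving user owns nothing:
            "before_foreign_for_other": foreign_owned(before, disk_uid + 1),
            # After the reset, a root build owns every member:
            "after_foreign_for_root": foreign_owned(after, build_uid=0),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `foreign_owned` against a generated source tarball before it is ADDed to an image gives a quick pre-build check for the condition that trips git's ownership test.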

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla/+/837806

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla/+/837807

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla/+/837809

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla/+/837910

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/837809
Committed: https://opendev.org/openstack/kolla/commit/7fb3ecb1873f73847f72f9b645ee99a554baba7b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 7fb3ecb1873f73847f72f9b645ee99a554baba7b
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200

    Fix image builds with sources using a type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    This may seem unrelated to installation, but it plays havoc with PBR,
    which calls out to git to get revision history. So if you are
    "pip install"-ing from a source tree you don't own, the PBR git calls
    in that tree now fail and the install blows up.

    When using type=source, kolla clones the repository, then creates a
    tarball from it, which is ADDed to the image. The ownership of the files
    in the tarball is preserved, which in this case will be the user running
    kolla-build. Since the Docker build runs as root, we hit the PBR issue.

    Our solution is to make sure that any tarball we generate from git
    sources has all files owned by root:root so that the root user is able
    to use git commands when building container images.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
    (cherry picked from commit c4fda7baa3ffc36b555c32a34a00042b6035b917)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/837807
Committed: https://opendev.org/openstack/kolla/commit/6b88dc0f09cab3b3a439b2ba6c5c38bf1f8b720d
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 6b88dc0f09cab3b3a439b2ba6c5c38bf1f8b720d
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200

    Fix image builds with sources using a type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    This may seem unrelated to installation, but it plays havoc with PBR,
    which calls out to git to get revision history. So if you are
    "pip install"-ing from a source tree you don't own, the PBR git calls
    in that tree now fail and the install blows up.

    When using type=source, kolla clones the repository, then creates a
    tarball from it, which is ADDed to the image. The ownership of the files
    in the tarball is preserved, which in this case will be the user running
    kolla-build. Since the Docker build runs as root, we hit the PBR issue.

    Our solution is to make sure that any tarball we generate from git
    sources has all files owned by root:root so that the root user is able
    to use git commands when building container images.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
    (cherry picked from commit c4fda7baa3ffc36b555c32a34a00042b6035b917)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/837806
Committed: https://opendev.org/openstack/kolla/commit/1822dcc0dc71680763d54cfeba09b5579a93a02e
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 1822dcc0dc71680763d54cfeba09b5579a93a02e
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200

    Fix image builds with sources using a type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    This may seem unrelated to installation, but it plays havoc with PBR,
    which calls out to git to get revision history. So if you are
    "pip install"-ing from a source tree you don't own, the PBR git calls
    in that tree now fail and the install blows up.

    When using type=source, kolla clones the repository, then creates a
    tarball from it, which is ADDed to the image. The ownership of the files
    in the tarball is preserved, which in this case will be the user running
    kolla-build. Since the Docker build runs as root, we hit the PBR issue.

    Our solution is to make sure that any tarball we generate from git
    sources has all files owned by root:root so that the root user is able
    to use git commands when building container images.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
    (cherry picked from commit c4fda7baa3ffc36b555c32a34a00042b6035b917)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (stable/victoria)

Change abandoned by "Radosław Piliszek <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla/+/837910
Reason: squashed into https://review.opendev.org/c/openstack/kolla/+/836591

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 14.0.0.0rc2

This issue was fixed in the openstack/kolla 14.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 12.2.0

This issue was fixed in the openstack/kolla 12.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 13.1.0

This issue was fixed in the openstack/kolla 13.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/kolla/+/846562

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/kolla/+/846563

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (stable/victoria)

Change abandoned by "Radosław Piliszek <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla/+/837910
Reason: yeah, we forgot to abandon

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (stable/ussuri)

Change abandoned by "Radosław Piliszek <email address hidden>" on branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/kolla/+/846562

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (stable/train)

Change abandoned by "Radosław Piliszek <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/kolla/+/846563
Reason: train is going eol

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla/+/865421

Jakub Neumann (yavvi) wrote :

The bug is still going on in stable/yoga with custom plugins:

INFO:kolla.common.utils.neutron-server: error: subprocess-exited-with-error
INFO:kolla.common.utils.neutron-server:
INFO:kolla.common.utils.neutron-server: × python setup.py egg_info did not run successfully.
INFO:kolla.common.utils.neutron-server: │ exit code: 1
INFO:kolla.common.utils.neutron-server: ╰─> [22 lines of output]
INFO:kolla.common.utils.neutron-server: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py:738: UserWarning: Usage of dash-separated 'description-file' will not be supported in future versions. Please use the underscore name 'description_file' instead
INFO:kolla.common.utils.neutron-server: warnings.warn(
INFO:kolla.common.utils.neutron-server: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py:738: UserWarning: Usage of dash-separated 'author-email' will not be supported in future versions. Please use the underscore name 'author_email' instead
INFO:kolla.common.utils.neutron-server: warnings.warn(
INFO:kolla.common.utils.neutron-server: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py:738: UserWarning: Usage of dash-separated 'home-page' will not be supported in future versions. Please use the underscore name 'home_page' instead
INFO:kolla.common.utils.neutron-server: warnings.warn(
INFO:kolla.common.utils.neutron-server: Error parsing
INFO:kolla.common.utils.neutron-server: Traceback (most recent call last):
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/core.py", line 111, in pbr
INFO:kolla.common.utils.neutron-server: attrs = util.cfg_to_args(path, dist.script_args)
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/util.py", line 272, in cfg_to_args
INFO:kolla.common.utils.neutron-server: pbr.hooks.setup_hook(config)
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/hooks/__init__.py", line 25, in setup_hook
INFO:kolla.common.utils.neutron-server: metadata_config.run()
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/hooks/base.py", line 27, in run
INFO:kolla.common.utils.neutron-server: self.hook()
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/hooks/metadata.py", line 25, in hook
INFO:kolla.common.utils.neutron-server: self.config['version'] = packaging.get_version(
INFO:kolla.common.utils.neutron-server: File "/var/lib/kolla/venv/lib/python3.8/site-packages/pbr/packaging.py", line 872, in get_version
INFO:kolla.common.utils.neutron-server: raise Exception("Versioning for this project requires either an sdist"
INFO:kolla.common.utils.neutron-server: Exception: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. It's also possible that there is a mismatch between the package name in setup.cfg and the argument given to pbr.version.VersionInfo. Project name audit-...


OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla/+/865516

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/865516
Committed: https://opendev.org/openstack/kolla/commit/6be0068f376b0ae67bc81b50a97e042a88317d28
Submitter: "Zuul (22348)"
Branch: master

commit 6be0068f376b0ae67bc81b50a97e042a88317d28
Author: Jakub Neumann <email address hidden>
Date: Thu Nov 24 10:29:47 2022 +0100

    Fix plugin builds with sources using type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    A fix was introduced for general checkouts, but it was not applied
    to the plugins archive, resulting in PBR still not working as intended.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Co-Authored-By: Marcin Juszkiewicz <email address hidden>

    Signed-off-by: Jakub Neumann <email address hidden>
    Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla/+/866228

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla/+/866229

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla/+/866230

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/866228
Committed: https://opendev.org/openstack/kolla/commit/6ba7df36182e709f154e8ec7a482464d054e99f6
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 6ba7df36182e709f154e8ec7a482464d054e99f6
Author: Jakub Neumann <email address hidden>
Date: Thu Nov 24 10:29:47 2022 +0100

    Fix plugin builds with sources using type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    A fix was introduced for general checkouts, but it was not applied
    to the plugins archive, resulting in PBR still not working as intended.

    Fixed conflict added in I093620679016b37e1664c9fe4cf7559433e744b7.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Co-Authored-By: Marcin Juszkiewicz <email address hidden>

    Signed-off-by: Jakub Neumann <email address hidden>
    Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941
    (cherry picked from commit 6be0068f376b0ae67bc81b50a97e042a88317d28)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/866229
Committed: https://opendev.org/openstack/kolla/commit/2b222ce035a5be5ec037314fc838025ae4fe5d30
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 2b222ce035a5be5ec037314fc838025ae4fe5d30
Author: Jakub Neumann <email address hidden>
Date: Thu Nov 24 10:29:47 2022 +0100

    Fix plugin builds with sources using type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    A fix was introduced for general checkouts, but it was not applied
    to the plugins archive, resulting in PBR still not working as intended.

    Fixed conflict added in I093620679016b37e1664c9fe4cf7559433e744b7.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Co-Authored-By: Marcin Juszkiewicz <email address hidden>

    Signed-off-by: Jakub Neumann <email address hidden>
    Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941
    (cherry picked from commit 6be0068f376b0ae67bc81b50a97e042a88317d28)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/866230
Committed: https://opendev.org/openstack/kolla/commit/e8c92dfa1404a647587d948f6c73091005bfbc2a
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e8c92dfa1404a647587d948f6c73091005bfbc2a
Author: Jakub Neumann <email address hidden>
Date: Thu Nov 24 10:29:47 2022 +0100

    Fix plugin builds with sources using type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    A fix was introduced for general checkouts, but it was not applied
    to the plugins archive, resulting in PBR still not working as intended.

    Fixed conflict added in I093620679016b37e1664c9fe4cf7559433e744b7.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Co-Authored-By: Marcin Juszkiewicz <email address hidden>

    Signed-off-by: Jakub Neumann <email address hidden>
    Change-Id: Ib3a37eebb29d975fc51a117cecdff74baafd8941
    (cherry picked from commit 6be0068f376b0ae67bc81b50a97e042a88317d28)

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (stable/yoga)

Change abandoned by "Marcin Juszkiewicz <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla/+/865421
Reason: already merged: https://review.opendev.org/c/openstack/kolla/+/866228

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 15.0.0.0rc1

This issue was fixed in the openstack/kolla 15.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 13.8.0

This issue was fixed in the openstack/kolla 13.8.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 14.8.0

This issue was fixed in the openstack/kolla 14.8.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla wallaby-eol

This issue was fixed in the openstack/kolla wallaby-eol release.
