kolla

  1. Bug #1969096
  2. Comment #8

Comment 8 for bug 1969096

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/837806
Committed: https://opendev.org/openstack/kolla/commit/1822dcc0dc71680763d54cfeba09b5579a93a02e
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 1822dcc0dc71680763d54cfeba09b5579a93a02e
Author: Marcin Juszkiewicz <email address hidden>
Date: Wed Apr 13 20:19:38 2022 +0200

    Fix image builds with sources using a type=git

    A recent change to git [1] introduced a new behaviour to work around a
    CVE [2] that disallows any git operations in directories not owned by
    the current user.

    This may seem unrelated to installation, but it plays havoc with PBR,
    which calls out to git to get to get revision history. So if you are
    "pip install"-ing from a source tree you don't own, the PBR git calls
    in that tree now fail and the install blows up.

    When using type=source, kolla clones the repository, then creates a
    tarball from it, which is ADDed to the image. The ownership of the files
    in the tarball is preserved, which in this case will be the user running
    kolla-build. Since the Docker build runs as root, we hit the PBR issue.

    Our solution is to make sure that any tarball we generate from git
    sources have all files owned by root:root so that the root user is able
    to use git commands when building container images.

    [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

    Closes-Bug: #1969096
    Related-Bug: #1968877

    Co-Authored-By: Mark Goddard <email address hidden>
    Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
    (cherry picked from commit c4fda7baa3ffc36b555c32a34a00042b6035b917)