build-tools: latest git in debian bullseye causes docker build errors

Bug #2009723 reported by Davlet Panech
This bug affects 1 person

Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Davlet Panech

Bug Description

Brief Description
-----------------
Debian bullseye recently released an update to the "git" package that in some circumstances doesn't work correctly with repositories created by the "repo" tool. The problematic version is 1:2.30.2-1+deb11u2.

The docker image build system triggers this bug under some circumstances -- for docker images that attempt to create a mirror of an existing local git repository by setting the following in the *.docker_image build recipe:

  PROJECT_REPO=<path to a local git repo>
  MIRROR_LOCAL=yes

Severity
--------
Major

Steps to Reproduce
------------------

1) Enter the "builder" container and upgrade git to latest:

% apt-get update
% apt-get upgrade git

2) Try to clone a local directory:

% git clone $MY_REPO

Expected Behavior
------------------
Git clone succeeds

Actual Behavior
----------------
Git clone fails with a message similar to:

fatal: destination path '/home/dpanech/test_1' already exists and is not an empty directory.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
master/2023-03-07

Last Pass
---------
master/2023-03-03

Timestamp/Logs
--------------
N/A

Test Activity
-------------
N/A

Workaround
----------
Downgrade git:

sudo apt-get install git=1:2.30.2-1


Davlet Panech (dpanech)
summary: - build-tools: latest git broken in debian bullseye
+ build-tools: latest git in debian bullseye causes docker build errors
OpenStack Infra (hudson-openstack) wrote : Fix proposed to root (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/root/+/876884

Changed in starlingx:
status: New → In Progress
Davlet Panech (dpanech) wrote :

Correction:

Actual Behavior
----------------
Git clone fails with a message similar to:

fatal: failed to start iterator over '[...]/.git/objects': Not a directory

OpenStack Infra (hudson-openstack) wrote : Fix merged to root (master)

Reviewed: https://review.opendev.org/c/starlingx/root/+/876884
Committed: https://opendev.org/starlingx/root/commit/143cd0b94667ddd33f9fd52bb714b875551e85f8
Submitter: "Zuul (22348)"
Branch: master

commit 143cd0b94667ddd33f9fd52bb714b875551e85f8
Author: Davlet Panech <email address hidden>
Date: Wed Mar 8 12:18:31 2023 -0500

    docker-images: avoid git errors for local repos

    A recent update to git [1] causes errors when cloning a local git
    repository whose .git directory contains symlinks, which it does for
    repos managed by the "repo" tool. This is triggered by docker image
    builds that have the following in their recipes:

      PROJECT_REPO=/path/to/local/git/repo
      MIRROR_LOCAL=yes

    Symptoms: "git clone /path/to/local/git/repo" fails with an error
    similar to

      fatal: failed to start iterator over '[...]/.git/objects': Not a
      directory

    Workaround: add "--no-local" when calling "git clone". This avoids the
    error, and also makes physical copies of .git/objects, rather than
    hard-linking them.

    TESTS
    ===================
    * Make sure "git clone --no-local /path/to/local/git/repo" works
      with both the original git package (1:2.30.2-1) and the patched
      package (1:2.30.2-1+deb11u2).
    * Build a test image that triggers this case

    [1] https://security-tracker.debian.org/tracker/CVE-2023-22490

    Closes-Bug: 2009723
    Signed-off-by: Davlet Panech <email address hidden>
    Change-Id: I90bf0b21713701fe253b23a1bfb9fd49ec649853

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
assignee: nobody → Davlet Panech (dpanech)
tags: added: stx.9.0 stx.build
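
The condition and workaround described in the fix commit above, as an added example that is not part of the bug report or the StarlingX build tools: a pre-flight check that lists symlinks in a local repo's .git directory, and a clone wrapper that always passes --no-local. All function names and the sample directory layout are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: pre-flight check for local repos cloned with MIRROR_LOCAL=yes.
# All function names are hypothetical, not part of the StarlingX build tools.

# Print each symlink found at, or directly under, <repo>/.git (one per line).
# Returns 0 if any were found, 1 if none, 2 if <repo> has no .git entry.
git_dir_symlinks() {
    local repo="$1" gitdir="$1/.git" found=1 entry target
    [ -e "$gitdir" ] || return 2
    if [ -L "$gitdir" ]; then
        echo "$gitdir"; found=0          # .git itself is a symlink
    elif [ -f "$gitdir" ]; then
        # .git is a "gitdir: <path>" pointer file (worktrees, submodules)
        target=$(sed -n 's/^gitdir: //p' "$gitdir")
        case "$target" in
            /*) gitdir="$target" ;;
            *)  gitdir="$repo/$target" ;;
        esac
    fi
    for entry in "$gitdir"/*; do
        if [ -L "$entry" ]; then echo "$entry"; found=0; fi
    done
    return "$found"
}

# Clone a local path as the fix does: always pass --no-local, so objects are
# copied through git's regular transport instead of being hard-linked.
clone_local_repo() {
    local src="$1" dest="$2"
    if git_dir_symlinks "$src" >/dev/null; then
        echo "note: $src/.git contains symlinks; using --no-local" >&2
    fi
    git clone --no-local "$src" "$dest"
}

# Constructed sample layouts (no git needed): "proj" has .git/objects as a
# symlink, the case the page describes for repo-managed checkouts; "plain"
# has an ordinary .git directory.
make_sample_checkouts() {
    local root="$1"
    mkdir -p "$root/store/objects" "$root/proj/.git/refs" \
             "$root/plain/.git/objects"
    ln -s "$root/store/objects" "$root/proj/.git/objects"
}
```

Running git_dir_symlinks over each PROJECT_REPO path before a build shows which recipes would hit the error with the patched git package.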