Makefile: Run release build as regular user
This fixes an issue where `make release` would fail to build the release
binaries, because `go build` would fail with `error obtaining VCS
status: exit status 128`.

This happens because `go build` in Go v1.18 and newer is invoking `git`
as part of the build process. However, due to
[CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/),
git v2.35.2 now requires that the current git directory for most
commands is owned by the user with which the `git` process is running.

Because our containerized build was running as `root` inside of the
container, git rightfully refused to work on a tree owned by a non-root
user. This commit fixes this issue by creating a release user with the
same UID/GID of the current user (assumed to be the user owning the
working directory), and running `make` with the permissions of that user
instead of running as root.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro committed Jun 22, 2022
1 parent bf56e89 commit daec1c8
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions Makefile
Expand Up @@ -25,10 +25,14 @@ hubble:
$(GO_BUILD) $(if $(GO_TAGS),-tags $(GO_TAGS)) -ldflags "-w -s -X 'github.com/cilium/hubble/pkg.GitBranch=${GIT_BRANCH}' -X 'github.com/cilium/hubble/pkg.GitHash=$(GIT_HASH)' -X 'github.com/cilium/hubble/pkg.Version=${VERSION}'" -o $(TARGET)

release:
docker run --env "RELEASE_UID=$(RELEASE_UID)" --env "RELEASE_GID=$(RELEASE_GID)" --rm --workdir /hubble --volume `pwd`:/hubble docker.io/library/golang:1.18.3-alpine3.16 \
sh -c "apk add --no-cache make git && make local-release"
docker run --rm --workdir /hubble --volume `pwd`:/hubble docker.io/library/golang:1.18.3-alpine3.16 \
sh -c "apk add --no-cache make git && \
addgroup -g $(RELEASE_GID) release && \
adduser -u $(RELEASE_UID) -D -G release release && \
su release -c 'make local-release'"

local-release: clean
set -o errexit; \
for OS in darwin linux windows; do \
EXT=; \
ARCHS=; \
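
Review bot: In the `release` recipe, `addgroup -g $(RELEASE_GID) release` and `adduser -u $(RELEASE_UID) -D -G release release` assume that neither ID is already taken inside the golang:1.18.3-alpine3.16 image. If the invoking user's UID or GID collides with an existing entry (UID 0, when `make release` is itself run as root, is the obvious case), the `&&` chain stops before `su release -c 'make local-release'` and the release fails on account creation rather than on the build. Consider handling that case explicitly, or documenting that `make release` must be run as a non-root user. Separately, RELEASE_UID and RELEASE_GID are defined outside this hunk; they are now expanded by make into the shell string instead of being passed with `--env`, so an empty value would produce a malformed `addgroup -g release`, and it is worth confirming they are always set.
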
Expand All @@ -52,10 +56,7 @@ local-release: clean
(cd release && sha256sum $(TARGET)-$$OS-$$ARCH.tar.gz > $(TARGET)-$$OS-$$ARCH.tar.gz.sha256sum); \
done; \
rm -r release/$$OS; \
done; \
if [ $$(id -u) -eq 0 -a -n "$$RELEASE_UID" -a -n "$$RELEASE_GID" ]; then \
chown -R "$$RELEASE_UID:$$RELEASE_GID" release; \
fi
done;

install: hubble
$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
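
Review bot: With the `if [ $$(id -u) -eq 0 ... ]` and `chown -R "$$RELEASE_UID:$$RELEASE_GID" release` lines removed from the end of `local-release`, the target no longer corrects ownership of `release/` when it is run as root, and RELEASE_UID/RELEASE_GID in the environment are silently ignored. That is fine for the `make release` path, which now drops privileges before calling it, but a comment on `local-release` saying it is expected to run as an unprivileged user would help anyone invoking it directly in their own container. Minor style point: the trailing `;` on the final `done;` is no longer needed now that nothing follows it.
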