Makefile: Run release build as regular user #751
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes an issue where `make release` would fail to build the release binaries, because `go build` would fail with `error obtaining VCS status: exit status 128`. This happens because `go build` in Go v1.18 and newer is invoking `git` as part of the build process. However, due to [CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), git v2.35.2 now requires that the current git directory for most commands is owned by the user with which the `git` process is running. Because our containerized build was running as `root` inside of the container, git rightfully refused to work on a tree owned by a non-root user. This commit fixes this issue by creating a release user with the same UID/GID of the current user (assumed to be the user owning the working directory), and running `make` with the permissions of that user instead of running as root. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added
the
release-note/misc
gandro
requested review from
a team,
glibsm and
kaworu
and removed request for
a team and
glibsm
tklauser
reviewed
Jun 22, 2022
tklauser
approved these changes
Jun 22, 2022
tklauser
added a commit
to cilium/cilium-cli
that referenced
this pull request
Jun 22, 2022
Instead of adding the checkout directory to git's safe directories as done in commit 023ccfb ("make: allow running `git status` during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser
added a commit
to cilium/cilium-cli
that referenced
this pull request
Jun 23, 2022
Instead of adding the checkout directory to git's safe directories as done in commit 023ccfb ("make: allow running `git status` during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser
added a commit
to cilium/pwru
that referenced
this pull request
Jun 28, 2022
Instead of adding the checkout directory to git's safe directories as done in commit 1d42d3f ("make: allow running git status during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 and cilium-cli#945 Signed-off-by: Tobias Klauser <tobias@cilium.io>
tklauser
added a commit
to cilium/pwru
that referenced
this pull request
Jun 28, 2022
Instead of adding the checkout directory to git's safe directories as done in commit 1d42d3f ("make: allow running git status during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 and cilium/cilium-cli#945 Signed-off-by: Tobias Klauser <tobias@cilium.io>
brb
pushed a commit
to cilium/pwru
that referenced
this pull request
Jun 28, 2022
Instead of adding the checkout directory to git's safe directories as done in commit 1d42d3f ("make: allow running git status during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 and cilium/cilium-cli#945 Signed-off-by: Tobias Klauser <tobias@cilium.io>
aditighag
pushed a commit
to aditighag/cilium-cli
that referenced
this pull request
Apr 21, 2023
Instead of adding the checkout directory to git's safe directories as done in commit 023ccfb ("make: allow running `git status` during release build"), change the release target to create a regular user with the same UID/GID as the current user (assumed to be the user owning the working directory) inside the container and use it to run `make release`. Follows cilium/hubble#751 Signed-off-by: Tobias Klauser <tobias@cilium.io>
michi-covalent
pushed a commit
to michi-covalent/cilium
that referenced
this pull request
May 30, 2023
Instead of adding the checkout directory to git's safe directories as
done in commit 023ccfb8466e ("make: allow running `git status` during
release build"), change the release target to create a regular user with
the same UID/GID as the current user (assumed to be the user owning the
working directory) inside the container and use it to run `make
release`.
Follows cilium/hubble#751
Signed-off-by: Tobias Klauser <tobias@cilium.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes an issue where
make releasewould fail to build the releasebinaries, because
go buildwould fail witherror obtaining VCS status: exit status 128.This happens because
go buildin Go v1.18 and newer is invokinggitas part of the build process. However, due to CVE-2022-24765,
git v2.35.2 now requires that the current git directory for most
commands is owned by the user with which the
gitprocess is running.Because our containerized build was running as
rootinside of thecontainer, git rightfully refused to work on a tree owned by a non-root
user. This commit fixes this issue by creating a release user with the
same UID/GID of the current user (assumed to be the user owning the
working directory), and running
makewith the permissions of that userinstead of running as root.
Signed-off-by: Sebastian Wicki sebastian@isovalent.com