Fix image builds with sources using a type=git
A recent change to git [1] introduced a new behaviour to work around a
CVE [2] that disallows any git operations in directories not owned by
the current user.

This may seem unrelated to installation, but it plays havoc with PBR,
which calls out to git to get revision history.  So if you are
"pip install"-ing from a source tree you don't own, the PBR git calls
in that tree now fail and the install blows up.

When using type=source, kolla clones the repository, then creates a
tarball from it, which is ADDed to the image. The ownership of the files
in the tarball is preserved, which in this case will be the user running
kolla-build. Since the Docker build runs as root, we hit the PBR issue.

Our solution is to make sure that any tarball we generate from git
sources have all files owned by root:root so that the root user is able
to use git commands when building container images.

[1] git/git@8959555
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

Closes-Bug: #1969096
Related-Bug: #1968877

Co-Authored-By: Mark Goddard <[email protected]>
Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
(cherry picked from commit c4fda7b)
Marcin Juszkiewicz authored and yoctozepto committed Apr 14, 2022
1 parent 3567973 commit 7fb3ecb
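The mechanism the commit describes, as an added example that is not kolla's own code: a tarball is built from a checked-out tree twice, once preserving the on-disk owner (the user running the build) and once through a tarfile filter that stamps every member root:root, and both archives are inspected so the difference is visible. A simplified stand-in for git's ownership check is included to show why the owner matters. The helper names (make_source_tarball, archive_owners, git_would_refuse), the sample tree and the ownership check are assumptions of this example; the real git check also honours safe.directory and other cases.

```python
"""Added example (not kolla's code): reset tarball ownership to root:root.

Assumptions of this example: helper names are hypothetical, the sample
source tree is constructed in a temporary directory, and git_would_refuse
is a simplified approximation of git's CVE-2022-24765 owner check.
"""
import os
import tarfile
import tempfile
from pathlib import Path


def reset_userinfo(tarinfo):
    """Same idea as the kolla fix: stamp each archive member as root:root."""
    tarinfo.uid = tarinfo.gid = 0
    tarinfo.uname = tarinfo.gname = "root"
    return tarinfo


def make_source_tarball(src_dir, dest_archive, reset_owner=True):
    """Archive src_dir under its basename, optionally resetting ownership.

    With reset_owner=False the archive keeps the on-disk owner (the user
    running the build), which is the situation that broke PBR once the
    archive was unpacked and used by root inside the image build.
    """
    src_dir = os.fspath(src_dir)
    with tarfile.open(dest_archive, "w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir),
                filter=reset_userinfo if reset_owner else None)
    return dest_archive


def archive_owners(archive):
    """Return {member_name: (uid, gid, uname, gname)} for every entry."""
    with tarfile.open(archive, "r") as tar:
        return {m.name: (m.uid, m.gid, m.uname, m.gname)
                for m in tar.getmembers()}


def git_would_refuse(path, euid=None):
    """Simplified stand-in (an assumption, not git's code) for the
    CVE-2022-24765 check: refuse when the directory owner is not the
    effective uid of the process. Real git additionally consults the
    safe.directory setting, so use this only to reason about ownership."""
    euid = os.geteuid() if euid is None else euid
    return os.stat(path).st_uid != euid


def demo():
    """Build a constructed sample tree and archive it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pbr-project"
        (src / ".git").mkdir(parents=True)
        (src / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
        (src / "setup.py").write_text(
            "from setuptools import setup\nsetup(pbr=True)\n")

        raw = make_source_tarball(src, Path(tmp) / "raw.tar",
                                  reset_owner=False)
        fixed = make_source_tarball(src, Path(tmp) / "fixed.tar")

        root_only = {(0, 0, "root", "root")}
        return {
            # the raw archive carries whatever uid built it
            "raw_owners": sorted(set(archive_owners(raw).values())),
            "fixed_all_root": set(archive_owners(fixed).values()) == root_only,
            "member_count": len(archive_owners(fixed)),
            # a process with a different euid than the tree owner is refused
            "refused_for_other_uid": git_would_refuse(src, euid=os.geteuid() + 1),
            "accepted_for_owner": not git_would_refuse(src),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the owner tuples found in each archive; the reset archive contains only root:root while the raw one reflects the build user. The filter is applied by tarfile to every member added recursively, so directories, files and symlinks all get the same treatment, and only uid/gid/uname/gname change; mode bits and timestamps are left as they were.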
Showing 2 changed files with 20 additions and 1 deletion.
12 changes: 11 additions & 1 deletion kolla/image/build.py
Expand Up @@ -431,8 +431,18 @@ def process_source(self, image, source):
image.status = Status.ERROR
return

# NOTE(mgoddard): Change ownership of files to root:root. This
# avoids an issue introduced by the fix for git CVE-2022-24765,
# which breaks PBR when the source checkout is not owned by the
# user installing it. LP#1969096
def reset_userinfo(tarinfo):
tarinfo.uid = tarinfo.gid = 0
tarinfo.uname = tarinfo.gname = "root"
return tarinfo

with tarfile.open(dest_archive, 'w') as tar:
tar.add(clone_dir, arcname=os.path.basename(clone_dir))
tar.add(clone_dir, arcname=os.path.basename(clone_dir),
filter=reset_userinfo)

elif source.get('type') == 'local':
self.logger.debug("Getting local archive from %s",
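Review bot: the reset_userinfo filter is only applied to the archive built from the git clone; the `type == 'local'` branch that begins at the end of this hunk is not shown receiving the same treatment, so a local source tree owned by the user running kolla-build could still hit git's CVE-2022-24765 ownership check once it is unpacked and PBR runs git as root inside the build. Worth confirming how that branch packages its source, or applying the same filter there. A minor point on the NOTE: mentioning that the archive is ADDed and unpacked as root would make it clear why root:root is the right target rather than some other fixed owner.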
9 changes: 9 additions & 0 deletions releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
@@ -0,0 +1,9 @@
---
fixes:
- |
Fixes an issue building images that use a source with a ``type`` of
``git``, when using a git that includes the fix for `CVE-2022-24765
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765>`__ (2.35.2
or later). By default, this includes the ``gnocchi-base`` image, but may
include other images with a non-default configuration. `LP#837710
<https://review.opendev.org/c/openstack/kolla/+/837710>`__
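Review bot: the trailing reference is labelled `LP#837710` but its URL is the Gerrit change (review.opendev.org/c/openstack/kolla/+/837710), not a Launchpad bug; the bug this commit closes is #1969096, so either link that bug or relabel the link as the review. Also, the commit message body refers to `type=source` while this note and the commit title say a source ``type`` of ``git``; aligning the wording would avoid confusion for operators searching release notes.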
