Fix image builds with sources using a type=git

A recent change to git [1] introduced a new behaviour to work around a CVE [2] that disallows any git operations in directories not owned by the current user. This may seem unrelated to installation, but it plays havoc with PBR, which calls out to git to get to get revision history. So if you are "pip install"-ing from a source tree you don't own, the PBR git calls in that tree now fail and the install blows up. When using type=source, kolla clones the repository, then creates a tarball from it, which is ADDed to the image. The ownership of the files in the tarball is preserved, which in this case will be the user running kolla-build. Since the Docker build runs as root, we hit the PBR issue. Our solution is to make sure that any tarball we generate from git sources have all files owned by root:root so that the root user is able to use git commands when building container images. [1] 8959555cee [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765. Closes-Bug: #1969096 Related-Bug: #1968877 Co-Authored-By: Mark Goddard <mark@stackhpc.com> Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
2022-04-13 20:19:38 +02:00 · 2022-04-13 20:19:38 +02:00 · c4fda7baa3
parent 4b5cfa85eb
commit c4fda7baa3
2 changed files with 20 additions and 1 deletions
--- a/kolla/image/build.py
+++ b/kolla/image/build.py
@ -368,8 +368,18 @@ class BuildTask(DockerTask):
                image.status = Status.ERROR
                return

+            # NOTE(mgoddard): Change ownership of files to root:root. This
+            # avoids an issue introduced by the fix for git CVE-2022-24765,
+            # which breaks PBR when the source checkout is not owned by the
+            # user installing it. LP#1969096
+            def reset_userinfo(tarinfo):
+                tarinfo.uid = tarinfo.gid = 0
+                tarinfo.uname = tarinfo.gname = "root"
+                return tarinfo
+
            with tarfile.open(dest_archive, 'w') as tar:
-                tar.add(clone_dir, arcname=os.path.basename(clone_dir))
+                tar.add(clone_dir, arcname=os.path.basename(clone_dir),
+                        filter=reset_userinfo)

        elif source.get('type') == 'local':
            self.logger.debug("Getting local archive from %s",
--- a/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
+++ b/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Fixes an issue building images that use a source with a ``type`` of
+    ``git``, when using a git that includes the fix for `CVE-2022-24765
+    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765>`__ (2.35.2
+    or later). By default, this includes the ``gnocchi-base`` image, but may
+    include other images with a non-default configuration.  `LP#837710
+    <https://review.opendev.org/c/openstack/kolla/+/837710>`__