From c4fda7baa3ffc36b555c32a34a00042b6035b917 Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Wed, 13 Apr 2022 20:19:38 +0200 Subject: [PATCH] Fix image builds with sources using a type=git A recent change to git [1] introduced a new behaviour to work around a CVE [2] that disallows any git operations in directories not owned by the current user. This may seem unrelated to installation, but it plays havoc with PBR, which calls out to git to get to get revision history. So if you are "pip install"-ing from a source tree you don't own, the PBR git calls in that tree now fail and the install blows up. When using type=source, kolla clones the repository, then creates a tarball from it, which is ADDed to the image. The ownership of the files in the tarball is preserved, which in this case will be the user running kolla-build. Since the Docker build runs as root, we hit the PBR issue. Our solution is to make sure that any tarball we generate from git sources have all files owned by root:root so that the root user is able to use git commands when building container images. [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765. Closes-Bug: #1969096 Related-Bug: #1968877 Co-Authored-By: Mark Goddard Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac --- kolla/image/build.py | 12 +++++++++++- .../notes/git-security-fix-fix-ea56c0071585237d.yaml | 9 +++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml diff --git a/kolla/image/build.py b/kolla/image/build.py index 3d4fcc27a5..4a6ecd4955 100755 --- a/kolla/image/build.py +++ b/kolla/image/build.py @@ -368,8 +368,18 @@ class BuildTask(DockerTask): image.status = Status.ERROR return + # NOTE(mgoddard): Change ownership of files to root:root. This + # avoids an issue introduced by the fix for git CVE-2022-24765, + # which breaks PBR when the source checkout is not owned by the + # user installing it. LP#1969096 + def reset_userinfo(tarinfo): + tarinfo.uid = tarinfo.gid = 0 + tarinfo.uname = tarinfo.gname = "root" + return tarinfo + with tarfile.open(dest_archive, 'w') as tar: - tar.add(clone_dir, arcname=os.path.basename(clone_dir)) + tar.add(clone_dir, arcname=os.path.basename(clone_dir), + filter=reset_userinfo) elif source.get('type') == 'local': self.logger.debug("Getting local archive from %s", diff --git a/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml b/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml new file mode 100644 index 0000000000..a168f5d619 --- /dev/null +++ b/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + Fixes an issue building images that use a source with a ``type`` of + ``git``, when using a git that includes the fix for `CVE-2022-24765 + `__ (2.35.2 + or later). By default, this includes the ``gnocchi-base`` image, but may + include other images with a non-default configuration. `LP#837710 + `__