kolla/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
Marcin Juszkiewicz c4fda7baa3 Fix image builds with sources using a type=git
A recent change to git [1] introduced a new behaviour to work around a
CVE [2] that disallows any git operations in directories not owned by
the current user.

This may seem unrelated to installation, but it plays havoc with PBR,
which calls out to git to get to get revision history.  So if you are
"pip install"-ing from a source tree you don't own, the PBR git calls
in that tree now fail and the install blows up.

When using type=source, kolla clones the repository, then creates a
tarball from it, which is ADDed to the image. The ownership of the files
in the tarball is preserved, which in this case will be the user running
kolla-build. Since the Docker build runs as root, we hit the PBR issue.

Our solution is to make sure that any tarball we generate from git
sources have all files owned by root:root so that the root user is able
to use git commands when building container images.

[1] 8959555cee
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

Closes-Bug: #1969096
Related-Bug: #1968877

Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: I2cbf1f539880d512aa223c3ef3a4b19ee18854ac
2022-04-14 11:32:51 +01:00

10 lines
451 B
YAML

---
fixes:
- |
Fixes an issue building images that use a source with a ``type`` of
``git``, when using a git that includes the fix for `CVE-2022-24765
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765>`__ (2.35.2
or later). By default, this includes the ``gnocchi-base`` image, but may
include other images with a non-default configuration. `LP#837710
<https://review.opendev.org/c/openstack/kolla/+/837710>`__