From eceb8690f6ac7d0a87f544b6dce06120ff04f2b5 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 29 May 2024 14:35:55 -0700 Subject: [PATCH] Chown the /opt/git repo cache to zuul:zuul Latest git packages on Ubuntu (and possibly other locations in the future) don't allow locally cloning repos owned by a different user by default. Attempting to do so results in this error: fatal: detected dubious ownership in repository at '/opt/git/opendev.org/foo/bar/.git' To add an exception for this directory, call: git config --global --add safe.directory /opt/git/opendev.org/foo/bar/.git fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. Currently the /opt/git repos are owned by root:root. We expect that zuul will be the most common user to interact with these cached repos so we chown to zuul:zuul in order to avoid these problems as much as possible. Any cases not using zuul will have to determine a path foward for that special circumstances. Change-Id: I7cb21869bae42baed5027a9380f60762ab8944e0 --- nodepool/elements/zuul-worker/install.d/60-zuul-worker | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nodepool/elements/zuul-worker/install.d/60-zuul-worker b/nodepool/elements/zuul-worker/install.d/60-zuul-worker index c43b4d37a8..7138bc1a8b 100755 --- a/nodepool/elements/zuul-worker/install.d/60-zuul-worker +++ b/nodepool/elements/zuul-worker/install.d/60-zuul-worker @@ -49,3 +49,12 @@ if [ -d /opt/cache/files ] ; then # but make sure the cache is readable by everyone chmod -R a+rX /opt/cache/files/* fi + +# New versions of git don't let you clone repos as a different user +# than the user owning the repo by default for security reasons. +# As above we cache git repos during extra-data.d in /opt/git/ and they +# end up owned by root. Chown them to zuul here to avoid permissions +# issues with the most likely user to interact with the git cache( zuul). +if [ -d /opt/git ] ; then + chown -R zuul:zuul /opt/git +fi