eceb8690f6
Latest git packages on Ubuntu (and possibly other locations in the
future) don't allow locally cloning repos owned by a different user by
default. Attempting to do so results in this error:
fatal: detected dubious ownership in repository at '/opt/git/opendev.org/foo/bar/.git'
To add an exception for this directory, call:
git config --global --add safe.directory /opt/git/opendev.org/foo/bar/.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Currently the /opt/git repos are owned by root:root. We expect that
zuul will be the most common user to interact with these cached repos so
we chown to zuul:zuul in order to avoid these problems as much as
possible. Any cases not using zuul will have to determine a path foward
for that special circumstances.
Change-Id: I7cb21869bae42baed5027a9380f60762ab8944e0
61 lines
1.9 KiB
Bash
Executable File
61 lines
1.9 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
|
set -x
|
|
fi
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
# Add zuul user and group. Note we don't want to rely on
|
|
# "useradd"'s group adding behaviour, because it might differ across
|
|
# distros.
|
|
groupadd zuul
|
|
useradd -m zuul -g zuul -s /bin/bash
|
|
|
|
cat > /etc/sudoers.d/zuul << EOF
|
|
zuul ALL=(ALL) NOPASSWD:ALL
|
|
EOF
|
|
chmod 0440 /etc/sudoers.d/zuul
|
|
|
|
visudo -c || die "Error setting zuul sudo!"
|
|
|
|
# this was copied from outside the chroot by extras.d
|
|
_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
|
|
if [ ! -f $_pub_key ]; then
|
|
die "Can not find Zuul public key!"
|
|
fi
|
|
|
|
mkdir -p /home/zuul/.ssh
|
|
chmod 700 /home/zuul/.ssh
|
|
cp $_pub_key /home/zuul/.ssh/authorized_keys
|
|
|
|
# cleanup everything to the right owner
|
|
chown -R zuul:zuul /home/zuul
|
|
|
|
# a lot of caching happens in extra-data.d (for "historical" reasons).
|
|
# We've put the cache stuff into /opt/cache/files, but again, for
|
|
# "historical" reasons, ensure this is available in /home/zuul
|
|
#
|
|
# We do this for zuul as relative paths to the current user's homedir
|
|
# are used in places like devstack.
|
|
#
|
|
# Check if the cache exists as we don't have a strict dependency on the
|
|
# devstack-cache element. This allows you to build an image without
|
|
# incurring the cost of caching all the things.
|
|
if [ -d /opt/cache/files ] ; then
|
|
mkdir -p /home/zuul/cache
|
|
chown zuul:zuul /home/zuul/cache
|
|
ln -sf /opt/cache/files /home/zuul/cache/files
|
|
# but make sure the cache is readable by everyone
|
|
chmod -R a+rX /opt/cache/files/*
|
|
fi
|
|
|
|
# New versions of git don't let you clone repos as a different user
|
|
# than the user owning the repo by default for security reasons.
|
|
# As above we cache git repos during extra-data.d in /opt/git/ and they
|
|
# end up owned by root. Chown them to zuul here to avoid permissions
|
|
# issues with the most likely user to interact with the git cache( zuul).
|
|
if [ -d /opt/git ] ; then
|
|
chown -R zuul:zuul /opt/git
|
|
fi
|