Git Clone unsafe repository #4966

Closed
aceeric opened this issue Jun 10, 2022 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@aceeric

aceeric commented Jun 10, 2022

Expected Behavior

Using Pipelines 0.36.0, creating a TaskRun to git clone a repository results in success.

Actual Behavior

Fails with error: Exit status 128 fatal // Unsafe repository ('/workspace/output' is owned by someone else) // To add an exception for this directory, call: git config --global --add safe.directory /workspace/output

Additional info

Based on #4756 being merged in April and 0.36.0 being cut in June, I thought this would be resolved in 0.36.0.

Steps to Reproduce the Problem

  1. Install Tekton Pipelines 0.36.0: kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.36.0/release.yaml
  2. Get this manifest - https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.6/git-clone.yaml - and change both occurrences of "0.29.0" to "0.36.0". Then kubectl apply the manifest
  3. Create a TaskRun with this manifest, following guidance here to run as non-root
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: git-clone-run-brancch
spec:
  podTemplate:
    securityContext:
      runAsNonRoot: true
      runAsUser: 65532
  workspaces:
  - name: output
    emptyDir: {}
  - name: ssh-directory
    secret:
      secretName: tekton-ssh
      items:
      - key: ssh-privatekey
        path: id_rsa
  taskRef:
    name: git-clone
  params:
  - name: url
    value: [email protected]/myproj/foo.git
  - name: revision
    value: main
  - name: sslVerify
    value: "false"
  - name: userHome
    value: /home/nonroot

Observe the TaskRun fails with error:

Exit status 128 fatal:
unsafe repository ('/workspace/output') is owned by someone else
To add an exception for this directory, call: git config --global --add safe.directory /workspace/output
@v1nc3nt27

@aceeric did you find a solution for this? I'm having similar trouble when using an AWS EFS Access point as workspace:

    2022/06/14 14:40:40 warning: unsuccessful cred copy: ".gitconfig" from "/tekton/creds" to "/": unable to open destination: open /.gitconfig: permission denied
    2022/06/14 14:40:40 warning: unsuccessful cred copy: ".git-credentials" from "/tekton/creds" to "/": unable to open destination: open /.git-credentials: permission denied
    time="2022-06-14T14:40:42Z" level=error msg="error determining current user: user: unknown userid 65532"

@aceeric
Author

aceeric commented Jun 16, 2022

@v1nc3nt27 I settled on a work-around. I modified the upstream https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.6/git-clone.yaml before deploying the Task into the cluster. The beginning of the script was modified to look thus:

...
script: |
  #!/usr/bin/env sh
  set -eu

  if [ "${PARAM_VERBOSE}" = "true" ] ; then
    set -x
  fi

  # added one line
  git config --global --add safe.directory /workspace/output

  if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
...
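
One way to scope the workaround above, as an added example that is not part of the catalog Task or of any comment in this thread: it adds the `safe.directory` exception only when the workspace is not owned by the current uid, only for that exact path, and only once. The function names are hypothetical, and the uid comparison is a simplified stand-in for git's own ownership check.

```shell
#!/usr/bin/env sh
# Added example (not the catalog Task's script). Function names are
# hypothetical; the directory to trust is passed as an argument.

# Print the numeric uid that owns a directory, using POSIX ls only.
dir_owner_uid() {
  ls -nd -- "$1" | awk '{print $3}'
}

# Succeed when the directory is owned by the uid running this script.
# Simplified stand-in for the check behind "is owned by someone else".
owned_by_me() {
  [ "$(dir_owner_uid "$1")" = "$(id -u)" ]
}

# Trust exactly one path, only when needed, and never add it twice.
# Prints "owned", "present" or "added"; fails if HOME is not writable,
# because --global writes to $HOME/.gitconfig.
ensure_safe_directory() {
  dir=$1
  if owned_by_me "$dir"; then
    echo "owned"
    return 0
  fi
  if [ ! -w "${HOME:-/}" ]; then
    echo "HOME (${HOME:-/}) is not writable; set userHome first" >&2
    return 1
  fi
  # Exact-match lookup so repeated runs do not grow the config file.
  if git config --global --get-all safe.directory 2>/dev/null |
      grep -Fxq -- "$dir"; then
    echo "present"
    return 0
  fi
  # Exact path rather than a wildcard: the exception stays limited to
  # the one workspace this step is meant to clone into.
  git config --global --add safe.directory "$dir" && echo "added"
}

# Usage inside the Task script, before the first git command:
#   ensure_safe_directory /workspace/output
```

The writable-HOME check corresponds to the `/.gitconfig: permission denied` warnings quoted earlier in the thread, where the home directory resolved to `/`.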

@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 14, 2022
@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 14, 2022
jhonis added a commit to jhonis/tektoncd-catalog that referenced this issue Oct 17, 2022
@afrittoli
Member

@aceeric Thanks for the workaround. Would a PR to the catalog solve this issue, or do you think this is something that needs to be fixed on pipeline side?

@aceeric
Author

aceeric commented Oct 20, 2022

Honestly @afrittoli it's hard to say - not being an expert in the tool. Fundamentally the catalog task is (presently) wanting to use the pipeline image in a way that seems incompatible with the image. So - should the image in the pipeline be modified to not require the additional line of shell? Part of that IMO is determined by which - if any - other Tekton components use that image and what impact there would be of changing the pipeline. Sorry for not having a better answer...

tekton-robot pushed a commit to tektoncd/catalog that referenced this issue Oct 20, 2022
@lbernick
Member

lbernick commented Nov 1, 2022

@aceeric it looks like this issue may be resolved by @jhonis's PR tektoncd/catalog#1092 to the git clone catalog task so I'm going to close this issue; please feel free to reopen if the problem is not resolved.

@lbernick lbernick closed this as completed Nov 1, 2022
Repository owner moved this from Todo to Done in Tekton Community Roadmap Nov 1, 2022
@aceeric
Author

aceeric commented Nov 1, 2022

Sounds good - thank you.
