[all] Devstack jobs are failing due to a git security fix

Ian Wienand iwienand at redhat.com
Wed Apr 13 07:11:27 UTC 2022

On Tue, Apr 12, 2022 at 05:05:22PM -0700, Michael Johnson wrote:
> tldr: All devstack based jobs are going to fail with newer versions of
> git - don't bother rechecking
> git has released a security fix [1] that is starting to roll out in
> distributions (Ubuntu focal for example) that will cause pbr to be
> unable to access the package metadata for packages checked out locally
> due to the directory ownership used in devstack.

This turns out to be annoyingly complicated.

Since devstack checks out all code as "stack" and then installs
globally with "sudo pip install -e ...", pbr will be running in a
directory owned by "stack" as root and its git calls will hit this

If we make the code directories owned by root, we now have additional
problems.  Several places do things in the code repositories --
e.g. setup virtualenvs, run ./tools/*.sh scripts to generate sample
config files and run tox as "stack" (tox then tries to install the
source tree in its virtualenv -- if it's owned by root -- again --

I explored a bunch of these options in


and anyone feel free to take over that and keep trying.

The other option is to use the new config flag to mark our checkouts
as safe.  This is obviously simpler, but it seems like a very ugly
thing for a nominally generic tool like devstack to do to your global
git config.  This is done with


and appears to work; but will need backporting for grenade if we want
to take this path.

When this kicked off I sent in a link to HN thinking that thanks to
our very upstream focused CI we were likely some of the first to hit
this; it's currently the top post so I think that is accurate that
this is having wide impact:


It is probably worth keeping one eye on upstream for any developments
that might change our options.
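
Added example, not part of the original message and not devstack code: a read-only audit that lists the git checkouts under a directory whose owner differs from the user that will run git there (uid 0 for the "sudo pip install -e" case described above). Comparing only the owner of the checkout's top-level directory is a simplification of git's own check, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added illustration: find checkouts that git's ownership check would refuse
# when git is run by a different user than the one that cloned them.
# Assumption: only the owner of the top-level checkout directory is compared.

# owner_uid DIR -> prints the numeric uid that owns DIR
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# would_trip DIR CALLER_UID -> exit 0 if DIR is owned by someone other than CALLER_UID
would_trip() {
    [ "$(owner_uid "$1")" != "$2" ]
}

# audit_checkouts ROOT CALLER_UID -> one line per mismatched checkout under ROOT
audit_checkouts() {
    root="$1"
    caller="$2"
    find "$root" -maxdepth 2 -name .git -print 2>/dev/null |
    while IFS= read -r gitdir; do
        repo="${gitdir%/.git}"
        if would_trip "$repo" "$caller"; then
            # Each path printed here is one that would have to be either
            # re-owned or listed under git's safe.directory setting.
            printf '%s owner=%s caller=%s\n' "$repo" "$(owner_uid "$repo")" "$caller"
        fi
    done
}

# Usage: sh audit.sh /path/to/checkouts [caller_uid]   (caller_uid defaults to 0, root)
if [ "$#" -gt 0 ]; then
    audit_checkouts "$1" "${2:-0}"
fi
```

Nothing is modified by the script; it only reports, so the output can be reviewed before deciding between changing ownership and touching the global git config.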