[all] Devstack jobs are failing due to a git security fix

Dmitriy Rabotyagov noonedeadpunk at gmail.com
Wed Apr 13 09:17:06 UTC 2022


Hey!

I actually wonder if the approach with config flag to mark checkouts as
safe should be applied more generally, when zuul preps repos for usage,
instead of hook in devstack specifically. As it's a more general issue,
since zuul repos can't be used as is now for other projects as well
(limited to devstack).

ср, 13 апр. 2022 г. в 09:14, Ian Wienand <iwienand at redhat.com>:

> On Tue, Apr 12, 2022 at 05:05:22PM -0700, Michael Johnson wrote:
> 65;6602;1c> tldr: All devstack based jobs are going to fail with newer
> versions of
> > git - don't bother rechecking
> >
> > git has released a security fix [1] that is starting to roll out in
> > distributions (Ubuntu focal for example) that will cause pbr to be
> > unable to access the package metadata for packages checked out locally
> > due to the directory ownership used in devstack.
>
> This turns out to be annoyingly complicated.
>
> Since devstack checks out all code as "stack" and then installs
> globally with "sudo pip install -e ...", pbr will be running in a
> directory owned by "stack" as root and its git calls will hit this
> failure.
>
> If we make the code directories owned by root, we now have additional
> problems.  Several places do things in the code repositories --
> e.g. setup virtualenvs, run ./tools/*.sh scripts to generate sample
> config files and run tox as "stack" (tox then tries to install the
> source tree in it's virtualenv -- if it's owned by root -- again --
> failure).
>
> I explored a bunch of these options in
>
>   https://review.opendev.org/c/openstack/devstack/+/837636
>
> and anyone feel free to take over that and keep trying.
>
> The other option is to use the new config flag to mark our checkouts
> as safe.  This is obviously simpler, but it seems like a very ugly
> thing for a nominally generic tool like devstack to do to your global
> git config.  This is done with
>
>   https://review.opendev.org/c/openstack/devstack/+/837659
>
> and appears to work; but will need backporting for grenade if we want
> to take this path.
>
> When this kicked off I sent in a link to HN thinking that thanks to
> our very upstream focused CI we were likely some of the first to hit
> this; it's currently the top post so I think that is accurate that
> this is having wide impact:
>
>   https://news.ycombinator.com/item?id=31009675
>
> It is probably worth keeping one eye on upstream for any developments
> that might change our options.
>
> -i
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220413/6bd41bc0/attachment.htm>


More information about the openstack-discuss mailing list