Git Clone unsafe repository

Open aceeric opened this issue 3 years ago • 3 comments

Expected Behavior

Using Pipelines 0.36.0, creating a TaskRun to git clone a repository results in success.

Actual Behavior

Fails with error: Exit status 128 fatal // Unsafe repository ('/workspace/output' is owned by someone else) // To add an exception for this directory, call: git config --global --add safe.directory /workspace/output

Additional info

Based on https://github.com/tektoncd/pipeline/pull/4756 being merged in April and 0.36.0 being cut in June, I thought this would be resolved in 0.36.0.

Steps to Reproduce the Problem

  1. Install Tekton Pipelines 0.36.0: kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.36.0/release.yaml
  2. Get this manifest - https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.6/git-clone.yaml - and change both occurrences of "0.29.0" to "0.36.0". Then kubectl apply the manifest
  3. Create a TaskRun with this manifest, following guidance here to run as non-root

    apiVersion: tekton.dev/v1beta1
    kind: TaskRun
    metadata:
      name: git-clone-run-brancch
    spec:
      podTemplate:
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
      workspaces:
      - name: output
        emptyDir: {}
      - name: ssh-directory
        secret:
          secretName: tekton-ssh
          items:
          - key: ssh-privatekey
            path: id_rsa
      taskRef:
        name: git-clone
      params:
      - name: url
        value: [email protected]/myproj/foo.git
      - name: revision
        value: main
      # trailing colon removed from the param name; the value is passed as a string
      - name: sslVerify
        value: "false"
      - name: userHome
        value: /home/nonroot

Observe the TaskRun fails with error:

    Exit status 128 fatal:
    unsafe repository ('/workspace/output') is owned by someone else
    To add an exception for this directory, call: git config --global --add safe.directory /workspace/output

aceeric, Jun 10 '22 16:06

@aceeric did you find a solution for this? I'm having similar trouble when using an AWS EFS Access point as a workspace:

    2022/06/14 14:40:40 warning: unsuccessful cred copy: ".gitconfig" from "/tekton/creds" to "/": unable to open destination: open /.gitconfig: permission denied
    2022/06/14 14:40:40 warning: unsuccessful cred copy: ".git-credentials" from "/tekton/creds" to "/": unable to open destination: open /.git-credentials: permission denied
    time="2022-06-14T14:40:42Z" level=error msg="error determining current user: user: unknown userid 65532"

v1nc3nt27, Jun 15 '22 06:06

@v1nc3nt27 I settled on a work-around. I modified the upstream https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.6/git-clone.yaml before deploying the Task into the cluster. The beginning of the script was modified to look thus:

    ...
    script: |
      #!/usr/bin/env sh
      set -eu

      if [ "${PARAM_VERBOSE}" = "true" ] ; then
        set -x
      fi

      # added one line
      git config --global --add safe.directory /workspace/output

      if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
    ...

aceeric, Jun 16 '22 10:06
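
An added example, not part of the thread or of the catalog task: a guarded form of the one-line workaround above that adds the `safe.directory` exception only for the exact workspace path, only when the directory owner differs from the running uid, and only if `$HOME` is writable (the condition behind the `permission denied` cred-copy warnings earlier in the thread). The function names and the optional `RUN_UID` argument are hypothetical, and the owner comparison is an approximation of git's own ownership check.

```shell
#!/usr/bin/env sh
# Added example: scope a safe.directory exception to one workspace path.
set -eu

# Numeric uid that owns a path (portable: parses `ls -ldn`).
owner_uid() {
  ls -ldn "$1" | awk '{print $3}'
}

# ensure_safe_directory DIR [RUN_UID]   (hypothetical helper)
# RUN_UID defaults to the current uid; pass the pod's runAsUser to simulate it.
# Prints one of: owned | already-listed | added
ensure_safe_directory() {
  dir=$1
  run_uid=${2:-$(id -u)}

  # `git config --global` writes under $HOME, so $HOME must be writable.
  if [ ! -w "${HOME:-/}" ]; then
    echo "HOME (${HOME:-unset}) is not writable by uid ${run_uid}" >&2
    return 1
  fi

  # Same owner: git accepts the directory, no exception is needed.
  if [ "$(owner_uid "$dir")" = "$run_uid" ]; then
    echo owned
    return 0
  fi

  # Idempotent: do not append the same path on every run.
  if git config --global --get-all safe.directory 2>/dev/null | grep -Fxq "$dir"; then
    echo already-listed
    return 0
  fi

  # Exact path only, never the '*' wildcard.
  git config --global --add safe.directory "$dir"
  echo added
}
```

In a Task script this would be called as `ensure_safe_directory /workspace/output` before the first git command.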

@aceeric Thanks for the workaround. Would a PR to the catalog solve this issue, or do you think this is something that needs to be fixed on pipeline side?

afrittoli, Oct 18 '22 16:10

Honestly @afrittoli it's hard to say - not being an expert in the tool. Fundamentally the catalog task is (presently) wanting to use the pipeline image in a way that seems incompatible with the image. So - should the image in the pipeline be modified to not require the additional line of shell? Part of that IMO is determined by which - if any - other Tekton components use that image and what impact there would be of changing the pipeline. Sorry for not having a better answer...

aceeric, Oct 20 '22 00:10

@aceeric it looks like this issue may be resolved by @jhonis's PR https://github.com/tektoncd/catalog/pull/1092 to the git clone catalog task so I'm going to close this issue; please feel free to reopen if the problem is not resolved.

lbernick, Nov 01 '22 16:11

Sounds good - thank you.

aceeric, Nov 01 '22 23:11