No longer possible to serve shared repositories in klaus

Open arunisaac opened this issue 1 year ago • 7 comments

My klaus setup involves klaus serving repositories that are owned by a different user. But, with git's new safe directory checks, it is no longer possible to use shared repositories without explicit safelisting. git's safe directory checks aren't quite relevant to klaus. It would be nice if we could avoid using the git CLI altogether and do everything with dulwich. That way, we can continue to support shared repositories while at the same time not exposing ourselves to git vulnerabilities and being immune from klaus breaking due to future changes in git.

Here's the git error message I get when trying to serve a shared repository with klaus.

2023-07-25 09:39:13 fatal: detected dubious ownership in repository at '/srv/git/repos/guix-forge'
2023-07-25 09:39:13 To add an exception for this directory, call:
2023-07-25 09:39:13 
2023-07-25 09:39:13     git config --global --add safe.directory /srv/git/repos/guix-forge
2023-07-25 09:39:13 [2023-07-25 09:39:13,228] ERROR in app: Exception on /guix-forge/ [GET]

Thank you!

arunisaac, Jul 25 '23 09:07

Unfortunately Dulwich is still too slow for some operations.

Any other ideas how to improve this in Klaus?

jonashaag, Jul 25 '23 09:07

We could maybe use pygit2 instead of dulwich. pygit2 depends on libgit2 and should be faster.

https://www.pygit2.org/

arunisaac, Jul 25 '23 10:07

I'm open to merging that change but not interested in putting in the work right now.

jonashaag, Jul 25 '23 13:07

No worries! I totally understand. I don't have much time for hacking myself. For now, I'll be running klaus with a patched git that has the safe directory check disabled.

arunisaac, Jul 25 '23 15:07

In case it's not obvious, you can work around this issue by running git config --global --add safe.directory /srv/git/repos/guix-forge like the error message suggested. This is what I did at work, where repos are rarely added/removed. My /etc/gitconfig looks like this:

[safe]
directory = /srv/vcs/foo.git
directory = /srv/vcs/bar.git
directory = /srv/vcs/baz.git

I could not find any way to "batch" allow /srv/vcs/*.git.

trentbuck, Mar 25 '24 08:03
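
An added example, not part of the thread or of klaus: one way to produce a per-repository [safe] section like the /etc/gitconfig above from a directory of repositories, listing each one explicitly. The function name gen_safe_dirs and the test for a bare repository (a HEAD file plus an objects directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not klaus or git code).
# gen_safe_dirs ROOT
#   Prints a gitconfig fragment with one safe.directory entry for every
#   bare repository found directly under ROOT (ROOT/*.git).
gen_safe_dirs() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "gen_safe_dirs: not a directory: $root" >&2
        return 1
    fi
    # Entries are written as absolute paths, as in the config shown above.
    root=$(cd "$root" && pwd) || return 1
    nl='
'
    printf '[safe]\n'
    for repo in "$root"/*.git; do
        # Skip an unmatched glob, plain files and symlinked entries.
        [ -d "$repo" ] && [ ! -L "$repo" ] || continue
        # Only list directories that look like bare repositories.
        [ -f "$repo/HEAD" ] && [ -d "$repo/objects" ] || continue
        # Refuse paths that cannot be written safely inside a quoted value.
        case $repo in
            *\"*|*\\*|*"$nl"*)
                echo "gen_safe_dirs: skipping unusual path: $repo" >&2
                continue ;;
        esac
        # Double quotes keep spaces, '#' and ';' in the path literal.
        printf '\tdirectory = "%s"\n' "$repo"
    done
    return 0
}

# Usage (review the output before installing it):
#   gen_safe_dirs /srv/vcs
```

The list has to be regenerated whenever repositories are added or removed, and it should only cover repositories whose owners are trusted, since the entries switch off git's ownership check for those paths.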

Yes, that's possible. But, I would prefer to have a smoother user experience than that. I maintain a klaus service in guix-forge. https://guix-forge.systemreboot.net/ This klaus service automates away most of the deployment details. I would prefer to keep it that way and not tell users to invoke additional commands.

arunisaac, Mar 25 '24 20:03

duplicate of https://github.com/jonashaag/klaus/issues/300

fin444, May 04 '24 18:05