From 4cb3346fec6715d3f2ba7953face5296f497956a Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Thu, 14 Apr 2022 16:08:08 +1000
Subject: [PATCH] source-repositories : use explicit sudo/-C args when in
 REPO_DEST

The recent git ownership-checking changes (see related bug for full
details) mean we can not run git in non-owned directories.

We have a couple of cases here where we have done a "pushd" to work in
the REPO_DEST context; this is the destination directory that is
inside the chroot so needs to be operated on as "root" (via sudo
calls).  This certainly makes sense -- but given the new way of things
it can hide what context each call is working in, which is now very
important.  Previously this worked because you could read it; now it's
doing the UID check too, calls in here without sudo now fail.

Remvoe the pushd's and make every call that works in REPO_DEST
explicit with -C, and add sudo calls around it.

Change-Id: Id1f6bd94c9c77ef6ab2b562a7e0bc48f749c58ac
Related-Bug: https://bugs.launchpad.net/devstack/+bug/1968798
---
 .../extra-data.d/98-source-repositories          | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/diskimage_builder/elements/source-repositories/extra-data.d/98-source-repositories b/diskimage_builder/elements/source-repositories/extra-data.d/98-source-repositories
index 5f470329..b30f9a93 100755
--- a/diskimage_builder/elements/source-repositories/extra-data.d/98-source-repositories
+++ b/diskimage_builder/elements/source-repositories/extra-data.d/98-source-repositories
@@ -159,30 +159,26 @@ function get_repos_for_element(){
                         echo "REPOLOCATIONS don't match ("$CACHE_PATH" != "$DESIRED")" >&2
                         exit 1
                     elif [[ "$REPOREF" != "*" ]]; then
-                        pushd $REPO_DEST > /dev/null
                         # When we first clone we create a branch naming what we fetched
                         # that must match, or we are asking for two different references from the
                         # same repo, which is an error
-                        if ! git rev-parse fetch_$REPOREF; then
+                        if ! sudo git -C ${REPO_DEST} rev-parse fetch_$REPOREF; then
                             echo "REPOREFS don't match - failed to get sha1 of fetch_$REPOREF" >&2
                             exit 1
                         fi
-                        popd > /dev/null
                     fi
                 else
                     sudo git clone -q $CACHE_PATH $REPO_DEST
-                    pushd $REPO_DEST > /dev/null
                     if [[ "$REPOREF" == "*" ]]; then
-                        sudo git fetch -q --prune --update-head-ok $CACHE_PATH \
+                        sudo git -C ${REPO_DEST} fetch -q --prune --update-head-ok $CACHE_PATH \
                             +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/*
-                        git_sha=$(git rev-parse HEAD)
+                        git_sha=$(sudo git -C ${REPO_DEST} rev-parse HEAD)
                     else
-                        sudo git fetch -q $CACHE_PATH $REPOREF:fetch_$REPOREF
-                        sudo git reset --hard FETCH_HEAD
+                        sudo git -C ${REPO_DEST} fetch -q $CACHE_PATH $REPOREF:fetch_$REPOREF
+                        sudo git -C ${REPO_DEST} reset --hard FETCH_HEAD
                         # Get the sha in use
-                        git_sha=$(git rev-parse FETCH_HEAD)
+                        git_sha=$(sudo git -C ${REPO_DEST} rev-parse FETCH_HEAD)
                     fi
-                    popd > /dev/null
 
                     # Write the sha being used into the source-repositories manifest
                     echo "$REPONAME git $REPOPATH $REPOLOCATION $git_sha" >> $GIT_MANIFEST