source-repositories : use explicit sudo/-C args when in REPO_DEST

The recent git ownership-checking changes (see related bug for full
details) mean we can not run git in non-owned directories.

We have a couple of cases here where we have done a "pushd" to work in
the REPO_DEST context; this is the destination directory that is
inside the chroot so needs to be operated on as "root" (via sudo
calls).  This certainly makes sense -- but given the new way of things
it can hide what context each call is working in, which is now very
important.  Previously this worked because you could read it; now it's
doing the UID check too, calls in here without sudo now fail.

Remove the pushd's and make every call that works in REPO_DEST
explicit with -C, and add sudo calls around it.

Change-Id: Id1f6bd94c9c77ef6ab2b562a7e0bc48f749c58ac
Related-Bug: https://bugs.launchpad.net/devstack/+bug/1968798
Ian Wienand 2022-04-14 16:08:08 +10:00 committed by Michael Johnson
parent 709d18fd42
commit 4cb3346fec

@ -159,30 +159,26 @@ function get_repos_for_element(){
echo "REPOLOCATIONS don't match ("$CACHE_PATH" != "$DESIRED")" >&2 echo "REPOLOCATIONS don't match ("$CACHE_PATH" != "$DESIRED")" >&2
exit 1 exit 1
elif [[ "$REPOREF" != "*" ]]; then elif [[ "$REPOREF" != "*" ]]; then
pushd $REPO_DEST > /dev/null
# When we first clone we create a branch naming what we fetched # When we first clone we create a branch naming what we fetched
# that must match, or we are asking for two different references from the # that must match, or we are asking for two different references from the
# same repo, which is an error # same repo, which is an error
if ! git rev-parse fetch_$REPOREF; then if ! sudo git -C ${REPO_DEST} rev-parse fetch_$REPOREF; then
echo "REPOREFS don't match - failed to get sha1 of fetch_$REPOREF" >&2 echo "REPOREFS don't match - failed to get sha1 of fetch_$REPOREF" >&2
exit 1 exit 1
fi fi
popd > /dev/null
fi fi
else else
sudo git clone -q $CACHE_PATH $REPO_DEST sudo git clone -q $CACHE_PATH $REPO_DEST
pushd $REPO_DEST > /dev/null
if [[ "$REPOREF" == "*" ]]; then if [[ "$REPOREF" == "*" ]]; then
sudo git fetch -q --prune --update-head-ok $CACHE_PATH \ sudo git -C ${REPO_DEST} fetch -q --prune --update-head-ok $CACHE_PATH \
+refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/* +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/*
git_sha=$(git rev-parse HEAD) git_sha=$(sudo git -C ${REPO_DEST} rev-parse HEAD)
else else
sudo git fetch -q $CACHE_PATH $REPOREF:fetch_$REPOREF sudo git -C ${REPO_DEST} fetch -q $CACHE_PATH $REPOREF:fetch_$REPOREF
sudo git reset --hard FETCH_HEAD sudo git -C ${REPO_DEST} reset --hard FETCH_HEAD
# Get the sha in use # Get the sha in use
git_sha=$(git rev-parse FETCH_HEAD) git_sha=$(sudo git -C ${REPO_DEST} rev-parse FETCH_HEAD)
fi fi
popd > /dev/null
# Write the sha being used into the source-repositories manifest # Write the sha being used into the source-repositories manifest
echo "$REPONAME git $REPOPATH $REPOLOCATION $git_sha" >> $GIT_MANIFEST echo "$REPONAME git $REPOPATH $REPOLOCATION $git_sha" >> $GIT_MANIFEST
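Review bot: the new `-C ${REPO_DEST}` argument is unquoted in all six added git calls (the `rev-parse fetch_$REPOREF` check, both fetches, `reset --hard`, and the two `git_sha=` assignments), so a destination path containing whitespace or glob characters would be word-split before git sees it, and with sudo in front that means root operating on a directory other than the one intended. Suggest `sudo git -C "${REPO_DEST}" ...` throughout, and quoting `$CACHE_PATH` and `"fetch_$REPOREF"` on the same lines while they are being touched. A smaller point on the `git_sha=$(sudo git -C ${REPO_DEST} rev-parse ...)` lines: now that each of these depends on sudo succeeding, it would be worth failing explicitly when `git_sha` comes back empty, since the following `echo ... $git_sha >> $GIT_MANIFEST` would otherwise record an entry with no sha (these lines do not show whether errexit is in effect).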