Great suggestion Jason - adding `git status` took me in a very unexpected
direction, and ultimately a solution.

tl;dr if your build's base container image does not use root/uid 0, git
commands won't work unless you add the `--chown=<uid>` flag to your `COPY`
instruction. Go builds need this if you want `-buildvcs=auto|true` to
succeed.

When I changed my build command to `RUN git status && go build` in the
Dockerfile, I got the following output:

```
$ podman build -t localhost/sclorg/hello-openshift:latest .
[1/2] STEP 1/3: FROM registry.redhat.io/ubi9/go-toolset:1.20.12 AS builder
[1/2] STEP 2/3: COPY . .
--> 10a13b463199
[1/2] STEP 3/3: RUN git status && go build -o /tmp/hello
fatal: detected dubious ownership in repository at '/opt/app-root/src'
To add an exception for this directory, call:

        git config --global --add safe.directory /opt/app-root/src
Error: building at STEP "RUN git status && go build -o /tmp/hello": while
running runtime: exit status 128
```

This was a new and different error message for me - but same exit code as
before. A quick Google search brought me to CVE-2022-24765 [1], whose fix
introduced this "dubious ownership" message/protection.

I was finally able to piece everything together with a few more debug
builds and internet searches:

1. On Fedora 39, podman runs in "rootless" mode. Files owned by me show up
as owned by "root" in containers.
2. For Linux containers, `COPY` commands in Dockerfiles copy files as
UID/GID 0 unless the `--chown` flag is passed [2].
3. As part of the mitigation for CVE-2022-24765, git commands will succeed
only if:
  a. The `.git` directory is owned by the same user executing the `git`
command, OR
  b. The parent directory is marked "safe" in the git configuration.

Using `COPY --chown=default . .` instead of `COPY . .` works for the UBI
go-toolset image referenced previously in this thread. Your results may
vary using other golang "builder" images.

[1] https://github.blog/2022-04-12-git-security-vulnerability-announced/
[2] https://docs.docker.com/reference/dockerfile/#copy---chown---chmod


On Sat, May 11, 2024 at 11:43 AM Jason E. Aten <j.e.a...@gmail.com> wrote:

> > how can developers debug and find the root cause?
>
> If it was me, I would start by going into the container (whatever the
> podman equivalent of docker exec -it containernumber bash) and try to run
> 'git status' or 'git log' and see why the git query is giving an error.
> You could also try strace to see what git command specifically is being
> execed, then try to get that command working manually.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "golang-nuts" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/golang-nuts/LZbM2WlZoJM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/ca680397-1497-4b3a-83ce-301c936308c1n%40googlegroups.com
> <https://groups.google.com/d/msgid/golang-nuts/ca680397-1497-4b3a-83ce-301c936308c1n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>


-- 

Adam Kaplan

He/Him

Principal Software Engineer

Red Hat <https://www.redhat.com>

100 E. Davie Street

adam.kap...@redhat.com    T: 1-919-754-4843
<https://www.redhat.com>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CADmLb%2B%3DpPMFT5fnBpC4C8QuxD%3DFNTO1c74o6Nx6F6zL2eJALbg%40mail.gmail.com.
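As an added illustration of the failure described in this thread (not code from the thread or from Red Hat), the script below reproduces the two conditions git checks since the CVE-2022-24765 fix: whether the `.git` directory is owned by the current uid, and, failing that, whether the repository (or `*`) is listed under `safe.directory` in the global git config. Running it as a preflight step in a container build explains an exit status 128 from `go build -buildvcs=auto` before it happens. The function name `check_repo_ownership` and the sample repository created in the test are my own constructions.

```shell
#!/bin/sh
# Constructed example: preflight check for git's "dubious ownership" rule
# (CVE-2022-24765 mitigation) ahead of `go build -buildvcs=auto|true`.

# check_repo_ownership REPO
#   prints "ok"           when git would accept REPO (exit 0)
#   prints "not-a-repo"   when REPO has no .git directory (exit 2)
#   prints "dubious: ..." when .git belongs to another uid and no
#                         safe.directory entry covers it (exit 1)
check_repo_ownership() {
  repo=$1
  if [ ! -d "$repo/.git" ]; then
    echo "not-a-repo"
    return 2
  fi

  # Owner uid of .git; GNU stat uses -c, BSD/macOS stat uses -f.
  owner=$(stat -c %u "$repo/.git" 2>/dev/null || stat -f %u "$repo/.git")
  me=$(id -u)

  # Condition (a): .git owned by the user running git.
  if [ "$owner" = "$me" ]; then
    echo "ok"
    return 0
  fi

  # Condition (b): repository allow-listed via safe.directory.
  # The key may be repeated, and a bare '*' disables the check entirely,
  # which is why chown'ing the COPY is preferable to adding '*'.
  if command -v git >/dev/null 2>&1 &&
     git config --global --get-all safe.directory 2>/dev/null |
       grep -qx -e "$repo" -e '\*'; then
    echo "ok"
    return 0
  fi

  echo "dubious: .git owned by uid $owner, running as uid $me"
  return 1
}

# Stand-alone usage: check the current directory, as a build step would.
if [ "${1:-}" != "" ]; then
  check_repo_ownership "$1"
fi
```

In the scenario from the thread, the script reports `dubious: .git owned by uid 0, running as uid 1001` inside the go-toolset builder after a plain `COPY . .`; switching to `COPY --chown=default . .` makes condition (a) hold, so no `safe.directory` entry is needed.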