Great suggestion Jason - adding `git status` took me in a very unexpected direction, and ultimately a solution.
tl;dr if your build's base container image does not use root/uid 0, git commands won't work unless you add the `--chown=<uid>` flag to your `COPY` instruction. Go builds need this if you want `-buildvcs=auto|true` to succeed. When I changed my build command to `RUN git status && go build` in the Dockerfile, I got the following output: ``` $ podman build -t localhost/sclorg/hello-openshift:latest . [1/2] STEP 1/3: FROM registry.redhat.io/ubi9/go-toolset:1.20.12 AS builder [1/2] STEP 2/3: COPY . . --> 10a13b463199 [1/2] STEP 3/3: RUN git status && go build -o /tmp/hello fatal: detected dubious ownership in repository at '/opt/app-root/src' To add an exception for this directory, call: git config --global --add safe.directory /opt/app-root/src Error: building at STEP "RUN git status && go build -o /tmp/hello": while running runtime: exit status 128 ``` This was a new and different error message for me - but same exit code as before. A quick Google search brought me to CVE-2022-24765 [1], whose fix introduced this "dubious ownership" message/protection. I was finally able to piece everything together with a few more debug builds and internet searches: 1. On Fedora 39, podman runs in "rootless" mode. Files owned by me show up as owned by "root" in containers. 2. For Linux containers, `COPY` commands in Dockerfiles copy files as UID/GID 0 unless the `--chown` flag is passed. [2]. 3. As part of the mitigation for CVE-2022-24765, git commands will succeed only if: a. The `.git` directory is owned by the same user executing the `.git` command OR b. The parent directory marked "safe" in the git configuration. Using `COPY --chown=default . .` instead of `COPY . .` works for the UBI go-toolset image referenced previously in this thread. Your results may vary using other golang "builder" images. [1] https://github.blog/2022-04-12-git-security-vulnerability-announced/ [2] https://docs.docker.com/reference/dockerfile/#copy---chown---chmod On Sat, May 11, 2024 at 11:43 AM Jason E. Aten <j.e.a...@gmail.com> wrote: > > how can developers debug and find the root cause? > > If it was me, I would start by going into the container (whatever the > podman equivalent of docker exec -it containernumber bash) and try to run > 'git status' or 'git log' and see why the git query is giving an error. > You could also try strace to see what git command specifically is being > execed, then try to get that command working manually. > > -- > You received this message because you are subscribed to a topic in the > Google Groups "golang-nuts" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/golang-nuts/LZbM2WlZoJM/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > golang-nuts+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/golang-nuts/ca680397-1497-4b3a-83ce-301c936308c1n%40googlegroups.com > <https://groups.google.com/d/msgid/golang-nuts/ca680397-1497-4b3a-83ce-301c936308c1n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Adam Kaplan He/Him Principal Software Engineer Red Hat <https://www.redhat.com> 100 E. Davie Street adam.kap...@redhat.com T: 1-919-754-4843 <https://www.redhat.com> -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CADmLb%2B%3DpPMFT5fnBpC4C8QuxD%3DFNTO1c74o6Nx6F6zL2eJALbg%40mail.gmail.com.