Allow access from container users to git directories

Signed-off-by: heanlan <hanlan@vmware.com>
antrea-io · May 18, 2023 · 40e7d4d · 40e7d4d
1 parent e4d8ccf
commit 40e7d4d
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 8 deletions.
diff --git a/build/images/codegen/Dockerfile b/build/images/codegen/Dockerfile
@@ -54,3 +54,6 @@ RUN go install k8s.io/code-generator/cmd/client-gen@kubernetes-$K8S_VERSION && \
 COPY --from=protoc /tmp/protoc/bin /usr/local/bin
 COPY --from=protoc /tmp/protoc/include /usr/local/include
 
+# workaround for safe directory issue on github actions
+# ref: https://github.com/actions/runner-images/issues/6775
+RUN git config --global --add safe.directory /go/src/antrea.io/antrea
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
@@ -20,14 +20,24 @@ set -o pipefail
 ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
 IMAGE_NAME="antrea/codegen:kubernetes-1.26.4"
 
+# Recent versions of Git will not access .git directories which are owned by
+# another user (as a security measure), unless the directories are explicitly
+# added to a "safe" list in the Git config. When we run the Docker container,
+# the Antrea source directory may be owned (depends on the Docker platform)
+# by a user which is different from the container user (as the source directory
+# is mounted from the host). If this is the case, the Git program inside the
+# container will refuse to run. This is why we explicitly add the Antrea source
+# directory to the list of "safe" directories. We are still looking into the
+# possibility of running the Docker container as the "current host user".
 function docker_run() {
   docker pull ${IMAGE_NAME}
   set -x
+  ANTREA_PATH="/go/src/antrea.io/antrea"
   docker run --rm \
 		-e GOPROXY=${GOPROXY} \
-		-w /go/src/antrea.io/antrea \
-		-v ${ANTREA_ROOT}:/go/src/antrea.io/antrea \
-		"${IMAGE_NAME}" "$@"
+		-w ${ANTREA_PATH} \
+		-v ${ANTREA_ROOT}:${ANTREA_PATH} \
+		"${IMAGE_NAME}" bash -c "git config --global --add safe.directory ${ANTREA_PATH} && $@"
 }
 
 docker_run hack/update-codegen-dockerized.sh "$@"
diff --git a/multicluster/hack/update-codegen.sh b/multicluster/hack/update-codegen.sh
@@ -17,17 +17,27 @@
 set -o errexit
 set -o pipefail
 
-ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../" && pwd )"
+ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
 IMAGE_NAME="antrea/codegen:kubernetes-1.26.4"
 
+# Recent versions of Git will not access .git directories which are owned by
+# another user (as a security measure), unless the directories are explicitly
+# added to a "safe" list in the Git config. When we run the Docker container,
+# the Antrea source directory may be owned (depends on the Docker platform)
+# by a user which is different from the container user (as the source directory
+# is mounted from the host). If this is the case, the Git program inside the
+# container will refuse to run. This is why we explicitly add the Antrea source
+# directory to the list of "safe" directories. We are still looking into the
+# possibility of running the Docker container as the "current host user".
 function docker_run() {
   docker pull ${IMAGE_NAME}
   set -x
+  ANTREA_PATH="/go/src/antrea.io/antrea"
   docker run --rm \
 		-e GOPROXY=${GOPROXY} \
-		-w /go/src/antrea.io/antrea \
-		-v ${ANTREA_ROOT}:/go/src/antrea.io/antrea \
-		"${IMAGE_NAME}" "$@"
+		-w ${ANTREA_PATH} \
+		-v ${ANTREA_ROOT}:${ANTREA_PATH} \
+		"${IMAGE_NAME}" bash -c "git config --global --add safe.directory ${ANTREA_PATH} && $@"
 }
 
-docker_run multicluster/hack/update-codegen-dockerized.sh $@
+docker_run hack/update-codegen-dockerized.sh "$@"