From 40e7d4d98c64a8ec98193de7f75cc31664ac5b41 Mon Sep 17 00:00:00 2001
From: heanlan
Date: Wed, 17 May 2023 19:35:23 -0400
Subject: [PATCH] Allow access from container users to git directories

Signed-off-by: heanlan
---
 build/images/codegen/Dockerfile | 3 +++
 hack/update-codegen.sh | 16 +++++++++++++---
 multicluster/hack/update-codegen.sh | 20 +++++++++++++++-----
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/build/images/codegen/Dockerfile b/build/images/codegen/Dockerfile
index ce5a8617acb..ed5f0b3cfc4 100644
--- a/build/images/codegen/Dockerfile
+++ b/build/images/codegen/Dockerfile
@@ -54,3 +54,6 @@ RUN go install k8s.io/code-generator/cmd/client-gen@kubernetes-$K8S_VERSION && \
 COPY --from=protoc /tmp/protoc/bin /usr/local/bin
 COPY --from=protoc /tmp/protoc/include /usr/local/include
+# workaround for safe directory issue on github actions
+# ref: https://github.com/actions/runner-images/issues/6775
+RUN git config --global --add safe.directory /go/src/antrea.io/antrea
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 90e8119d1b3..807dd7638fa 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
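Review bot: The added `RUN git config --global --add safe.directory /go/src/antrea.io/antrea` writes to the per-user config of whichever user runs the build step (presumably root's `~/.gitconfig`), so it is silently ignored if the image is later run with `--user`, which the scripts in this same commit mention as a possible follow-up. If the intent is an image-wide allow-list entry, `RUN git config --system --add safe.directory /go/src/antrea.io/antrea` applies regardless of the container user. The entry is correctly scoped to the single mount path rather than `*`, which keeps Git's ownership check effective for any other repository inside the container; the comment could say so, e.g. `# scoped to the mounted source tree only; do not widen to '*'`. Note that both shell scripts in this commit add the same entry again at runtime, so one of the two mechanisms is redundant whenever the container runs as the build user.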
@@ -20,14 +20,24 @@ set -o pipefail
 ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
 IMAGE_NAME="antrea/codegen:kubernetes-1.26.4"
+# Recent versions of Git will not access .git directories which are owned by
+# another user (as a security measure), unless the directories are explicitly
+# added to a "safe" list in the Git config. When we run the Docker container,
+# the Antrea source directory may be owned (depends on the Docker platform)
+# by a user which is different from the container user (as the source directory
+# is mounted from the host). If this is the case, the Git program inside the
+# container will refuse to run. This is why we explicitly add the Antrea source
+# directory to the list of "safe" directories. We are still looking into the
+# possibility of running the Docker container as the "current host user".
 function docker_run() {
 docker pull ${IMAGE_NAME}
 set -x
+ ANTREA_PATH="/go/src/antrea.io/antrea"
 docker run --rm \
 -e GOPROXY=${GOPROXY} \
- -w /go/src/antrea.io/antrea \
- -v ${ANTREA_ROOT}:/go/src/antrea.io/antrea \
- "${IMAGE_NAME}" "$@"
+ -w ${ANTREA_PATH} \
+ -v ${ANTREA_ROOT}:${ANTREA_PATH} \
+ "${IMAGE_NAME}" bash -c "git config --global --add safe.directory ${ANTREA_PATH} && $@"
 }
 docker_run hack/update-codegen-dockerized.sh "$@"
diff --git a/multicluster/hack/update-codegen.sh b/multicluster/hack/update-codegen.sh
index 96fef8458c7..e79320508c5 100755
--- a/multicluster/hack/update-codegen.sh
+++ b/multicluster/hack/update-codegen.sh
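Review bot: On the new `"${IMAGE_NAME}" bash -c "git config --global --add safe.directory ${ANTREA_PATH} && $@"` line, `$@` is interpolated into a double-quoted command string, which changes how arguments are forwarded: when `docker_run` receives more than one argument, only the first ends up inside the `-c` string and the remaining ones become `$0`, `$1`, … of the inner bash, which the string never references, so they are dropped; the original `"${IMAGE_NAME}" "$@"` forwarded all of them. It also means every argument is re-parsed by the inner shell, so a value containing spaces or shell metacharacters is split or interpreted instead of being passed through as one word. Passing the arguments positionally keeps them out of the parsed string: `"${IMAGE_NAME}" bash -c 'git config --global --add safe.directory "$1" && shift && exec "$@"' bash "${ANTREA_PATH}" "$@"`. `ANTREA_PATH` is also assigned without `local` inside the function and so leaks into the script's global scope; `local -r ANTREA_PATH="/go/src/antrea.io/antrea"` would avoid that. The same lines appear in the multicluster/hack/update-codegen.sh hunk.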
@@ -17,17 +17,27 @@ set -o errexit
 set -o pipefail
-ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../" && pwd )"
+ANTREA_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
 IMAGE_NAME="antrea/codegen:kubernetes-1.26.4"
+# Recent versions of Git will not access .git directories which are owned by
+# another user (as a security measure), unless the directories are explicitly
+# added to a "safe" list in the Git config. When we run the Docker container,
+# the Antrea source directory may be owned (depends on the Docker platform)
+# by a user which is different from the container user (as the source directory
+# is mounted from the host). If this is the case, the Git program inside the
+# container will refuse to run. This is why we explicitly add the Antrea source
+# directory to the list of "safe" directories. We are still looking into the
+# possibility of running the Docker container as the "current host user".
 function docker_run() {
 docker pull ${IMAGE_NAME}
 set -x
+ ANTREA_PATH="/go/src/antrea.io/antrea"
 docker run --rm \
 -e GOPROXY=${GOPROXY} \
- -w /go/src/antrea.io/antrea \
- -v ${ANTREA_ROOT}:/go/src/antrea.io/antrea \
- "${IMAGE_NAME}" "$@"
+ -w ${ANTREA_PATH} \
+ -v ${ANTREA_ROOT}:${ANTREA_PATH} \
+ "${IMAGE_NAME}" bash -c "git config --global --add safe.directory ${ANTREA_PATH} && $@"
 }
-docker_run multicluster/hack/update-codegen-dockerized.sh $@
+docker_run hack/update-codegen-dockerized.sh "$@"
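Review bot: The `ANTREA_ROOT` change from `../../` to `../` makes the mounted tree the `multicluster/` directory rather than the repository root, which matches the invocation change to `hack/update-codegen-dockerized.sh` but also means the repository's `.git` directory is presumably no longer inside the mount; the `safe.directory` entry added on the `bash -c` line then has nothing to cover, and any git invocation in the dockerized script would fail with a "not a git repository" error rather than the ownership error the comment block describes — worth confirming against multicluster/hack/update-codegen-dockerized.sh. If git is not needed there, the nine-line comment and the `git config` wrapper could be dropped from this script so the code does not imply a safeguard that is not in effect; if it is needed, the mount root or the safe.directory path needs to point at the directory that actually holds `.git`. The `$@`-inside-`-c`-string argument forwarding issue is the same as in hack/update-codegen.sh and is not repeated here.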