a310aa8fef
Upgrading kamal from `v1.8.3` to `v1.9.0` broke my [kamal playground](https://labs.iximiuz.com/playgrounds/kamal): ``` laborant@dev-machine:~/svc-a$ kamal setup INFO [34d0def6] Running /usr/bin/env mkdir -p .kamal on 172.16.0.3 INFO [c34cf833] Running /usr/bin/env mkdir -p .kamal on 172.16.0.4 INFO [34d0def6] Finished in 0.147 seconds with exit status 0 (successful). INFO [c34cf833] Finished in 0.204 seconds with exit status 0 (successful). Acquiring the deploy lock... Ensure Docker is installed... INFO [413ee426] Running docker -v on 172.16.0.4 INFO [f1acacba] Running docker -v on 172.16.0.3 INFO [413ee426] Finished in 0.036 seconds with exit status 0 (successful). INFO [f1acacba] Finished in 0.076 seconds with exit status 0 (successful). Log into image registry... INFO [94cff492] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on localhost INFO [94cff492] Finished in 0.077 seconds with exit status 0 (successful). INFO [605c535f] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on 172.16.0.4 INFO [6002b598] Running docker login registry.iximiuz.com -u [REDACTED] -p [REDACTED] on 172.16.0.3 INFO [605c535f] Finished in 0.083 seconds with exit status 0 (successful). INFO [6002b598] Finished in 0.083 seconds with exit status 0 (successful). Build and push app image... INFO [9d172b1e] Running docker --version && docker buildx version on localhost INFO [9d172b1e] Finished in 0.059 seconds with exit status 0 (successful). INFO Cloning repo into build directory `/tmp/kamal-clones/svc-a-2f65914456263/workdir/`... INFO [26fb1bd3] Running /usr/bin/env git -C /tmp/kamal-clones/svc-a-2f65914456263 clone /workdir --recurse-submodules on localhost ERROR Error preparing clone: Failed to clone repo: git exit status: 32768 git stdout: Nothing written git stderr: Cloning into 'workdir'... fatal: detected dubious ownership in repository at '/workdir/.git' To add an exception for this directory, call: git config --global --add safe.directory /workdir/.git fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. , deleting and retrying... INFO Cloning repo into build directory `/tmp/kamal-clones/svc-a-2f65914456263/workdir/`... INFO [fd4aac0c] Running /usr/bin/env git -C /tmp/kamal-clones/svc-a-2f65914456263 clone /workdir --recurse-submodules on localhost Finished all in 0.3 seconds Releasing the deploy lock... Finished all in 0.6 seconds ERROR (SSHKit::Command::Failed): git exit status: 32768 git stdout: Nothing written git stderr: Cloning into 'workdir'... fatal: detected dubious ownership in repository at '/workdir/.git' To add an exception for this directory, call: git config --global --add safe.directory /workdir/.git fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. laborant@dev-machine:~/svc-a$ kamal version 2.0.0 ``` I checked the [v1.8.3...v1.9.0](https://github.com/basecamp/kamal/compare/v1.8.3...v1.9.0) diff, and couldn't find anything even remotely related to the above error. Then I checked the `git` versions in kamal `v1.8.3` and `v1.9.0` images: ``` docker run -it --rm --entrypoint sh ghcr.io/basecamp/kamal:v1.8.3 /workdir # git --version git version 2.38.5 ``` vs. ``` docker run -it --rm --entrypoint sh ghcr.io/basecamp/kamal:v2.0.0 /workdir # git --version git version 2.39.5 ``` Apparently, something changed in between `2.38.5` and `2.39.5` git releases (likely yet another CVE fix), and the `git config --global --add safe.directory /workdir` stopped working. Here is the mitigation I currently use, but it's a bit awkward to do it: ``` docker build -t ghcr.io/basecamp/kamal:v2.0.0 - <<EOF FROM ghcr.io/basecamp/kamal:v2.0.0 RUN git config --global --add safe.directory /workdir/.git EOF ``` Hence, this PR. To repro, you can start a [kamal playground](https://labs.iximiuz.com/playgrounds/kamal), then `docker pull ghcr.io/basecamp/kamal:v2.0.0` to override my patched image, and `cd svc-a && kamal setup`.
41 lines
1.3 KiB
Docker
41 lines
1.3 KiB
Docker
# Use the official Ruby 3.2.0 Alpine image as the base image
|
|
FROM ruby:3.2.0-alpine
|
|
|
|
# Install docker/buildx-bin
|
|
COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
|
|
|
|
# Set the working directory to /kamal
|
|
WORKDIR /kamal
|
|
|
|
# Copy the Gemfile, Gemfile.lock into the container
|
|
COPY Gemfile Gemfile.lock kamal.gemspec ./
|
|
|
|
# Required in kamal.gemspec
|
|
COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
|
|
|
|
# Install system dependencies
|
|
RUN apk add --no-cache build-base git docker openrc openssh-client-default \
|
|
&& rc-update add docker boot \
|
|
&& gem install bundler --version=2.4.3 \
|
|
&& bundle install
|
|
|
|
# Copy the rest of our application code into the container.
|
|
# We do this after bundle install, to avoid having to run bundle
|
|
# every time we do small fixes in the source code.
|
|
COPY . .
|
|
|
|
# Install the gem locally from the project folder
|
|
RUN gem build kamal.gemspec && \
|
|
gem install ./kamal-*.gem --no-document
|
|
|
|
# Set the working directory to /workdir
|
|
WORKDIR /workdir
|
|
|
|
# Tell git it's safe to access /workdir/.git even if
|
|
# the directory is owned by a different user
|
|
RUN git config --global --add safe.directory /workdir/.git
|
|
|
|
# Set the entrypoint to run the installed binary in /workdir
|
|
# Example: docker run -it -v "$PWD:/workdir" kamal init
|
|
ENTRYPOINT ["kamal"]
|