-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gitea post-receive hook not working with docker image 1.17-rc1 #20103
Comments
Among the things affected, authorization control (for users that have read access but no write access) is also broken; a user did push into a repository he should not have access to (the pre-receive hook didn't stop him). |
What docker / runc / kernel version are you running? Interestingly, #18050 added a safeguard against this which doesn't seem to work in your case. Either way, the |
Here they are:
Since I'm based on Debian 10, I can't really update them individually; however, also since I'm based on Debian 10 which is due for an OS update, I'll just do that and see if it fixes the issue (it should, as the issue you've linked is most likely the culprit). Still, Regarding the safeguard, it won't work in this case because running Also, thanks, this stumbled us for quite a bit; having an "easy" way out of this trouble is great :) |
Please see notes for alpine which conflict with the version of docker you are using https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0 specifically the |
Yes, got it. Updating the environment outside docker fixed it. I think all that remains here is to modify the safeguard so that other won't fall into this pitfall. Thanks again. |
If only modifying the safeguard were so simple. We've been aware of the problem for a while, Gitlab has also been affected and unfortunately it seems the only solution is to tell people to upgrade their Docker. (https://about.gitlab.com/blog/2021/08/26/its-time-to-upgrade-docker-engine/) See #18050 where we upgraded alpine. In the blog post for 1.17 we will add a specific BREAKING notice. If you are willing to find and write a PR that will detect the correct version we'll be happy to consider a PR. Otherwise I'm going to close this as a duplicate of #16428, #16451, #16170, #16464, & #16484 amongst others |
Thinking about it, I fear that "improving" the safeguard might not be enough to avoid other potential issues. Best case scenario it would detect if bash specifically fails (something like I could write something that provides the basis of testing docker (if applicable) and kernel versions so that minimum could be enforced, but I'm not sure I'd have time to thoroughly check this through. Maybe depending on sysadmin doing their due diligences with updates (which I clearly did not, sorry about that) would be a better bet after all. |
I also got bitten by this one. And the safeguard indeed does not catch it unfortunately.
Would it make sense to change these hooks to use "/usr/bin/test" instead of "test"? |
Or to avoid depending on the /usr/bin/test location: |
Failures will almost certainly occur elsewhere as anything that calls faccessat2 will fail. Alpine 3.14+ is fundamentally broken on Docker < 20.10.6 because of this. The Alpine 3.14 release notes state: faccessat2Use of the faccessat2 syscall has been enabled in musl. Due to runc issue 2151, new system calls incorrectly returned
Note also that when using nested Docker, every layer must meet one of the above requirements, since if any layer improperly denies the use of faccessat2, Alpine Linux 3.14 will not function correctly. We could use /usr/bin/test which will probably work until that is updated to use faccessat2, we could write some code in go that would detect that faccessat2 is reporting incorrectly but fundamentally people just need to upgrade. |
Description
When pushing new commits to gitea, the hooks are not triggered. This (among other things) does not create references between issues and commits, and we can't close issues with commit messages.
After investigating, it comes down to the
test -x
command exiting with a status of 1 despite the hook scripts being available and executable.This issue only happens when using the built-in "test" command from bash. Running
/usr/bin/test -x <file>
returns the expected result. This seems to only happen in the docker image (current latest is1.17-rc1
)Here's the things I tested (from a git repository in gitea, using
docker exec
:I added the "echo" to check, and indeed when pushing I do get "TEST BEFORE", but not "TEST AFTER".
I have no idea what causes this behavior, exclusively in bash, exclusively in docker, but replacing "test" with "/usr/bin/test" do fix the issue (hooks run and tickets are referenced correctly, among other things).
Unfortunately I do not know where I could live-edit the container to update all repositories hook at once, which could be a temporary fix too.
Gitea Version
1.17-rc1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
We run gitea through docker, using docker-compose as suggested in the doc and using the "official" gitea images on docker hub.
Database
PostgreSQL
The text was updated successfully, but these errors were encountered: