
Commit daec1c8

committed
Makefile: Run release build as regular user
This fixes an issue where `make release` would fail to build the release binaries, because `go build` would fail with `error obtaining VCS status: exit status 128`. This happens because `go build` in Go v1.18 and newer is invoking `git` as part of the build process. However, due to [CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), git v2.35.2 now requires that the current git directory for most commands is owned by the user with which the `git` process is running. Because our containerized build was running as `root` inside of the container, git rightfully refused to work on a tree owned by a non-root user. This commit fixes this issue by creating a release user with the same UID/GID of the current user (assumed to be the user owning the working directory), and running `make` with the permissions of that user instead of running as root. Signed-off-by: Sebastian Wicki <[email protected]>
1 parent bf56e89 commit daec1c8

1 file changed

+7
-6
lines changed

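--- a/Makefile
+++ b/Makefile
@@ -25,10 +25,14 @@ hubble:
 $(GO_BUILD) $(if $(GO_TAGS),-tags $(GO_TAGS)) -ldflags "-w -s -X 'github.com/cilium/hubble/pkg.GitBranch=${GIT_BRANCH}' -X 'github.com/cilium/hubble/pkg.GitHash=$(GIT_HASH)' -X 'github.com/cilium/hubble/pkg.Version=${VERSION}'" -o $(TARGET)
 
 release:
-docker run --env "RELEASE_UID=$(RELEASE_UID)" --env "RELEASE_GID=$(RELEASE_GID)" --rm --workdir /hubble --volume `pwd`:/hubble docker.io/library/golang:1.18.3-alpine3.16 \
-sh -c "apk add --no-cache make git && make local-release"
+docker run --rm --workdir /hubble --volume `pwd`:/hubble docker.io/library/golang:1.18.3-alpine3.16 \
+sh -c "apk add --no-cache make git && \
+addgroup -g $(RELEASE_GID) release && \
+adduser -u $(RELEASE_UID) -D -G release release && \
+su release -c 'make local-release'"
 
 local-release: clean
+set -o errexit; \
 for OS in darwin linux windows; do \
 EXT=; \
 ARCHS=; \
@@ -52,10 +56,7 @@ local-release: clean
 (cd release && sha256sum $(TARGET)-$$OS-$$ARCH.tar.gz > $(TARGET)-$$OS-$$ARCH.tar.gz.sha256sum); \
 done; \
 rm -r release/$$OS; \
-done; \
-if [ $$(id -u) -eq 0 -a -n "$$RELEASE_UID" -a -n "$$RELEASE_GID" ]; then \
-chown -R "$$RELEASE_UID:$$RELEASE_GID" release; \
-fi
+done;
 
 install: hubble
 $(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)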
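Review bot: In the `release` recipe, `$(RELEASE_GID)` and `$(RELEASE_UID)` are now expanded by make straight into the `sh -c` string, unquoted and unchecked, whereas the removed lines handed them over with `--env` and read them as quoted shell variables. An empty or non-numeric value therefore becomes part of the command text that runs as root in the container, and a host GID that already exists in the Alpine image, or a UID of 0, would presumably make `addgroup`/`adduser` fail before the build starts. A guard as the first recipe line, for example `$(if $(and $(RELEASE_UID),$(RELEASE_GID)),,$(error RELEASE_UID and RELEASE_GID must be set))`, together with a comment stating that both must be numeric IDs not already present in the image, would make that failure explicit. Both variables are defined outside the hunk, so how they are derived cannot be checked here.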
