[PATCH 1/1] container-entrypoint: add custom git path to safedirs


Felix Moessbauer

Nov 7, 2025, 3:56:19 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, herbert....@siemens.com, Felix Moessbauer
The git clone path can also be controlled with the GIT_CLONE_PATH
environment variable. While this is ignored by kas (as the clone
is executed in a cleaned environment), it can happen when cloning the
main repository (the one kas then is run from). As the GitLab CI passes
the environment variables directly to the container invocation, the
GitLab CI cloning of the main repository already uses them, which fails
if the path is not added to the safedirs.

We now account for this special case.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
container-entrypoint | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/container-entrypoint b/container-entrypoint
index 8cf364540..128001e22 100755
--- a/container-entrypoint
+++ b/container-entrypoint
@@ -64,6 +64,10 @@ if [ -z "$USER_ID" ] && [ -n "$CI_PROJECT_DIR" ]; then
# with our builder user. We handle that internally in kas, but we
# need the exception here as well for git calls outside of kas.
sudo git config --system safe.directory "$CI_PROJECT_DIR"
+ # Account for externally specified git clone path
+ if [ -n "$GIT_CLONE_PATH" ]; then
+ sudo git config --system --add safe.directory "$GIT_CLONE_PATH"
+ fi
fi
if [ -z "$USER_ID" ] || [ "$USER_ID" = 0 ]; then
# Not a kas-container call, or we shall run everything as root
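Review bot: the added `sudo git config --system --add safe.directory "$GIT_CLONE_PATH"` takes its value straight from the environment and writes it to the system-wide config without checking its form. git treats a `safe.directory` value of `*` as switching the ownership check off for every repository, so it is worth accepting only an absolute path here, for example by extending the test to `[ -n "$GIT_CLONE_PATH" ] && [ "${GIT_CLONE_PATH#/}" != "$GIT_CLONE_PATH" ]`, and skipping the entry when it equals `$CI_PROJECT_DIR`.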
--
2.51.0

Jan Kiszka

Nov 7, 2025, 8:52:32 AM
to Felix Moessbauer, kas-...@googlegroups.com, herbert....@siemens.com
On 07.11.25 09:55, Felix Moessbauer wrote:
> The git clone path can also be controlled with the GIT_CLONE_PATH
> environment variable. While this is ignored by kas (as the clone
> is executed in a cleaned environment), it can happen when cloning the
> main repository (the one kas then is run from). As the GitLab CI passes
> the environment variables directly to the container invocation, the
> GitLab CI cloning of the main repository already uses them, which fails
> if the path is not added to the safedirs.
>
> We now account for this special case.
>
> Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
> ---
> container-entrypoint | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/container-entrypoint b/container-entrypoint
> index 8cf364540..128001e22 100755
> --- a/container-entrypoint
> +++ b/container-entrypoint
> @@ -64,6 +64,10 @@ if [ -z "$USER_ID" ] && [ -n "$CI_PROJECT_DIR" ]; then
> # with our builder user. We handle that internally in kas, but we
> # need the exception here as well for git calls outside of kas.
> sudo git config --system safe.directory "$CI_PROJECT_DIR"

I've added a blank line here.

> + # Account for externally specified git clone path
> + if [ -n "$GIT_CLONE_PATH" ]; then
> + sudo git config --system --add safe.directory "$GIT_CLONE_PATH"
> + fi
> fi
> if [ -z "$USER_ID" ] || [ "$USER_ID" = 0 ]; then
> # Not a kas-container call, or we shall run everything as root
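Review bot: the context line above the addition still sets `safe.directory` without `--add`, while the new line uses `--add`, so after this block the system config can hold two values for the key. A plain `git config --system safe.directory "$CI_PROJECT_DIR"` refuses to overwrite a key that already has multiple values, so if the entrypoint is ever run again against the same system config that first call would fail. Using `--add` (or `--replace-all`) on the first call as well would keep the two lines consistent.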

Thanks, applied.

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center