From c7e7b61e3418ac0bffd96b4ff215b7036e57539b Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 22 Jun 2021 10:55:36 +0200 Subject: [PATCH 1/3] Use libgit2 from "unstable" / "sid" We received reports from users no longer being able to clone Git repositories using libgit2 because of errors during the cloning attempt: `error: Failed to authenticate SSH session: Unable to extract public key from private key.` After an extensive scavenger hunt I was able to pinpoint the issue to `libssh2` being linked against `libgcrypt` instead of `openssl`. The problem with this is that the libgcrypt backend in libssh2 contains a hand written slimmed down ASN.1 parser to read out keys, while the OpenSSL backend in libssh2 uses OpenSSL, which supports a lot more formats (and more specifically, most PKCS* formats). As Debian's bullseye/testing repository has been frozen, and a backport has not been made available yet, fetching the dependency from "unstable" seems to be the best option for now, as this has `libssh2` available including OpenSSL. Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271 Signed-off-by: Hidde Beydals --- Dockerfile | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3775d2672..059a25bb3 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,12 +1,20 @@
 FROM golang:1.16-buster as builder
 # Up-to-date libgit2 dependencies are only available in
-# >=bullseye (testing).
-RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \
- && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+# unstable, as libssh2 in testing/bullseye has been linked
+# against gcrypt which causes issues with PKCS* formats.
+# Explicitly listing all build dependencies is required because
+# they can only be automagically found for AMD64 builds.
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
+RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
+ && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
 RUN set -eux; \
 apt-get update \
- && apt-get install -y libgit2-dev/testing zlib1g-dev/testing libssh2-1-dev/testing libpcre3-dev/testing \
+ && apt-get install -y \
+ libgit2-dev/unstable \
+ zlib1g-dev/unstable \
+ libssh2-1-dev/unstable \
+ libpcre3-dev/unstable \
 && apt-get clean \
 && apt-get autoremove --purge -y \
 && rm -rf /var/lib/apt/lists/*
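Review bot: Appending the `unstable` source to `/etc/apt/sources.list` without an APT pin leaves sid at the same priority as buster, so any install without an explicit `/unstable` suffix also resolves to the newest sid version. The four `-dev` packages here are qualified, but the controller stage later in this file and `.github/actions/run-tests/Dockerfile` add the same source, and the controller stage installs `ca-certificates` and `libgit2-1.1` unqualified. I would add a preferences entry before `apt-get update` (`Package: *`, `Pin: release a=unstable`, `Pin-Priority: 100`) so that only the named packages, and dependencies buster cannot satisfy, come from sid. Whether apt then resolves every dependency on its own should be checked on a non-amd64 build. Unstable is also a moving target, so two builds of the same commit can link different libgit2/libssh2 versions unless versions are pinned.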
@@ -38,12 +46,16 @@ FROM debian:buster-slim as controller LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller" # Up-to-date libgit2 dependencies are only available in -# >=bullseye (testing). -RUN echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list \ - && echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list +# unstable, as libssh2 in testing/bullseye has been linked +# against gcrypt which causes issues with PKCS* formats. +# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271 +RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \ + && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list RUN set -eux; \ apt-get update \ - && apt-get install -y ca-certificates libgit2-1.1 \ + && apt-get install -y \ + ca-certificates \ + libgit2-1.1 \ && apt-get clean \ && apt-get autoremove --purge -y \ && rm -rf /var/lib/apt/lists/* @@ -54,4 +66,4 @@ RUN groupadd controller && \ useradd --gid controller --shell /bin/sh --create-home controller USER controller -ENTRYPOINT ["source-controller"] +ENTRYPOINT [ "source-controller" ] From fdb0a0b8c1e9ddef997efae5d74cb6aaa12bd818 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 22 Jun 2021 12:25:03 +0200 Subject: [PATCH 2/3] Use Debian Slim image in GitHub action Signed-off-by: Hidde Beydals --- .github/actions/run-tests/Dockerfile | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/actions/run-tests/Dockerfile b/.github/actions/run-tests/Dockerfile index 22fd823c7..f00645101 100644 --- a/.github/actions/run-tests/Dockerfile +++ b/.github/actions/run-tests/Dockerfile 
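Review bot: The controller stage never names the library this patch is about: `libssh2-1` presumably arrives only as a dependency of `libgit2-1.1`, so whether the OpenSSL-linked build lands in the shipped image depends on how apt resolves candidates. Listing it explicitly in the install, e.g. `libssh2-1/unstable \`, would make the intent visible and would survive a later change to the source priorities. As far as the hunk shows, nothing in this stage fetches source packages, so the `deb-src` line looks unnecessary. Adding `--no-install-recommends` to `apt-get install -y` would keep extra sid packages out of the final image.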
@@ -1,13 +1,23 @@ -FROM golang:1.16-alpine +FROM golang:1.16-buster as builder -# Add any build or testing essential system packages -RUN apk add --no-cache build-base git pkgconf -RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/community libgit2-dev~=1.1 +# Up-to-date libgit2 dependencies are only available in +# unstable, as libssh2 in testing/bullseye has been linked +# against gcrypt which causes issues with PKCS* formats. +# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271 +RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \ + && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list +RUN set -eux; \ + apt-get update \ + && apt-get install -y libgit2-dev/unstable \ + && apt-get clean \ + && apt-get autoremove --purge -y \ + && rm -rf /var/lib/apt/lists/* # Use the GitHub Actions uid:gid combination for proper fs permissions -RUN addgroup -g 116 -S test && adduser -u 1001 -S -g test test +RUN groupadd -g 116 test && \ + useradd -u 1001 --gid test --shell /bin/sh --create-home test # Run as test user USER test -ENTRYPOINT ["/bin/sh", "-c"] +ENTRYPOINT [ "/bin/sh", "-c" ] From 2c63246edeb7be37448b6fc730062e2c7852dc70 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 22 Jun 2021 12:49:23 +0200 Subject: [PATCH 3/3] Change large-repo-* ref.branch to main Signed-off-by: Hidde Beydals --- config/testdata/git/large-repo.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/testdata/git/large-repo.yaml b/config/testdata/git/large-repo.yaml index b8e00619c..74dcfa935 100644 --- a/config/testdata/git/large-repo.yaml +++ b/config/testdata/git/large-repo.yaml @@ -7,7 +7,7 @@ spec: interval: 10m url: https://github.com/hashgraph/hedera-mirror-node.git ref: - branch: master + branch: main ignore: | /* !/charts 
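Review bot: The test image installs only `libgit2-dev/unstable`, while the release builder in `Dockerfile` also requests `zlib1g-dev`, `libssh2-1-dev` and `libpcre3-dev` from unstable, so the tests are not guaranteed to link the same libssh2 build as the shipped binary. Since the series exists to get the OpenSSL-backed libssh2, I would mirror the builder's list here: `libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable`. Separately, `as builder` names a stage that nothing in this hunk consumes, and the base is `golang:1.16-buster` rather than the Debian Slim image the subject line mentions. Dropping the alias or correcting the subject would avoid confusion.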
@@ -21,7 +21,7 @@ spec: interval: 10m url: https://github.com/hashgraph/hedera-mirror-node.git ref: - branch: master + branch: main ignore: | /* !/charts