Fails because of no rights in private submodule #737

Closed
neumann-nico opened this issue Dec 4, 2022 · 12 comments
Labels
kind/docs kind/upstream Changes need to be made on upstream project

Comments

neumann-nico commented Dec 4, 2022

Behaviour

I am trying to build a docker image and push it to AWS ECR. Before I included the private submodule in my git repository, it worked perfectly. Now I have included a private submodule which has further public submodules, and I get the error that it has no rights to clone the submodule. Using the checkout action and providing a Personal Access Token it works fine.
I don't need the submodule for building the docker image, so I would also be fine with disabling cloning of the submodule.

Steps to reproduce this issue

  1. Run the workflow
  2. Crashes at docker/build-push-action@v3 step

Expected behaviour

Should either not clone the submodule or clone it without failing

Actual behaviour

Crashes at docker/build-push-action@v3 step and does not build and publish the image

Configuration

name: Build docker image
on: workflow_dispatch

env:
  AWS_REGION: ...

jobs:
  build:
    name: Build docker image
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - uses: aws-actions/amazon-ecr-login@v1

      # This is not necessary, but just to show how I use actions/checkout which works fine
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Build, tag, and push image to Amazon ECR
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/...:latest
          file: docker/.../Dockerfile
          platforms: linux/amd64,linux/arm64
          github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }}

Logs

#1 [internal] load git source https://github.com/[...]/[...].git#[sha]
#0 0.046 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
#0 0.106 fatal: Not a valid object name [sha]^{commit}
#1 5.366 From https://github.com/[...]/[...]
# [lists a lot of branches/tags here]

#1 5.702 Submodule '[...]/[...]' (git@github.com:[...]/[...].git) registered for path '[...]/[...]'
#1 5.706 Cloning into '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]'...
#1 6.037 Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
#1 6.209 git@github.com: Permission denied (publickey).
#1 6.209 fatal: Could not read from remote repository.
#1 6.209 
#1 6.209 Please make sure you have the correct access rights
#1 6.209 and the repository exists.
#1 6.210 fatal: clone of 'git@github.com:[...]/[...].git' into submodule path '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]' failed
#1 6.210 Failed to clone '[...]/[...]'. Retry scheduled
#1 6.212 Cloning into '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]'...
#1 6.658 git@github.com: Permission denied (publickey).
#1 6.658 fatal: Could not read from remote repository.
#1 6.658 
#1 6.658 Please make sure you have the correct access rights
#1 6.658 and the repository exists.
#1 6.659 fatal: clone of 'git@github.com:[...]/[...].git' into submodule path '/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/2/fs/[...]/[...]' failed
#1 6.660 Failed to clone '[...]/[...]' a second time, aborting
#1 ERROR: failed to update submodules for https://github.com/[...]/[...].git: exit status 1

@thaJeztah
Member

Looking at the failure, this would probably be better opened as a feature request for BuildKit; https://github.com/moby/buildkit (unless BuildKit already has an option to ignore submodules)

@crazy-max
Member

@neumann-nico Looking at the logs, an SSH-based auth is required for your submodules:

fatal: clone of 'git@github.com:[...]/[...].git'

We do support this (moby/buildkit#1782), and I think you just have to set ssh: default, but you also need to set up the SSH agent.

> Using the checkout action and providing a Personal Access Token it works fine.

That's interesting, can you show the logs of the checkout action? Maybe this action will fallback to http auth if ssh fails and therefore use the github token? Slightly related to #638 (comment).

@crazy-max
Member

We also need to document git context auth in our docs: https://docs.docker.com/build/building/context/#git-repositories

@thaJeztah
Member

@crazy-max I think the request is to skip the submodule; so currently it works if you pass credentials for git, but the request is "what if I don't need the submodule, and don't want to pass credentials"?

@neumann-nico
Author

neumann-nico commented Dec 4, 2022

Thank you for your replies!
Yes, I would be fine with disabling cloning the submodule :)

> That's interesting, can you show the logs of the checkout action? Maybe this action will fallback to http auth if ssh fails and therefore use the github token? Slightly related to #638 (comment).

I guess you are right:

Setting up auth for fetching submodules
  /usr/bin/git config --global http.https://github.com/.extraheader AUTHORIZATION: basic ***
  /usr/bin/git config --global --unset-all url.https://github.com/.insteadOf
  /usr/bin/git config --global --add url.https://github.com/.insteadOf git@github.com:
  /usr/bin/git config --global --add url.https://github.com/.insteadOf org-[...]@github.com:

Fetching submodules
  /usr/bin/git submodule sync --recursive
  /usr/bin/git -c protocol.version=2 submodule update --init --force --depth=1 --recursive
  Submodule '[...]/[...]' (git@github.com:[...]/[...].git) registered for path '[...]/[...]'
  Cloning into '/home/runner/work/[...]/[...]/[...]/[...]'...
  Submodule path '[...]/[...]': checked out '[sha]'

Persisting credentials for submodules
  /usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'url\.https\:\/\/github\.com\/\.insteadOf' && git config --local --unset-all 'url.https://github.com/.insteadOf' || :
  Entering '[...]/[...]'

   /usr/bin/git submodule foreach --recursive git config --local 'http.https://github.com/.extraheader' 'AUTHORIZATION: basic ***' && git config --local --show-origin --name-only --get-regexp remote.origin.url
  Entering '[...]/[...]'

  /usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' 'git@github.com:'
  Entering '[...]/[...]'

   /usr/bin/git submodule foreach --recursive git config --local --add 'url.https://github.com/.insteadOf' 'org-[...]@github.com:'
  Entering '[...]/[...]'

@crazy-max
Member

  /usr/bin/git config --global --add url.https://github.com/.insteadOf git@github.com:
  /usr/bin/git config --global --add url.https://github.com/.insteadOf org-[...]@github.com:

Looks like this is what we need in BuildKit. cc @tonistiigi

crazy-max added the kind/upstream (Changes need to be made on upstream project) label Dec 4, 2022

@kalanyuz

I'm experiencing the exact same issue @crazy-max. However, I do need submodules for the build and cannot use ssh key. Is there a workaround for this?

@keleutos2022

I am also experiencing the same

@crazy-max
Member

@kalanyuz @keleutos2022 While waiting for #737 (comment) to be implemented on buildkit you can use the checkout action and path context as shown here: https://github.com/docker/build-push-action#path-context

@keleutos2022

Thank you

@cardoe

cardoe commented Feb 21, 2023

So worth noting that just following the process of the actions/checkout module to use https with the token isn't going to be the silver bullet. That will only work for submodules where that actor has access to that repo via https. There's cases where submodules are only accessible via GitHub deploy keys (which are ssh keys). There's also cases where a submodule could be hosted at a GitHub Enterprise server and this won't work. e.g. actions/checkout#934
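
An added example (not from the thread and not code from actions/checkout or BuildKit) showing what the insteadOf rule from the checkout log does to submodule URLs, and why a submodule on a host other than github.com is left on SSH, as the comment above points out. The .gitmodules content, the org/repo names and the ghe.example.com host are constructed placeholders; nothing is fetched over the network.

```shell
#!/bin/sh
# Constructed .gitmodules text: one private github.com submodule over SSH,
# one on a (placeholder) GitHub Enterprise host, one public over HTTPS.
GITMODULES='[submodule "libs/private"]
	path = libs/private
	url = git@github.com:example-org/private-lib.git
[submodule "libs/ghe"]
	path = libs/ghe
	url = git@ghe.example.com:example-org/internal.git
[submodule "libs/public"]
	path = libs/public
	url = https://github.com/example-org/public-lib.git
'

rewrite_url() {
    # Print the URL git would actually contact for $1 when the rule seen in
    # the checkout log is active. --get-url only expands the URL; it does not
    # talk to the remote. The env vars keep the caller's own git config out.
    GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null HOME=/nonexistent \
    git -c "url.https://github.com/.insteadOf=git@github.com:" \
        ls-remote --get-url "$1"
}

audit_submodules() {
    # $1 = .gitmodules text. For each submodule URL, print the credential
    # type the clone will depend on, followed by the effective URL.
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' |
    while IFS= read -r url; do
        effective=$(rewrite_url "$url")
        case "$effective" in
            https://*) echo "https-token $effective" ;;
            *)         echo "ssh-key $effective" ;;
        esac
    done
}

audit_submodules "$GITMODULES"
```

Submodules reported as `ssh-key` still need a key or agent available to whatever performs the clone; the HTTPS rewrite only covers URLs that match the rule's prefix.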

@crazy-max
Member

> We also need to document git context auth in our docs: https://docs.docker.com/build/building/context/#git-repositories

This is now documented: https://docs.docker.com/build/building/context/#private-repositories

For #737 (comment), will follow-up on BuildKit repo. Closing in the meantime.
