5

I am facing this issue during try to deploy script with gitlab ci/cd:

Initialized empty Git repository in C:/builds/Tri.BuiV/test-gitlab-cicd/.git/
fatal: detected dubious ownership in repository at 'C:/builds/Tri.BuiV/test-gitlab-cicd'
'C:/builds/Tri.BuiV/test-gitlab-cicd' is owned by:
    'S-1-5-83-1-1989435290-1148643240-1709935003-3943614564'
but the current user is:
    'S-1-5-93-2-1'
To add an exception for this directory, call:
    git config --global --add safe.directory C:/builds/Tri.BuiV/test-gitlab-cicd

I tried:

git config --global --add safe.directory C:/builds/Tri.BuiV/test-gitlab-cicd

But the same error, why?

enter image description here

I tried:

git config --global --add safe.directory C:/builds/Tri.BuiV/test-gitlab-cicd

But get the same issue.

hoefling
  • 59,418
  • 12
  • 147
  • 194
Bùi Văn Trí
  • 55
  • 1
  • 4

3 Answers3

7

A great workaround has been posted on the GitLab forums here. It's to add the following git related environment variables to the config.toml of the affected runner:

[[runners]]
  environment = ["GIT_CONFIG_COUNT=1", "GIT_CONFIG_KEY_0=safe.directory", "GIT_CONFIG_VALUE_0=*"]

This worked for me.

fig
  • 732
  • 1
  • 8
  • 14
  • 1
    Seems to be the most consistent solution. Had issue with submodules and kas, only able to fix that through this solution. – Paiusco Aug 08 '23 at 09:16
4

If the error persists, it probably means your git config --global (which impacts %USERPROFILE%\.gitconfig) does not use the same account as the one running your GitLab CI/CD.

If GitLab runs with a different account, it might try to access a folder initially created by you.
The GitLab pipeline itself would need to include:

git config --global --add safe.directory $CI_PROJECT_DIR

This I what is being automatically added for GitLab 15.8 in MR 3538.

The solstice333 points out in the comments to gitlab-org/gitlab-runner issue 29022, where Kevin Navero explains:

I found a workaround for my case.

To clarify my environment a bit more, I'm using docker-windows executors/runners with powershell on windows-server.
Forget what I mentioned earlier about suspecting git config being run under a different container than git clone/fetch. I do not believe that is accurate anymore.

Gitlab-runner 14.10.1 works for me, so I rolled back to that.

As a result, somehow the "dubious owner" error is pushed to a later point in runtime, within the main .gitlab-ci.yml build script.
This allows me to do git config --global --add safe.directory ... in the pre_build_script, as opposed to any of the other pre_* scripts. I have no idea where or what containers the other pre_* scripts run in.

AFAIK, this version of gitlab-runner does not support the --docker-isolation argument nor does it recognize runners[i].docker.isolation = "hyperv".
The alternative solution to achieve this is to edit the docker daemon json configuration, located in either %userprofile%\.docker\windows-daemon.json or %programdata%\docker\config\daemon.json.
The entry to add is "exec-opts":["isolation=hyperv"].
isolation=hyperv is needed to provision CPUs and memory. Request to provision CPUs and memory is ignored otherwise (in process isolation).
Of course, without provisioning a subset of resources per docker-windows executor, the concern is that multiple docker containers can be spawned on a single host, with too many processes that overwhelm the host with excessive context-switching.

In config.toml, I added the following:

[[runners]]
  ...
  pre_build_script = """
$CI_PROJECT_POSIX_PATH = python -c "from pathlib import Path; >print(Path(r'$CI_PROJECT_DIR').resolve().as_posix())"
echo "> git config --global --add safe.directory >$CI_PROJECT_POSIX_PATH"
git config --global --add safe.directory $CI_PROJECT_POSIX_PATH
"""
  ...

Python3.11 is conveniently baked into the docker image that's specified in the .gitlab-ci.yml for the main build script to run in.$CI_PROJECT_DIR is something like c:\builds\nextest-eng\usa\magnum, all in lowercase.
The "dubious owner" error message from Git suggests doing git config --global --add safe.directory C:/builds/nextest-eng/usa/magnum, and it turns out that this is case-sensitive, even on Windows (I am dumb for overlooking this since git-for-windows is case-sensitive for tracked paths).

Python is used to automate the mapping of $CI_PROJECT_DIR to the exact case-sensitive path, with posix separators, that git-config suggests to use.
In this is example, $CI_PROJECT_POSIX_PATH results in C:/builds/nextest-eng/usa/magnum.
For hours, I was setting c:/builds/nextest-eng/usa/magnum as my safe.directory which was being ignored as a non-matching dirpath b.c. the drive letter was incorrectly lowercase.

This might work for gitlab-runner 15.10 with the non-deprecated pre_get_sources_script hook instead (or the deprecated pre_clone_script), but if it does not use the .gitlab-ci.yml specified image and uses the gitlab-runner-helper instead, then python will not be found and it will fail.
In the interest of time and b.c. gitlab-runner 15.10 does not offer any additional gain that I need right now, I am going to stick with gitlab-runner 14.10.1.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Visiting that MR eventually led me into https://gitlab.com/gitlab-org/gitlab/-/issues/368133#note_1032528491 which led me into details about putting the git-config in the `pre_build_script` discussed in https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section. – solstice333 Apr 13 '23 at 23:31
  • seems like I have to put it at the `pre_get_sources_script` actually... – solstice333 Apr 14 '23 at 00:12
  • hm, well, this did not work for me. I'm shook. I verified that the script is running in the build log prior to fetching the changes and reinit of an existing repo. The `git config --global --add safe.directory ...` command I'm running is equivalent to the one suggested by git in the fatal dubious owner error message. I verified my runner's config.toml once more. Could be that gitlab is transitioning from one docker container to another between running the hook and reinit of existing repo from a mounted volume. I give up. I am going to contact gitlab emergency support. – solstice333 Apr 14 '23 at 06:11
  • @solstice333 OK, don't hesitate to comment here when GitLab support will have answered something conclusive for you. – VonC Apr 14 '23 at 14:33
  • https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29022#note_1353878800 – solstice333 Apr 18 '23 at 05:47
  • 1
    @solstice333 Thank you for your comment. I have included your reference in the answer for more visibility. – VonC Apr 18 '23 at 06:11
0

I had this as well when using an image from mcr.microsoft.com/windows/servercore:ltsc2016 as the executor, but it turned out the reason it was failing was because I was pre-creating the builds folder in the Dockerfile:

RUN mkdir C:\builds\my_repo
WORKDIR C:\builds\my_repo

When I removed this from the Dockerfile, the git dubious ownership error went away.

(The reason I was creating this folder was because I was using the build container in local testing, and wanted the exact same path setup to be present, so I needed the folder locally too. In future I'll create it manually though.)

fig
  • 732
  • 1
  • 8
  • 14
  • FYI I'm still getting the owenership error with a nanoserver build image. I note that the error in that case is appearing earlier in the build. I.e. the nanoserver build doesn't have the build folder pre-created, but fails at the first "Preparing the docker-windows executor" stage, while the servercore was failing at the later "Getting source from Git repository" stage. Will update if I manage to fix this... – fig Apr 25 '23 at 08:54