Commit Graph

28 Commits

Author SHA1 Message Date
Roland Dobai
e26de66065 Merge branch 'contrib/github_pr_12637_v5.1' into 'release/v5.1'
Dockerfile with variable depth parameter (GitHub PR) (v5.1)

See merge request espressif/esp-idf!27830
2023-12-11 23:09:50 +08:00
timoxd7
b2250f31b9 feat(docker): Add Dockerfile argument for variable clone depth
Closes https://github.com/espressif/esp-idf/pull/12637
2023-12-11 09:03:46 +01:00
Ivan Grokhotkov
850bf2b156 feat(tools): update qemu to esp-develop-8.1.3-20231206
https://github.com/espressif/qemu/releases/tag/esp-develop-8.1.3-20231206
2023-12-11 10:35:35 +07:00
Frantisek Hrbata
99f9dd4c07 feat(docker): allow to add paths into git's safe.directory
With 8959555cee7e[1] ("setup_git_directory(): add an owner check for the top..")
git added an ownership check of the git directory and refuses to
run any git commands, even parsing the config file, if the git directory
is not owned by the current user. The "fatal: detected dubious ownership in repository"
error is reported.

This fixes CVE-2022-24765[2], which allows compromising a user account. On a
multi-user system or e.g. on a shared file system, one user may create a "rogue"
git repository with e.g. core.fsmonitor set to an arbitrary command. Another user
may unwillingly execute this command by running e.g. git-diff or
git-status within the "rogue" git repository, which may be in one of the parent
directories. If e.g. PS1 is set to display information about a git
repository in CWD, as suggested in Git in Bash[3], the user does not need to run
any git command to trigger this; just entering some subdirectory under
this "rogue" git repository is enough, because the git command will be
started transparently through the script used in PS1. The core.fsmonitor
can be set to an arbitrary command. Its purpose is to help git identify changed files
and speed up the scanning for changed files.

rogue
├── .git     # owned by user1
└── dir1     # owned by user2
    ├── dir2 # owned by user2
    └── .git # owned by user2

user1 sets core.fsmonitor for the git repository in the rogue directory
$ git config --add core.fsmonitor "bash -c 'rm -rf \$HOME'"

user2 enters dir1 and runs e.g. git diff and triggers the core.fsmonitor command.

The ownership check may cause problems when running git commands in the
ESP-IDF Docker container. For example, the user may run the container as
root, but the mounted project may be owned by a particular user.

In this case git will refuse to execute any git command within the
"/project" directory, because it's not owned by root. To overcome this,
git allows setting safe.directories, for which the ownership check is
skipped. The security check may be completely disabled by setting
safe.directories to "*". This solution was proposed in PR 12636[4], but
it would make it possible to exploit this vulnerability again.

This fix allows the user to specify git's safe.directory in the IDF_GIT_SAFE_DIR
environment variable, which may be set during container startup.

The IDF_GIT_SAFE_DIR has the same format as PATH and multiple directories can be
specified by using a ":" separator. To entirely disable this git security check
within the container, the user may set IDF_GIT_SAFE_DIR='*'. This might be
helpful in CI.

Closes https://github.com/espressif/esp-idf/pull/12636

[1] - 8959555cee
[2] - https://nvd.nist.gov/vuln/detail/cve-2022-24765
[3] - https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
[4] - https://github.com/espressif/esp-idf/pull/12636

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-01 08:23:16 +01:00
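The IDF_GIT_SAFE_DIR format described in the commit above, as an added shell example that is not the commit's or ESP-IDF's own entrypoint code: it splits the PATH-like value on ":" (ignoring empty segments), renders the equivalent git `[safe]` config section, and returns a distinct status when the '*' wildcard is present, since that value switches the ownership check off for every repository. The function names and the output file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the ESP-IDF entrypoint): turn IDF_GIT_SAFE_DIR, a
# PATH-like ":"-separated list, into git safe.directory entries.
# Function names are assumed for illustration.

# Print one "safe.directory=<dir>" line per non-empty segment.
# Returns 2 when a segment is '*', because that setting disables the
# ownership check for all repositories, not just the listed ones.
idf_safe_dir_entries() {
    local rest="$1" rc=0 entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}                  # text before the first ":"
        if [ "$entry" = "$rest" ]; then    # no ":" left: last segment
            rest=
        else
            rest=${rest#*:}
        fi
        [ -n "$entry" ] || continue        # skip empty segments ("a::b", ":a")
        [ "$entry" = '*' ] && rc=2
        printf 'safe.directory=%s\n' "$entry"
    done
    return "$rc"
}

# Write the entries as an INI [safe] section to the config file given in
# $2; this is the shape `git config --add safe.directory <dir>` produces.
# Propagates status 2 from idf_safe_dir_entries and warns on stderr so a
# container log or CI job shows that the check was disabled.
idf_write_safe_section() {
    local value="$1" out="$2" rc=0 line entries
    entries=$(idf_safe_dir_entries "$value") || rc=$?
    {
        printf '[safe]\n'
        printf '%s\n' "$entries" | while IFS= read -r line; do
            [ -n "$line" ] || continue
            printf '\tdirectory = %s\n' "${line#safe.directory=}"
        done
    } > "$out"
    if [ "$rc" -eq 2 ]; then
        echo "warning: IDF_GIT_SAFE_DIR contains '*'; git ownership check disabled" >&2
    fi
    return "$rc"
}
```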
Roland Dobai
36cb0b29b2 Merge branch 'bugfix/docker_safe_repo_v5.1' into 'release/v5.1'
fix(docker): set esp-idf repo as safe directory (v5.1)

See merge request espressif/esp-idf!26804
2023-11-16 18:55:32 +08:00
Frantisek Hrbata
6f256958d1 fix(tools/docker): set esp-idf repo as safe directory
In our docker docs[1] we recommend starting docker as a non-root user. This has
a side effect, because the esp-idf repo in the docker image is owned by
root. Git by default refuses even to parse a config file if the repo is
owned by someone other than the current user. As a result the version detection in
cmake fails[2] and the app version is set to "HEAD-HASH-NOTFOUND".
This adds the esp-idf repo to the system git config as a safe one.

[1] https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/
    tools/idf-docker-image.html#building-a-project-with-cmake
[2] https://github.com/espressif/esp-idf/issues/12389#issuecomment-1764268773

Closes https://github.com/espressif/esp-idf/issues/12389

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-10-31 16:24:10 +01:00
Anton Maklakov
be79c75b64 feat(tools): Add QEMU 8.0.0_20230522 to tools.json
Process wildcards in the install and download lists of idf_tools
Fix the install and download handlers to get common behaviour
2023-10-11 12:28:47 +07:00
Anton Maklakov
8cdc795435 feat(tools/docker): update QEMU to 8.0.0 version, with xtensa and riscv32 chip support 2023-09-18 13:02:36 +07:00
Peter Dragun
16d033a919 tools: Docker: add build-essentials needed for linux targets
Closes https://github.com/espressif/esp-idf/pull/10772
2023-02-28 11:27:25 +01:00
Anton Maklakov
e2a20e1631 tools: Docker: add QEMU with xtensa chip support
Closes https://github.com/espressif/esp-idf-ci-action/issues/22
2022-11-01 09:07:04 +07:00
Ivan Grokhotkov
b679c95ddc tools: Docker: remove libpython2.7
libpython2.7 was added to the container to allow running GDB built
with Python 2.7 support and distributed as part of the cross-compiler
toolchain.

Now that we have a new release of GDB which works with Python 3.x,
the GDB shipped with the cross-compiler is no longer used. Removing
libpython2.7 should reduce the image size.

This reverts commit be0372b1db.
2022-08-22 13:25:09 +02:00
Tim Pambor
dba5ff8b3a Add git-lfs to docker container 2022-08-16 09:33:31 +02:00
Roland Dobai
de37f9dc33 Tools: Disable Python constraint files with environment variable
Constraint files can be disabled with an environment variable as well, which
is useful when one uses the install/export scripts instead of
idf_tools.py directly. This option is useful for offline builds as
well.

Closes https://github.com/espressif/esp-idf/issues/9263
2022-07-14 11:25:29 +02:00
Jakob Hasse
c8f28dc57f feat (cmock): add ruby and libbsd-dev to docker image
Closes https://github.com/espressif/esp-idf/issues/9342
2022-07-13 16:02:15 +08:00
Roland Dobai
ed795c86df Tools: Use built-in venv instead of virtualenv for creating Python environments 2022-05-28 06:43:14 +00:00
Ivan Grokhotkov
212cbc3fb6 tools/docker: add README.md file to be displayed on Docker Hub
Closes https://github.com/espressif/esp-idf/issues/7933
2022-05-26 03:44:13 +02:00
Ivan Grokhotkov
6dc52d4425 ci: build and push Docker images in Github actions, add arm64 platform
Replaces the previously used Docker Hub autobuild infrastructure.
This allows for more flexible configuration of the build process,
at the expense of some extra maintenance of CI workflow files
required.
2022-05-26 03:44:13 +02:00
Ivan Grokhotkov
a8904787fa tools/docker: add IDF_CLONE_SHALLOW and IDF_INSTALL_TARGETS arguments
These two arguments can be used to reduce the size of the Docker
image:

- Setting IDF_CLONE_SHALLOW enables shallow cloning.
- Setting IDF_INSTALL_TARGETS to a comma-separated list of targets
  results in toolchains being installed only for these targets.
2022-05-26 03:31:22 +02:00
Roland Dobai
3f385b46cc Revert "Install always latest version of git"
This reverts commit 6d2abc2332.
2022-04-14 15:26:40 +02:00
Tomas Sebestik
6d2abc2332 Install always latest version of git 2022-03-30 14:41:41 +02:00
Tomas Sebestik
d22795ea56 Update Dockerfile working on both x64 / ARM
Closes https://github.com/espressif/esp-idf/issues/6730
2021-10-08 17:11:59 +08:00
Tomas Rezucha
57b243a699 Update Ubuntu to v20.04 2021-08-11 20:34:02 +08:00
Martin Stejskal
be0372b1db tools/docker: Add libpython2.7 in order to satisfy GDB dependencies
It was not possible to run xtensa-esp32-elf-gdb from container due to
missing libpython2.7 library.

Merges https://github.com/espressif/esp-idf/pull/5817
Closes https://github.com/espressif/esp-idf/issues/5284
2020-09-02 18:15:52 +02:00
Ivan Grokhotkov
e94288da31 global: use '/usr/bin/env bash' instead of '/usr/bin/bash' in shebangs
Using the method from @cemeyer
(https://github.com/espressif/esp-idf/pull/3166):

find . -name \*.sh -exec sed -i "" -e 's|^#!.*bin/bash|#!/usr/bin/env bash|' {} +

Closes https://github.com/espressif/esp-idf/pull/3166.
2020-04-03 01:10:02 +02:00
Ivan Grokhotkov
287d0039ff tools/docker: enable ccache by default 2020-01-24 19:12:22 +01:00
Ivan Grokhotkov
54eed09d70 tools/docker: install CMake version provided in tools.json
Closes https://github.com/espressif/esp-idf/issues/4644
Closes IDFGH-2559
2020-01-24 19:11:56 +01:00
Ivan Grokhotkov
8d527243d9 tools/docker: use correct branch and commit of IDF when building 2019-11-06 17:58:23 +01:00
Ivan Grokhotkov
dd443f61e8 tools: add Dockerfile 2019-07-18 06:18:04 +00:00