Fix Git safe.directory errors for Kubernetes UID mismatch

[Copilot]

Git operations fail with "dubious ownership" errors when containers run under different UIDs in Kubernetes (via runAsUser, fsGroup, or OpenShift random UIDs) than the file ownership baked into images.

Changes

Shared entrypoint script (dockerfiles/git-safe-entrypoint.sh)

• Configures git config --global --add safe.directory at runtime for all service repo paths
• Only runs if git is installed; passes through to original CMD via exec "$@"

18 Dockerfiles updated with two-layer protection:

1. Build-time: After repo extraction/cloning:

   RUN chown -R app:app /edx/app/service/repo
   COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
   RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
   
   USER app
   RUN git config --global --add safe.directory /edx/app/service/repo

2. Runtime: Entrypoint handles dynamic UID changes:

   ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
   CMD <original-command>

Affected services: edx-platform, course-discovery, ecommerce, credentials, xqueue, codejail-service, commerce-coordinator, edx-analytics-{dashboard,data-api}, edx-{exams,notes-api}, enterprise-{access,catalog,subsidy}, license-manager, portal-designer, program-intent-engagement, registrar

Notes

• Backward compatible: ENTRYPOINT preserves existing CMD behavior
• edx-platform.Dockerfile already had safe.directory config but ran as root; now runs as app user
• enterprise-* services extract tarballs into WORKDIR with --strip-components=1, so git repos are at /edx/app/service, not /edx/app/service/service

Original prompt

We are encountering Git "dubious ownership" / safe.directory errors for applications that are built and deployed as Docker containers running in Kubernetes. These applications typically:

• Clone or include Git repositories (e.g., edx-platform or other edx services) in their Docker images, and/or
• Run git commands at image build time or at container runtime (e.g., maintenance scripts, migrations, or debug tooling).

In Kubernetes environments, additional factors like runAsUser, fsGroup, or OpenShift-style random UIDs mean that the process user inside the container may not match the ownership of the Git working directory baked into the image, triggering Git's safe.directory checks.

We want a systematic, global fix in our Dockerfile repos so that containerized apps don't hit Git safe.directory / "dubious ownership" failures at build or runtime.

Target repositories:

• edx/internal-dockerfiles (internal images)
• edx/public-dockerfiles (public images used for development and deployment of edx.org)

Constraints/requirements:

1. Make changes in the Dockerfiles and any associated entrypoint scripts so that:

   • Git working directories inside the containers are owned by the same user that runs git commands.
   • Git is configured with appropriate safe.directory entries for those working directories.

2. The fix should cover both:

   • Git usage during docker build (e.g., when the Dockerfile clones a repo and runs git operations), and
   • Git usage at runtime inside the running container (if applicable), where container security context may change the effective UID.

3. Implementation strategy in Dockerfiles:

   a. Ownership consistency

   • When a Dockerfile clones or copies a Git repo into the image (e.g., /edx/app/edxapp/edx-platform), ensure that directory is chowned to the intended app user that will run git and the app process.

   • Example pattern (to be adapted per image):

     RUN git clone https://github.com/edx/edx-platform.git /edx/app/edxapp/edx-platform \ 
         && chown -R edxapp:edxapp /edx/app/edxapp

   b. Define and use a consistent app user

   • Ensure each Dockerfile that needs git operations defines (or uses) an appropriate USER and that git operations are run as that user where possible.

   c. Configure git safe.directory

   • For images where git is installed and repositories may be manipulated (build time or runtime), configure:

     USER edxapp
     RUN git config --global --add safe.directory /edx/app/edxapp/edx-platform

   • Use the correct user and path for each image (edxapp, ecommerce, discovery, etc.).

4. Runtime handling (for Kubernetes):

   • If containers may run with a different UID than the image default (e.g., via runAsUser, fsGroup, or OpenShift), add a small entrypoint script that runs on container start to configure git config --global --add safe.directory <repo-dir> for the current user before launching the app.

   • Example pattern (to be adapted and shared if possible):

     #!/usr/bin/env bash
     set -e
     
     if command -v git >/dev/null 2>&1; then
       git config --global --add safe.directory /edx/app/edxapp/edx-platform || true
       # Additional repos as needed
     fi
     
     exec "$@"

   • Update Dockerfiles to COPY this entrypoint script and use it as ENTRYPOINT, preserving the existing CMD.

5. Scope for each repo:

   • edx/internal-dockerfiles: Identify Dockerfiles that include Git repos and/or use git, then apply the user/ownership/safe.directory patterns above.
   • edx/public-dockerfiles: Similarly, for public images used for edx.org development and deployment, apply the same patterns using the appropriate app users and paths.

6. Style and compatibility:

   • Follow existing conventions in each repo for:
     • User names and UIDs.
     • Directory layout (e.g., /edx/app/<app>/<repo> or other standard paths).
     • Entrypoint and CMD patterns.
   • Ensure changes are backward compatible: containers should still start and behave as before, with the only difference being that git now works without safe.directory errors.

Deliverables:

• A PR in edx/internal-dockerfiles that:
  • Updates relevant Dockerfiles and/or adds entrypoint scripts to enforce consistent ownership and git safe.directory configuration for any Git working directories.
• A PR in edx/public-dockerfiles that does the same for public images.
• Clear PR descriptions summarizing the Git "dubious ownership" / safe.directory problem in Kubernetes-deployed containers and how the Dockerfile and entrypoint changes mitigate it.

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.