Safe Directory not working as expected

[jjarokergc]

Describe the Bug

The error "Path [...] exists and is not the desired repository" appeared in my puppet logs on a previously-working manifest for the installation of Dokuwiki. That resource is shown here:
https://github.com/jjarokergc/puppet-dokuwiki/blob/61c04b113525a3a10ac3b6c1d91eaa37df36531c/manifests/init.pp#L63

  vcsrepo { $www_root :
    ensure             => 'present',
    provider           => 'git',
    trust_server_cert  => true,
    source             => $code_source[repo][url],
    revision           => $code_source[repo][revision],
    depth              => 1,
    user               => $provisioning[user],
    require            => File[$vhost_dir],
    keep_local_changes => true,
    safe_directory     => true, # Response to CVE-2022-24765
  }

This error appeared after updating git to version 2.25.1 on Ubuntu, which backported the CVE-2022-24765 bug fix, introducing this failure. I followed the discussion and suggestions shown in Issue #535 and added the safe_directory parameter in the above example. I would appreciate any suggestions on how to get this module working again.

Expected Behavior

I was expecting the git update to proceed as before but the "change from 'absent' to 'present' failed" problem persists.

Environment

lsb_release -a

Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal

On client: puppet agent --version
7.23.0

On master: puppetserver --version
puppetserver version: 7.9.5

Puppetfile.r10k
mod 'puppetlabs-vcsrepo', '5.4.0'

Additional Context

puppet agent -t --debug

Debug: Executing: 'git --version'
Debug: Executing: 'git -c http.sslVerify=false config --get remote.origin.url'
Debug: Executing: 'git --version'
Debug: Executing: 'git -c http.sslVerify=false config --global --get-all safe.directory'
Notice: Vcsrepo[/var/www/yurevichi.org/htdocs](provider=git): Adding '/var/www/yurevichi.org/htdocs' to safe directory list
Debug: Executing: 'git --version'
Debug: Executing: 'git -c http.sslVerify=false config --global --add safe.directory /var/www/yurevichi.org/htdocs'
Debug: Executing: 'git --version'
Debug: Executing: 'git -c http.sslVerify=false config --get remote.origin.url'
Error: Path /var/www/yurevichi.org/htdocs exists and is not the desired repository.
Error: /Stage[main]/Dokuwiki/Vcsrepo[/var/www/yurevichi.org/htdocs]/ensure: change from 'absent' to 'present' failed: Path /var/www/yurevichi.org/htdocs exists and is not the desired repository.
Notice: /Stage[main]/Dokuwiki/File[/var/www/yurevichi.org/htdocs/robots.txt]: Dependency Vcsrepo[/var/www/yurevichi.org/htdocs] has failures: true

[jjarokergc]

There is additional odd behavior that was observed while troubleshooting:

Removing the "safe_directory" directive in the above example (such as by prefixing a # to make it into a comment) results in VCSREPO giving notices that the directory has been alternatively removed and then added each time puppet agent -t is run.

...
Notice: Vcsrepo[/var/www/yurevichi.org/htdocs](provider=git): Removing '/var/www/yurevichi.org/htdocs' from safe directory list
...
Notice: Vcsrepo[/var/www/yurevichi.org/htdocs](provider=git): Adding '/var/www/yurevichi.org/htdocs' to safe directory list
...
Notice: Vcsrepo[/var/www/yurevichi.org/htdocs](provider=git): Removing '/var/www/yurevichi.org/htdocs' from safe directory list
...

[martijndegouw]

We have the exact same issue since a couple of weeks.

We are using vcsrepo version v5.0.0 on Debian 11.6, using git version 2.39.2.

[jjarokergc]

The "safe directory" functionality created many problems and I removed it.

The solution to my problem was deleting the git directory and recreating it through puppet. I use the "user" parameter to checkout as a non-root user.

Here is an example that works for me (after deleting the git directory on the host):

https://github.com/jjarokergc/puppet-dokuwiki/blob/e4e5582473814cf04c07d68f24d1c331eab81fad/manifests/init.pp

[martijndegouw]

I get this issue without using the safe directory functionality at all. I have no idea why this now triggers.

All I know now, after some debugging, is that at this point provider.exists is false:

puppetlabs-vcsrepo/lib/puppet/type/vcsrepo.rb

Line 133 in 0c7d183

if provider.exists? && !@resource.value(:force)

So the if jumps to provider.create, which returns this error.

Error: Path /srv/installer exists and is not the desired repository.
/opt/puppetlabs/puppet/cache/lib/puppet/provider/vcsrepo.rb:11:in `check_force'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/vcsrepo/git.rb:12:in `create'
/opt/puppetlabs/puppet/cache/lib/puppet/type/vcsrepo.rb:123:in `block (3 levels) in <top (required)>'

I'll try to debug it some more, but I'm not that familiar with the ruby syntax.

[pelacables]

Anyone got a fix for this?
I'm experiencing this issue with vcsrepo 6.1.0 with and without safe directory parameter.

[pelacables]

After some debugging we realized that the issue was comming a wrong syntax in /etc/gitconfig (in case this helps others)