[PATCH 4/8] run-coverity-scan: use docker.py
From: Paolo Bonzini
Subject: [PATCH 4/8] run-coverity-scan: use docker.py
Date: Wed, 22 Apr 2020 13:23:47 -0400
Our trusted docker wrapper allows run-coverity-scan to run with both
docker and podman.
For the "run" phase this is transparent; for the "build" phase however
scripts are replaced with a bind mount (-v). This is not an issue
because the secret option is meant for secrets stored globally in the
system and bind mounts are a valid substitute for secrets that are known
to whoever builds the container.
This also removes the need for DOCKER_BUILDKIT=1.
Signed-off-by: Paolo Bonzini <address@hidden>
---
Later in the series, the secret will not be used in "docker build"
at all.
scripts/coverity-scan/coverity-scan.docker | 2 +-
scripts/coverity-scan/run-coverity-scan | 23 ++++++++++++----------
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/scripts/coverity-scan/coverity-scan.docker
b/scripts/coverity-scan/coverity-scan.docker
index a4f64d1283..6f0460b66c 100644
--- a/scripts/coverity-scan/coverity-scan.docker
+++ b/scripts/coverity-scan/coverity-scan.docker
@@ -128,4 +128,4 @@ RUN rpm -q $PACKAGES | sort > /packages.txt
ENV PATH $PATH:/usr/libexec/python3-sphinx/
ENV COVERITY_TOOL_BASE=/coverity-tools
COPY run-coverity-scan run-coverity-scan
-RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan
--update-tools-only --tokenfile /run/secrets/coverity.token
+RUN ./run-coverity-scan --update-tools-only --tokenfile /work/token
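Review bot: the removed `--mount=type=secret,...,required` made the build fail early when no token was supplied, but the new `RUN ./run-coverity-scan --update-tools-only --tokenfile /work/token` has no equivalent guard, so a missing or empty bind mount is only caught by whatever run-coverity-scan does with an absent token file. Consider a `test -s /work/token` (or a clear error inside run-coverity-scan) before the tool download, and note in a comment that `/work` must stay in sync with the `-v "$SECRETDIR:/work"` in the calling script, since the path is now hardcoded in two places.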
diff --git a/scripts/coverity-scan/run-coverity-scan
b/scripts/coverity-scan/run-coverity-scan
index f7325b570c..ae1fc7ae76 100755
--- a/scripts/coverity-scan/run-coverity-scan
+++ b/scripts/coverity-scan/run-coverity-scan
@@ -197,6 +197,12 @@ while [ "$#" -ge 1 ]; do
;;
--docker)
DOCKER=yes
+ DOCKER_ENGINE=auto
+ shift
+ ;;
+ --docker=*)
+ DOCKER=yes
+ DOCKER_ENGINE=${1#--docker=}
shift
;;
*)
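Review bot: `--docker=*` stores the user-supplied engine name in `DOCKER_ENGINE` without validation, and only the `--docker` branch initialises it to `auto`. If `DOCKER=yes` can be reached by any other path, `DOCKER_ENGINE` stays unset and the later `--engine ${DOCKER_ENGINE}` expands to nothing; initialising `DOCKER_ENGINE=auto` where `DOCKER` is first defined, and rejecting values outside the set docker.py accepts, would make this robust.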
@@ -283,9 +289,8 @@ if [ "$DOCKER" = yes ]; then
# build docker container including the coverity-scan tools
# Put the Coverity token into a temporary file that only
# we have read access to, and then pass it to docker build
- # using --secret. This requires at least Docker 18.09.
- # Mostly what we are trying to do here is ensure we don't leak
- # the token into the Docker image.
+ # using a volume. A volume is enough for the token not to
+ # leak into the Docker image.
umask 077
SECRETDIR=$(mktemp -d)
if [ -z "$SECRETDIR" ]; then
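Review bot: the rewritten comment ("A volume is enough for the token not to leak into the Docker image") drops the version requirement but does not say where the volume comes from; `docker build` itself has no `-v` option, so the bind mount during the build phase is supplied by the docker.py wrapper (as the commit message says), and the comment should state that so a reader does not try to reproduce the step with a bare `docker build`.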
@@ -300,12 +305,10 @@ if [ "$DOCKER" = yes ]; then
# TODO: This re-downloads the tools every time, rather than
# caching and reusing the image produced with the downloaded tools.
# Not sure why.
- # TODO: how do you get 'docker build' to print the output of the
- # commands it is running to its stdout? This would be useful for debug.
- DOCKER_BUILDKIT=1 docker build -t coverity-scanner \
- --secret id=coverity.token,src="$SECRET" \
- -f scripts/coverity-scan/coverity-scan.docker \
- scripts/coverity-scan
+ tests/docker/docker.py --engine ${DOCKER_ENGINE} build \
+ -t coverity-scanner -f
scripts/coverity-scan/coverity-scan.docker \
+ -v "$SECRETDIR:/work" \
+ --extra-files scripts/coverity-scan/run-coverity-scan
echo "Archiving sources to be analyzed..."
./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"
if [ "$DRYRUN" = yes ]; then
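Review bot: `--engine ${DOCKER_ENGINE}` is expanded unquoted even though the value comes straight from the `--docker=...` command line; quote it as `"${DOCKER_ENGINE}"` so an empty value fails loudly instead of shifting `build` into the `--engine` slot. The build also mounts the whole `$SECRETDIR` where the old `--secret id=coverity.token,src="$SECRET"` exposed a single file; that is fine while the directory holds only the token, but worth a comment so nothing else is dropped into it before the build step later on.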
@@ -323,7 +326,7 @@ if [ "$DOCKER" = yes ]; then
# Arrange for this docker run to get access to the sources with -v.
# We pass through all the configuration from the outer script to the inner.
export COVERITY_EMAIL COVERITY_BUILD_CMD
- docker run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
+ tests/docker/docker.py run -it --env COVERITY_EMAIL --env
COVERITY_BUILD_CMD \
-v "$SECRETDIR:/work" coverity-scanner \
./run-coverity-scan --version "$VERSION" \
--description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \
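Review bot: the `run` invocation does not pass `--engine ${DOCKER_ENGINE}`, while the `build` invocation above does. If the user selects `--docker=podman` and docker.py's auto-detection for `run` settles on a different engine, the `coverity-scanner` image built a few lines earlier will not be found; pass `--engine "${DOCKER_ENGINE}"` to `run` as well so both phases use the same engine.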
--
2.18.2