[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH RFC 2/3] gitlab: build all container images during CI
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [PATCH RFC 2/3] gitlab: build all container images during CI |
|
Date: |
Thu, 25 Jun 2020 10:50:41 +0100 |
|
User-agent: |
Mutt/1.14.0 (2020-05-02) |
On Thu, Jun 25, 2020 at 11:35:54AM +0200, Thomas Huth wrote:
> On 22/06/2020 17.33, Daniel P. Berrangé wrote:
> > We have a number of container images in tests/docker/dockerfiles
> > that are intended to provide well defined environments for doing
> > test builds. We want our CI system to use these containers too.
> >
> > This introduces builds of all of them as the first stage in the
> > CI, so that the built containers are available for later build
> > jobs. The containers are setup to use the GitLab container
> > registry as the cache, so we only pay the penalty of the full
> > build when the dockerfiles change. The main qemu-project/qemu
> > repo is used as a second cache, so that users forking QEMU will
> > see a fast turnaround time on their CI jobs.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > .gitlab-ci.d/containers.yml | 248 ++++++++++++++++++++++++++++++++++++
> > .gitlab-ci.yml | 3 +
> > 2 files changed, 251 insertions(+)
> > create mode 100644 .gitlab-ci.d/containers.yml
> >
> > diff --git a/.gitlab-ci.d/containers.yml b/.gitlab-ci.d/containers.yml
> > new file mode 100644
> > index 0000000000..ea1edbb196
> > --- /dev/null
> > +++ b/.gitlab-ci.d/containers.yml
> > @@ -0,0 +1,248 @@
> > +
> > +
> > +.container_job_template: &container_job_definition
> > + image: docker:stable
> > + stage: containers
> > + services:
> > + - docker:dind
> > + before_script:
> > + - export TAG="$CI_REGISTRY_IMAGE/ci-$NAME:latest"
> > + - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/ci-$NAME:latest"
> > + - docker info
> > + - docker login registry.gitlab.com -u "$CI_REGISTRY_USER" -p
> > "$CI_REGISTRY_PASSWORD"
>
> I can see this in the output:
>
> WARNING! Using --password via the CLI is insecure. Use --password-stdin.
>
> I have to admit that I have only little knowledge about docker ... but could
> there be an issue here? Should this be done in a different way?
In general the warning is correct, because other users on the same
host can see the process CLI args, and thus the password is susceptible
to snooping.
In this case, however, it is a non-issue. This is running inside a docker
container already which has a PID namespace. Thus the only things that
can see our password on the CLI are things inside our own container
which already all have the env variable, and processes running in host
OS context which are only things GitLab admins control. So there's no
data leakage to anyone who doesn't already have access to the password
This particular docker login command is the documented solution:
https://docs.gitlab.com/ee/ci/docker/using_docker_build.html
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Re: [PATCH RFC 2/3] gitlab: build all container images during CI, Daniel P . Berrangé, 2020/06/25
Re: [PATCH RFC 2/3] gitlab: build all container images during CI, Thomas Huth, 2020/06/25
Re: [PATCH RFC 0/3] gitlab: build containers to use in build jobs, Alex Bennée, 2020/06/25
Re: [PATCH RFC 0/3] gitlab: build containers to use in build jobs, Thomas Huth, 2020/06/25