[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH RFC 2/3] gitlab: build all container images during CI
From: |
Laszlo Ersek |
Subject: |
Re: [PATCH RFC 2/3] gitlab: build all container images during CI |
Date: |
Thu, 25 Jun 2020 17:57:39 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1 |
On 06/25/20 11:50, Daniel P. Berrangé wrote:
> On Thu, Jun 25, 2020 at 11:35:54AM +0200, Thomas Huth wrote:
>> On 22/06/2020 17.33, Daniel P. Berrangé wrote:
>>> We have a number of container images in tests/docker/dockerfiles
>>> that are intended to provide well defined environments for doing
>>> test builds. We want our CI system to use these containers too.
>>>
>>> This introduces builds of all of them as the first stage in the
>>> CI, so that the built containers are available for later build
>>> jobs. The containers are setup to use the GitLab container
>>> registry as the cache, so we only pay the penalty of the full
>>> build when the dockerfiles change. The main qemu-project/qemu
>>> repo is used as a second cache, so that users forking QEMU will
>>> see a fast turnaround time on their CI jobs.
>>>
>>> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>>> ---
>>> .gitlab-ci.d/containers.yml | 248 ++++++++++++++++++++++++++++++++++++
>>> .gitlab-ci.yml | 3 +
>>> 2 files changed, 251 insertions(+)
>>> create mode 100644 .gitlab-ci.d/containers.yml
>>>
>>> diff --git a/.gitlab-ci.d/containers.yml b/.gitlab-ci.d/containers.yml
>>> new file mode 100644
>>> index 0000000000..ea1edbb196
>>> --- /dev/null
>>> +++ b/.gitlab-ci.d/containers.yml
>>> @@ -0,0 +1,248 @@
>>> +
>>> +
>>> +.container_job_template: &container_job_definition
>>> + image: docker:stable
>>> + stage: containers
>>> + services:
>>> + - docker:dind
>>> + before_script:
>>> + - export TAG="$CI_REGISTRY_IMAGE/ci-$NAME:latest"
>>> + - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/ci-$NAME:latest"
>>> + - docker info
>>> + - docker login registry.gitlab.com -u "$CI_REGISTRY_USER" -p
>>> "$CI_REGISTRY_PASSWORD"
>>
>> I can see this in the output:
>>
>> WARNING! Using --password via the CLI is insecure. Use --password-stdin.
>>
>> I have to admit that I have only little knowledge about docker ... but could
>> there be an issue here? Should this be done in a different way?
>
> In general the warning is correct, because other users on the same
> host can see the process CLI args, and thus the password is susceptible
> to snooping.
>
> In this case, however, it is a non-issue. This is running inside a docker
> container already which has a PID namespace. Thus the only things that
> can see our password on the CLI are things inside our own container
> which already all have the env variable, and processes running in host
> OS context which are only things GitLab admins control. So there's no
> data leakage to anyone who doesn't already have access to the password
>
> This particular docker login command is the documented solution:
>
> https://docs.gitlab.com/ee/ci/docker/using_docker_build.html
(
Purely theoretically, we could use a "here string":
docker [...] --password-stdin <<< "$CI_REGISTRY_PASSWORD"
The password is then not exposed on any process's command line; it's a
(bash) shell redirection. (It's not in POSIX.)
)
Thanks
Laszlo
Re: [PATCH RFC 2/3] gitlab: build all container images during CI, Daniel P . Berrangé, 2020/06/25
Re: [PATCH RFC 2/3] gitlab: build all container images during CI, Thomas Huth, 2020/06/25
Re: [PATCH RFC 0/3] gitlab: build containers to use in build jobs, Alex Bennée, 2020/06/25
Re: [PATCH RFC 0/3] gitlab: build containers to use in build jobs, Thomas Huth, 2020/06/25