Automatic merge of gitlab-org/gitlab-ce master
parents
276537bd
a0272056
Showing
3 changed files
with
23 additions
and
6 deletions
+23
-6
changelogs/unreleased/fix-container-scanning-on-k8s.yml
changelogs/unreleased/fix-container-scanning-on-k8s.yml
+5
-0
lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+7
-2
lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
...ab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+11
-4
changelogs/unreleased/fix-container-scanning-on-k8s.yml
0 → 100644
---
title
:
Fix Container Scanning in Kubernetes Runners
merge_request
:
26793
author
:
type
:
changed
lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
...
@@ -531,8 +531,8 @@ rollout 100%:
...
@@ -531,8 +531,8 @@ rollout 100%:
touch clair-whitelist.yml
touch clair-whitelist.yml
retries=0
retries=0
echo "Waiting for clair daemon to start"
echo "Waiting for clair daemon to start"
while( ! wget -T 10 -q -O /dev/null http://
docker
:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
while( ! wget -T 10 -q -O /dev/null http://
${DOCKER_SERVICE}
:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
./clair-scanner -c http://
docker
:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
./clair-scanner -c http://
${DOCKER_SERVICE}
:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
}
}
function code_quality() {
function code_quality() {
...
@@ -800,10 +800,15 @@ rollout 100%:
...
@@ -800,10 +800,15 @@ rollout 100%:
kubectl version --client
kubectl version --client
}
}
# With the Kubernetes executor, 'localhost' must be used instead
# https://docs.gitlab.com/runner/executors/kubernetes.html
function setup_docker() {
function setup_docker() {
if ! docker info &>/dev/null; then
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
export DOCKER_HOST='tcp://localhost:2375'
export DOCKER_SERVICE="localhost"
else
export DOCKER_SERVICE="docker"
fi
fi
fi
fi
}
}
...
...
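Review bot: DOCKER_SERVICE is only exported inside the `if ! docker info` branch of setup_docker, so when the daemon is already reachable (DOCKER_HOST pre-set by the runner or the user) the variable stays unset and the new `http://${DOCKER_SERVICE}:6060` URLs in container_scanning expand to `http://:6060`, unless the variable is defaulted elsewhere in the template, which this page does not show. Defaulting it before the reachability check keeps every path correct: `export DOCKER_SERVICE="${DOCKER_SERVICE:-docker}"` as the first line of setup_docker, after which the added `else` branch is no longer needed. The surrounding `[ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]` test relies on the deprecated `-a`; `[ -z "$DOCKER_HOST" ] && [ -n "$KUBERNETES_PORT" ]` is the portable form. The container_scanning function in the first hunk starts outside the hunk.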
lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
...
@@ -17,23 +17,30 @@ container_scanning:
...
@@ -17,23 +17,30 @@ container_scanning:
#
#
# Container Scanning deals with Docker images only so no need to import the project's Git repository:
# Container Scanning deals with Docker images only so no need to import the project's Git repository:
GIT_STRATEGY
:
none
GIT_STRATEGY
:
none
# Services and containers running in the same Kubernetes pod are all sharing the same localhost address
# https://docs.gitlab.com/runner/executors/kubernetes.html
DOCKER_SERVICE
:
docker
DOCKER_HOST
:
tcp://${DOCKER_SERVICE}:2375/
# https://hub.docker.com/r/arminc/clair-local-scan/tags
CLAIR_LOCAL_SCAN_VERSION
:
v2.0.6
allow_failure
:
true
allow_failure
:
true
services
:
services
:
-
docker:stable-dind
-
docker:stable-dind
script
:
script
:
-
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
-
docker run -d --name db arminc/clair-db:latest
-
docker run -d --name db arminc/clair-db:latest
-
docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:
v2.0.6
-
docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:
${CLAIR_LOCAL_SCAN_VERSION}
-
apk add -U wget ca-certificates
-
apk add -U wget ca-certificates
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-
mv clair-scanner_linux_amd64 clair-scanner
-
mv clair-scanner_linux_amd64 clair-scanner
-
chmod +x clair-scanner
-
chmod +x clair-scanner
-
touch clair-whitelist.yml
-
touch clair-whitelist.yml
-
while( ! wget -q -O /dev/null http://
docker
:6060/v1/namespaces ) ; do sleep 1 ; done
-
while( ! wget -q -O /dev/null http://
${DOCKER_SERVICE}
:6060/v1/namespaces ) ; do sleep 1 ; done
-
retries=0
-
retries=0
-
echo "Waiting for clair daemon to start"
-
echo "Waiting for clair daemon to start"
-
while( ! wget -T 10 -q -O /dev/null http://
docker
:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-
while( ! wget -T 10 -q -O /dev/null http://
${DOCKER_SERVICE}
:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-
./clair-scanner -c http://
docker
:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
-
./clair-scanner -c http://
${DOCKER_SERVICE}
:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
artifacts
:
reports
:
reports
:
container_scanning
:
gl-container-scanning-report.json
container_scanning
:
gl-container-scanning-report.json
...
...
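Review bot: The new `DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/` default under `variables:` appears to make the added script check `if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]` unreachable on Kubernetes runners, because DOCKER_HOST is then always non-empty when the script starts; as far as the page shows, the localhost switch can only fire if a user blanks DOCKER_HOST explicitly, which is the opposite of what the fix intends. Keying the switch on the executor alone avoids that: `if [ -n "$KUBERNETES_PORT" ]; then export DOCKER_SERVICE="localhost"; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375"; fi`, leaving DOCKER_SERVICE as the documented override point for other layouts. If the `-z "$DOCKER_HOST"` guard is kept on purpose, it should be written as two `[ ]` tests joined by `&&` rather than the deprecated `-a`, and the `variables:` comment should say that DOCKER_HOST must be cleared for the Kubernetes branch to apply.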