Fix Container Scanning for Kubernetes Runners

closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6636 closes https://gitlab.com/gitlab-org/gitlab-ee/issues/5763
2019-03-30 12:05:13 -04:00 · 2019-03-30 12:05:13 -04:00 · 6a25f8bc79
commit 6a25f8bc79
parent 50a1e01fa8
3 changed files with 23 additions and 6 deletions
--- a/changelogs/unreleased/fix-container-scanning-on-k8s.yml
+++ b/changelogs/unreleased/fix-container-scanning-on-k8s.yml
@ -0,0 +1,5 @@
+---
+title: Fix Container Scanning in Kubernetes Runners
+merge_request: 26793
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@ -531,8 +531,8 @@ rollout 100%:
    touch clair-whitelist.yml
    retries=0
    echo "Waiting for clair daemon to start"
-    while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+    while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+    ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  }

  function code_quality() {
@ -800,10 +800,15 @@ rollout 100%:
    kubectl version --client
  }

+  # With the Kubernetes executor, 'localhost' must be used instead
+  # https://docs.gitlab.com/runner/executors/kubernetes.html
  function setup_docker() {
    if ! docker info &>/dev/null; then
      if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
        export DOCKER_HOST='tcp://localhost:2375'
+        export DOCKER_SERVICE="localhost"
+      else
+        export DOCKER_SERVICE="docker"
      fi
    fi
  }
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@ -17,23 +17,30 @@ container_scanning:
    #
    # Container Scanning deals with Docker images only so no need to import the project's Git repository:
    GIT_STRATEGY: none
+    # Services and containers running in the same Kubernetes pod are all sharing the same localhost address
+    # https://docs.gitlab.com/runner/executors/kubernetes.html
+    DOCKER_SERVICE: docker
+    DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
+    # https://hub.docker.com/r/arminc/clair-local-scan/tags
+    CLAIR_LOCAL_SCAN_VERSION: v2.0.6
  allow_failure: true
  services:
    - docker:stable-dind
  script:
+    - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
    - docker run -d --name db arminc/clair-db:latest
-    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
+    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
    - apk add -U wget ca-certificates
    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
-    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+    - while( ! wget -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; done
    - retries=0
    - echo "Waiting for clair daemon to start"
-    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+    - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+    - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json