On 06/25/20 11:50, Daniel P. Berrangé wrote:
> On Thu, Jun 25, 2020 at 11:35:54AM +0200, Thomas Huth wrote:
>> On 22/06/2020 17.33, Daniel P. Berrangé wrote:
>>> We have a number of container images in tests/docker/dockerfiles
>>> that are intended to provide well defined environments for doing
>>> test builds. We want our CI system to use these containers too.
>>>
>>> This introduces builds of all of them as the first stage in the
>>> CI, so that the built containers are available for later build
>>> jobs. The containers are set up to use the GitLab container
>>> registry as the cache, so we only pay the penalty of the full
>>> build when the dockerfiles change. The main qemu-project/qemu
>>> repo is used as a second cache, so that users forking QEMU will
>>> see a fast turnaround time on their CI jobs.
>>>
>>> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
>>> ---
>>>  .gitlab-ci.d/containers.yml | 248 ++++++++++++++++++++++++++++++++++++
>>>  .gitlab-ci.yml              |   3 +
>>>  2 files changed, 251 insertions(+)
>>>  create mode 100644 .gitlab-ci.d/containers.yml
>>>
>>> diff --git a/.gitlab-ci.d/containers.yml b/.gitlab-ci.d/containers.yml
>>> new file mode 100644
>>> index 0000000000..ea1edbb196
>>> --- /dev/null
>>> +++ b/.gitlab-ci.d/containers.yml
>>> @@ -0,0 +1,248 @@ >>> + >>> + >>> +.container_job_template: &container_job_definition >>> + image: docker:stable >>> + stage: containers >>> + services: >>> + - docker:dind >>> + before_script: >>> + - export TAG="$CI_REGISTRY_IMAGE/ci-$NAME:latest" >>> + - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/ci-$NAME:latest" >>> + - docker info >>> + - docker login registry.gitlab.com -u "$CI_REGISTRY_USER" -p >>> "$CI_REGISTRY_PASSWORD"
>>
>> I can see this in the output:
>>
>> WARNING! Using --password via the CLI is insecure. Use --password-stdin.
>>
>> I have to admit that I have only little knowledge about docker ... but could
>> there be an issue here? Should this be done in a different way?
>
> In general the warning is correct, because other users on the same
> host can see the process CLI args, and thus the password is susceptible
> to snooping.
>
> In this case, however, it is a non-issue. This is running inside a docker
> container already which has a PID namespace. Thus the only things that
> can see our password on the CLI are things inside our own container
> which already all have the env variable, and processes running in host
> OS context which are only things GitLab admins control. So there's no
> data leakage to anyone who doesn't already have access to the password.
>
> This particular docker login command is the documented solution:
>
> https://docs.gitlab.com/ee/ci/docker/using_docker_build.html
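Review bot: the `docker login registry.gitlab.com -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"` step in `before_script` puts the registry password on the process's argv, which is exactly what the `--password-stdin` warning is about; passing it on stdin is a one-line change, e.g. `echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin`, and keeps the secret out of anything that can read the command line. Using `$CI_REGISTRY` there would also match the `COMMON_TAG` line just above, which already derives the registry host from that variable instead of hardcoding `registry.gitlab.com`. Separately, `image: docker:stable` and the `docker:dind` service are floating tags, so the environment that builds the containers can change independently of the dockerfiles the registry cache is keyed on; pinning them would make the "only rebuild when the dockerfiles change" property hold more reliably.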
( Purely theoretically, we could use a "here string":

  docker [...] --password-stdin <<< "$CI_REGISTRY_PASSWORD"

The password is then not exposed on any process's command line; it's a
(bash) shell redirection. (It's not in POSIX.) )

Thanks
Laszlo
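As an added example (not code from the QEMU patch, from GitLab's documentation, or from anyone in this thread), the following POSIX shell script demonstrates what Thomas's warning and Laszlo's suggestion are about: it starts a stand-in for `docker login` once with `-p` and once with `--password-stdin`, and reads each process's argv from `/proc/<pid>/cmdline` the way any other process in the same PID namespace could. The stand-in script, its `PIDFILE` handshake and the `hunter2-constructed` sample password are all constructed for the demo; the stand-in mimics only docker's `-u`/`-p`/`--password-stdin` option handling and is not docker's code.

```shell
#!/bin/sh
# Added example, not code from the QEMU patch or from anyone in the thread.
# It shows why `docker login ... -p "$PASS"` exposes the password to any
# same-namespace observer that can read the process's argv, and that feeding
# it via --password-stdin does not. A stand-in script replaces the real docker
# CLI so the demo runs offline; it mimics only the -u/-p/--password-stdin
# option handling (an assumption about the interface, not docker's code).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FAKE_LOGIN="$WORK/fake_login"

# Stand-in for `docker login`: records its own PID in $PIDFILE, takes the
# password from -p or from stdin, then lingers so the caller can inspect it.
cat > "$FAKE_LOGIN" <<'EOF'
#!/bin/sh
echo $$ > "$PIDFILE"
pass=
while [ $# -gt 0 ]; do
  case $1 in
    -u) shift ;;                      # skip the username value
    -p) pass=$2; shift ;;             # password taken from argv
    --password-stdin) read -r pass ;; # password taken from stdin
  esac
  shift
done
[ -n "$pass" ] || exit 2
sleep 1
EOF
chmod +x "$FAKE_LOGIN"

# argv of a live process, as seen by any user in the same PID namespace
# (/proc/<pid>/cmdline is world-readable on Linux; ps as a fallback).
argv_of() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Run fake_login in mode "cli" (-p) or "stdin" (--password-stdin) with
# password $2. Returns 0 if the password shows up on its argv, 1 otherwise.
password_on_argv() {
  mode=$1; pass=$2
  pidfile="$WORK/pid.$mode"
  : > "$pidfile"
  case $mode in
    cli)
      PIDFILE="$pidfile" "$FAKE_LOGIN" -u ci -p "$pass" & ;;
    stdin)
      # POSIX form of the bash-only here-string:  --password-stdin <<< "$pass"
      printf '%s\n' "$pass" | PIDFILE="$pidfile" "$FAKE_LOGIN" -u ci --password-stdin & ;;
    *) return 2 ;;
  esac
  i=0
  while [ ! -s "$pidfile" ] && [ "$i" -lt 100 ]; do  # wait until it has exec'd
    sleep 0.05 2>/dev/null || sleep 1
    i=$((i + 1))
  done
  if argv_of "$(cat "$pidfile")" | grep -q -- "$pass"; then rc=0; else rc=1; fi
  wait   # reap the background login
  return $rc
}

# Constructed sample credential, not a real one.
SECRET='hunter2-constructed'
password_on_argv cli   "$SECRET" && echo "-p:               '$SECRET' is visible on argv"
password_on_argv stdin "$SECRET" || echo "--password-stdin: password is not on argv"
```

Run it as `sh demo.sh`: the `-p` run reports the password on argv, the stdin run does not. The `printf` pipe is the POSIX equivalent of Laszlo's bash here-string; `--password-stdin` consumes one line from stdin either way. Note the asymmetry Daniel relies on: `/proc/<pid>/cmdline` is readable by every user in the PID namespace, whereas `/proc/<pid>/environ` is readable only by the process owner and root, so moving the secret from argv to an environment variable plus stdin narrows the set of observers even inside the `docker:dind` container.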