4c40b92950
Because buildset registries may be used by jobs that finish before other jobs are finished using the buildset registry we must be careful not to expose the registry credentials in the jobs that finish sooner. Otherwise logs for the earlier job runs could potentially be used to poison the registry for later jobs. This is likely currently incomplete. Other Zuulians should look over it carefully to ensure we're covering all the bases here. The cases I've identified so far are: * Setting facts that include passwords * Reading and writing to files that include passwords (as content may be logged) * Calling modules with passwords passed as arguments (the module invocation is logged) I've also set no_log on zuul_return that passes up credentials because while the logging for zuul_return is minimal today, I don't want to count on it remaining that way. We also use the yet to be merged secret_data attribute on zuul_return to ensure that zuul_return itself does not expose anything unwanted. Finally it would be great if others could check over the use of buildset_registry variables to make sure there aren't any that got missed. One thing I'm not sure of is whether or not when conditionals get logged and if we need to be careful about their use too. Temporarily remove some buildset-regitry jobs which are in a catch-22. Change-Id: I2dea683e27f00b99a7766bf830981bf91b925265
93 lines
3.1 KiB
YAML
93 lines
3.1 KiB
YAML
- name: Check for results.json
|
|
stat:
|
|
path: "{{ zuul.executor.work_root }}/results.json"
|
|
register: result_json_stat
|
|
delegate_to: localhost
|
|
|
|
# This can be removed if we add this functionality to Zuul directly
|
|
- name: Load information from zuul_return
|
|
set_fact:
|
|
buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
|
|
when:
|
|
- buildset_registry is not defined
|
|
- result_json_stat.stat.exists
|
|
- result_json_stat.stat.size > 0
|
|
- "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
|
|
no_log: true
|
|
|
|
# Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
|
|
# so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
|
|
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
|
|
become: yes
|
|
lineinfile:
|
|
path: /etc/hosts
|
|
state: present
|
|
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset-registry$"
|
|
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset-registry"
|
|
insertafter: EOF
|
|
when: buildset_registry is defined and buildset_registry.host | ipaddr
|
|
|
|
- name: Set buildset_registry alias variable when using ip
|
|
set_fact:
|
|
buildset_registry_alias: zuul-jobs.buildset-registry
|
|
when: buildset_registry is defined and buildset_registry.host | ipaddr
|
|
|
|
- name: Set buildset_registry alias variable when using name
|
|
set_fact:
|
|
buildset_registry_alias: "{{ buildset_registry.host }}"
|
|
when: buildset_registry is defined and not ( buildset_registry.host | ipaddr )
|
|
|
|
- name: Determine if we need to use buildx or normal build
|
|
set_fact:
|
|
use_buildx: "{{ docker_images | selectattr('arch', 'defined') | list }}"
|
|
|
|
- name: Normal docker block
|
|
when: not use_buildx
|
|
block:
|
|
|
|
- name: Build docker images
|
|
include_tasks: build.yaml
|
|
loop: "{{ docker_images }}"
|
|
loop_control:
|
|
loop_var: zj_image
|
|
|
|
# Push each image.
|
|
- name: Push image to buildset registry
|
|
when: buildset_registry is defined
|
|
include_tasks: push.yaml
|
|
loop: "{{ docker_images }}"
|
|
loop_control:
|
|
loop_var: zj_image
|
|
|
|
- name: Buildx block
|
|
when: use_buildx
|
|
vars:
|
|
temp_registry:
|
|
host: "127.0.0.1"
|
|
port: 5100
|
|
username: zuul
|
|
password: tempregistry
|
|
block:
|
|
- name: Set up a temporary registry for holding buildx-built images
|
|
import_tasks: ../../../util-tasks/run-docker-registry.yaml
|
|
vars:
|
|
registry: "{{ temp_registry }}"
|
|
container_command: docker
|
|
|
|
- name: Log in to temporary registry
|
|
command: "docker login -u {{ temp_registry.username }} -p {{ temp_registry.password }} {{ temp_registry.host }}:{{ temp_registry.port }}"
|
|
|
|
- name: Set up buildx builders
|
|
include_tasks: setup-buildx.yaml
|
|
|
|
- name: Build and push each image using buildx.
|
|
include_tasks: buildx.yaml
|
|
loop: "{{ docker_images }}"
|
|
loop_control:
|
|
loop_var: zj_image
|
|
|
|
- name: Cleanup sibling source directory
|
|
file:
|
|
path: '{{ zuul_work_dir }}/.zuul-siblings'
|
|
state: absent
|