diff options
| author |   Trevor Bramwell <tbramwell@linuxfoundation.org> | 2017-06-19 11:06:12 -0700 |
|---|---|---|
| committer | Trevor Bramwell <tbramwell@linuxfoundation.org> | 2017-06-21 10:14:12 -0700 |
| commit | b582903071ca4ee1ed453a8a1961e8f5c1eff68c (patch) | |
| tree | 4a7c0ca695af9162640abb1b82592b16cce7f0bd /jjb/ci_gate_security | |
| parent | f25dd3b80ec0425684057a30302e8c15827c4e93 (diff) | |
Directly Run Anteater Docker Container
The current approach is to run /bin/bash in a fully privilaged docker
container as the root user and exec the anteater command from this.
There are a couple of reasons this approach doesn't make sense:
1) anteater is not a long running service
2) anteater doesn't need any privilaged access to the host
3) anteater is already a compiled binary and can be ran directly
Because the anteater container doesn't need access to all the host
devices nor is it running docker containers inside of docker, the
`--privileged=true` flag can be removed.
Note: '--rm' is added as well to ensure volumes do not persist past the
container lifecycle and lead to build server running out of disk space.
JIRA: RELENG-250
Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Diffstat (limited to 'jjb/ci_gate_security')
| -rw-r--r-- | jjb/ci_gate_security/anteater-security-audit.sh | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh index d5c0e407c..2b5c26a5a 100644 --- a/jjb/ci_gate_security/anteater-security-audit.sh +++ b/jjb/ci_gate_security/anteater-security-audit.sh @@ -15,18 +15,14 @@ echo "--------------------------------------------------------" docker pull opnfv/releng-anteater echo "--------------------------------------------------------" -cmd="sudo docker run --privileged=true -id $envs $vols opnfv/releng-anteater /bin/bash" -echo "Running docker command $cmd" -container_id=$($cmd) -echo "Container ID is $container_id" -cmd="anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" -echo "Executing command inside container" +cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \ +anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" +echo "Running docker container" echo "$cmd" -echo "--------------------------------------------------------" -docker exec $container_id $cmd > $WORKSPACE/securityaudit.log 2>&1 +$cmd > $WORKSPACE/securityaudit.log 2>&1 exit_code=$? echo "--------------------------------------------------------" -echo "Stopping docker container with ID $container_id" -docker stop $container_id +echo "Docker container exited with code: $exit_code" +echo "--------------------------------------------------------" cat securityaudit.log exit 0 |