summaryrefslogtreecommitdiffstats
path: root/jjb
diff options
context:
space:
mode:
authorTrevor Bramwell <tbramwell@linuxfoundation.org>2017-06-19 11:06:12 -0700
committerTrevor Bramwell <tbramwell@linuxfoundation.org>2017-06-21 10:14:12 -0700
commitb582903071ca4ee1ed453a8a1961e8f5c1eff68c (patch)
tree4a7c0ca695af9162640abb1b82592b16cce7f0bd /jjb
parentf25dd3b80ec0425684057a30302e8c15827c4e93 (diff)
Directly Run Anteater Docker Container
The current approach is to run /bin/bash in a fully privilaged docker container as the root user and exec the anteater command from this. There are a couple of reasons this approach doesn't make sense: 1) anteater is not a long running service 2) anteater doesn't need any privilaged access to the host 3) anteater is already a compiled binary and can be ran directly Because the anteater container doesn't need access to all the host devices nor is it running docker containers inside of docker, the `--privileged=true` flag can be removed. Note: '--rm' is added as well to ensure volumes do not persist past the container lifecycle and lead to build server running out of disk space. JIRA: RELENG-250 Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
Diffstat (limited to 'jjb')
-rw-r--r--jjb/ci_gate_security/anteater-security-audit.sh16
1 files changed, 6 insertions, 10 deletions
diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh
index d5c0e407c..2b5c26a5a 100644
--- a/jjb/ci_gate_security/anteater-security-audit.sh
+++ b/jjb/ci_gate_security/anteater-security-audit.sh
@@ -15,18 +15,14 @@ echo "--------------------------------------------------------"
docker pull opnfv/releng-anteater
echo "--------------------------------------------------------"
-cmd="sudo docker run --privileged=true -id $envs $vols opnfv/releng-anteater /bin/bash"
-echo "Running docker command $cmd"
-container_id=$($cmd)
-echo "Container ID is $container_id"
-cmd="anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset"
-echo "Executing command inside container"
+cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \
+anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset"
+echo "Running docker container"
echo "$cmd"
-echo "--------------------------------------------------------"
-docker exec $container_id $cmd > $WORKSPACE/securityaudit.log 2>&1
+$cmd > $WORKSPACE/securityaudit.log 2>&1
exit_code=$?
echo "--------------------------------------------------------"
-echo "Stopping docker container with ID $container_id"
-docker stop $container_id
+echo "Docker container exited with code: $exit_code"
+echo "--------------------------------------------------------"
cat securityaudit.log
exit 0