From b582903071ca4ee1ed453a8a1961e8f5c1eff68c Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Mon, 19 Jun 2017 11:06:12 -0700 Subject: Directly Run Anteater Docker Container The current approach is to run /bin/bash in a fully privilaged docker container as the root user and exec the anteater command from this. There are a couple of reasons this approach doesn't make sense: 1) anteater is not a long running service 2) anteater doesn't need any privilaged access to the host 3) anteater is already a compiled binary and can be ran directly Because the anteater container doesn't need access to all the host devices nor is it running docker containers inside of docker, the `--privileged=true` flag can be removed. Note: '--rm' is added as well to ensure volumes do not persist past the container lifecycle and lead to build server running out of disk space. JIRA: RELENG-250 Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a Signed-off-by: Trevor Bramwell
---
 jjb/ci_gate_security/anteater-security-audit.sh | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'jjb/ci_gate_security')
diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh
index d5c0e407c..2b5c26a5a 100644
--- a/jjb/ci_gate_security/anteater-security-audit.sh
+++ b/jjb/ci_gate_security/anteater-security-audit.sh
@@ -15,18 +15,14 @@
 echo "--------------------------------------------------------"
 docker pull opnfv/releng-anteater
 echo "--------------------------------------------------------"
-cmd="sudo docker run --privileged=true -id $envs $vols opnfv/releng-anteater /bin/bash"
-echo "Running docker command $cmd"
-container_id=$($cmd)
-echo "Container ID is $container_id"
-cmd="anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset"
-echo "Executing command inside container"
+cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \
+anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset"
+echo "Running docker container"
 echo "$cmd"
-echo "--------------------------------------------------------"
-docker exec $container_id $cmd > $WORKSPACE/securityaudit.log 2>&1
+$cmd > $WORKSPACE/securityaudit.log 2>&1
 exit_code=$?
 echo "--------------------------------------------------------"
-echo "Stopping docker container with ID $container_id"
-docker stop $container_id
+echo "Docker container exited with code: $exit_code"
+echo "--------------------------------------------------------"
 cat securityaudit.log
 exit 0
-- 
cgit 1.2.3-korg
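Review bot: The container's exit status is captured into `exit_code` and echoed on the new line, but the script still ends with `exit 0`, so a non-zero result from anteater never fails the gate job; unless the log is evaluated by a later step, the last line should be `exit $exit_code`. The redirect writes to `$WORKSPACE/securityaudit.log` while the following `cat securityaudit.log` reads a relative path, which only lines up when the working directory is `$WORKSPACE`; `cat "$WORKSPACE/securityaudit.log"` removes that dependency. The new `$cmd > ...` line also relies on unquoted word splitting of a string that embeds `$PROJECT`, so a project name or volume/env string containing whitespace or glob characters would be split or expanded before reaching docker; a bash array (`cmd=(docker run -i ...)` invoked as `"${cmd[@]}"`) is the safer form, though `$envs` and `$vols` are defined outside the hunk and may be intended to split. The script's head and the definitions of `$envs`/`$vols` are outside the hunk.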