From b582903071ca4ee1ed453a8a1961e8f5c1eff68c Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Mon, 19 Jun 2017 11:06:12 -0700 Subject: Directly Run Anteater Docker Container The current approach is to run /bin/bash in a fully privilaged docker container as the root user and exec the anteater command from this. There are a couple of reasons this approach doesn't make sense: 1) anteater is not a long running service 2) anteater doesn't need any privilaged access to the host 3) anteater is already a compiled binary and can be ran directly Because the anteater container doesn't need access to all the host devices nor is it running docker containers inside of docker, the `--privileged=true` flag can be removed. Note: '--rm' is added as well to ensure volumes do not persist past the container lifecycle and lead to build server running out of disk space. JIRA: RELENG-250 Change-Id: I1ec90b3737abf591b6b3373fe2fc8f52cdcfb11a Signed-off-by: Trevor Bramwell --- jjb/ci_gate_security/anteater-security-audit.sh | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'jjb') diff --git a/jjb/ci_gate_security/anteater-security-audit.sh b/jjb/ci_gate_security/anteater-security-audit.sh index d5c0e407c..2b5c26a5a 100644 --- a/jjb/ci_gate_security/anteater-security-audit.sh +++ b/jjb/ci_gate_security/anteater-security-audit.sh @@ -15,18 +15,14 @@ echo "--------------------------------------------------------" docker pull opnfv/releng-anteater echo "--------------------------------------------------------" -cmd="sudo docker run --privileged=true -id $envs $vols opnfv/releng-anteater /bin/bash" -echo "Running docker command $cmd" -container_id=$($cmd) -echo "Container ID is $container_id" -cmd="anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" -echo "Executing command inside container" +cmd="docker run -i $envs $vols --rm opnfv/releng-anteater \ +anteater --project $PROJECT --patchset /home/opnfv/anteater/$PROJECT/patchset" +echo "Running docker container" echo "$cmd" -echo "--------------------------------------------------------" -docker exec $container_id $cmd > $WORKSPACE/securityaudit.log 2>&1 +$cmd > $WORKSPACE/securityaudit.log 2>&1 exit_code=$? echo "--------------------------------------------------------" -echo "Stopping docker container with ID $container_id" -docker stop $container_id +echo "Docker container exited with code: $exit_code" +echo "--------------------------------------------------------" cat securityaudit.log exit 0 -- cgit 1.2.3-korg