Re: Changes to GitLab runners configuration
- From: Bastien Nocera <hadess hadess net>
- To: Bartłomiej Piotrowski <bpiotrowski gnome org>, desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: Changes to GitLab runners configuration
- Date: Mon, 24 Feb 2020 10:11:08 +0100
On Wed, 2020-02-19 at 14:50 +0100, Bartłomiej Piotrowski wrote:
> Hello,
>
> For historical reasons™ all GitLab runners were running with privileged
> mode enabled. The happy side effect of this fact is that nothing special
> was ever needed to run Docker or flatpak builds. It also means we were
> extremely lucky that no one abused CAP_SYS_ADMIN and other elevated
> privileges for bad things.
>
> For the past few days I've been working to ensure that Flatpak builds are
> still functional without additional privileges. If your project is using
> citemplates[1], the configuration change should be invisible to your
> pipelines and you can keep on doing awesome GNOME work. However, if you
> have modified default steps via the 'extends' keyword (or by defining them
> completely manually), please make sure that:
It seems like this isn't quite working as it should. This MR is porting
sound-juicer to meson:
https://gitlab.gnome.org/GNOME/sound-juicer/-/merge_requests/6

It uses the flatpak_ci_initiative.yml template and throws this error:

  bwrap: Creating new namespace failed, likely because the kernel does
  not support user namespaces. bwrap must be installed setuid on such
  systems.
> 1) you are using the
> registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome image or your
> image does not run as root,
From the template:

  .flatpak:
    image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'
> 2) jobs using flatpak/flatpak-builder have the "flatpak" tag defined,
From the template:

  tags:
    - flatpak

And in the pipeline output:
https://gitlab.gnome.org/GNOME/sound-juicer/-/jobs/606529
> 3) the flatpak-builder invocation includes --user --disable-rofiles-fuse for
> building; 'flatpak-builder --run' includes --disable-rofiles-fuse.
In the template:

  script:
    - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}

(also visible in the pipeline output).

Is there anything else that needs to be done?
> If your project's pipeline is using Docker to build an image from a
> Dockerfile, consider switching to podman or buildah as they should work
> unprivileged.
>
> The only exception to these changes is the runners assigned to
> gnome-build-meta.
>
> If you encounter any problems with running CI unprivileged, please poke
> me on #sysadmin on irc.gnome.org or via Rocket.chat.
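The bwrap error quoted in the reply names two possible causes: the kernel not offering unprivileged user namespaces, or bwrap not being installed setuid. The POSIX sh script below is an added example, not part of this thread, of citemplates, flatpak-builder or bwrap; it checks the sysctl knobs and the setuid bit that message points at, then tries to create a user namespace the way bwrap would. The function names, the /usr/bin/bwrap fallback path and the "run" argument convention are assumptions of this example; the knobs are read from a caller-supplied proc root so the logic can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added diagnostic for "bwrap: Creating new namespace failed" in an unprivileged
# CI job. Hypothetical helper (not citemplates, flatpak-builder or bwrap code).
#
# userns_diagnose PROC_ROOT BWRAP_PATH
# Reads the knobs bwrap's message points at from PROC_ROOT (/proc on a live
# system, a constructed tree in a test). Prints one line per finding and
# returns 0 when unprivileged user namespaces look usable, or when bwrap is
# setuid and does not need them; 1 otherwise.
userns_diagnose() {
    proc_root=$1
    bwrap=$2
    ok=1

    # Mainline sysctl (user.max_user_namespaces): 0 disables user namespaces
    # for every uid; a missing file usually means CONFIG_USER_NS is off.
    max_ns_file="$proc_root/sys/user/max_user_namespaces"
    if [ -r "$max_ns_file" ]; then
        max_ns=$(cat "$max_ns_file")
        if [ "${max_ns:-0}" -eq 0 ] 2>/dev/null; then
            echo "user.max_user_namespaces is 0: user namespaces disabled"
            ok=0
        fi
    else
        echo "no $max_ns_file: kernel probably built without CONFIG_USER_NS"
        ok=0
    fi

    # Debian/Ubuntu-only sysctl (kernel.unprivileged_userns_clone). Absent on
    # other kernels, which is fine; 0 means only root may unshare(CLONE_NEWUSER).
    clone_file="$proc_root/sys/kernel/unprivileged_userns_clone"
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo "kernel.unprivileged_userns_clone is 0: unprivileged user namespaces disabled"
        ok=0
    fi

    # bwrap's own fallback, as its error message says: a setuid bwrap sets the
    # sandbox up as root and does not need user namespaces at all.
    if [ -u "$bwrap" ]; then
        echo "$bwrap is setuid: bwrap can sandbox without user namespaces"
        return 0
    fi

    [ "$ok" -eq 1 ]
}

# userns_live_check
# Inside a container the sysctls can look fine and unshare() still fail,
# because the runtime's seccomp profile (Docker's default, for one) rejects
# CLONE_NEWUSER for unprivileged containers. Asking the kernel is the only
# reliable answer, so this does what bwrap does: try to create one.
userns_live_check() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo "unshare(1) not found; cannot probe user namespaces"
        return 2
    fi
    if unshare -U true 2>/dev/null; then
        echo "unshare -U succeeded: unprivileged user namespaces work here"
        return 0
    fi
    echo "unshare -U failed: kernel policy or the container's seccomp/capability set blocks CLONE_NEWUSER"
    return 1
}

main() {
    # /usr/bin/bwrap is an assumed fallback location when bwrap is not on PATH.
    bwrap=$(command -v bwrap || echo /usr/bin/bwrap)
    userns_diagnose /proc "$bwrap" || :     # findings are printed; the probe below decides
    userns_live_check && live=0 || live=$?
    # A setuid bwrap works without user namespaces; otherwise the live probe is decisive.
    [ -u "$bwrap" ] || [ "$live" -eq 0 ]
}

# Run the live diagnosis only when invoked as "sh userns_check.sh run", so that
# sourcing the file merely defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Put `sh userns_check.sh run` in a job's before_script to get the reasons printed alongside the bwrap failure. The live probe matters most on a Docker executor: both sysctls can report user namespaces as enabled while the container's default seccomp profile still rejects the CLONE_NEWUSER unshare that bwrap needs, which is exactly what the static checks alone would miss.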