Merge branch 'dev-ci' into 'master'

MAJ CI + volumes dans Dokuwiki

See merge request !31

.gitlab-ci.yml

@@ -13,22 +13,26 @@ stages:
 metabuild:
     stage: metabuild
     before_script:
-        - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin
+        - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
     script:
-        - docker build -f pica-ci/Dockerfile . -t $REGISTRY_PROD/pica-ci
-        - docker push $REGISTRY_PROD/pica-ci:latest
+        - docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci
+        - docker push $REGISTRY/pica-ci:latest
+    after_script:
+        - docker logout $REGISTRY
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
         
 # build the container that was modified
 build:
     stage: build
-    image: $REGISTRY_PROD/pica-ci:latest
+    image: $REGISTRY/pica-ci:latest
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
-        - echo $MODIFIED_IMAGE
         - source /etc/profile.d/ci-variables
     script:
         - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA
@@ -38,12 +42,15 @@ build:
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
 
 # run CoreOS' Clair and make the CI failed if a critical vulnerability isn't in the whitelist
 clair:
     stage: static_tests
-    image: $REGISTRY_PROD/pica-ci:latest
+    image: $REGISTRY/pica-ci:latest
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
         - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
@@ -64,13 +71,15 @@ clair:
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
-    allow_failure: false
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
 
 # run docker-bench-security and upload the results
 docker-bench-security:
     stage: dynamic_tests
-    image: $REGISTRY_PROD/pica-ci:latest
+    image: $REGISTRY/pica-ci:latest
     before_script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
         - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
@@ -83,6 +92,7 @@ docker-bench-security:
         # if secrets.example files exist, remove the .example extension to be able to start the container
         - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi;
         - cd $MODIFIED_IMAGE
+        - docker volume create $CONTAINER_NAME
         - docker-compose up -d
         - git clone https://github.com/docker/docker-bench-security.git
         - cd docker-bench-security
@@ -95,12 +105,15 @@ docker-bench-security:
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
 
 # automatically deploy the container on pica01-test
 deployment-test: 
     stage: deployment
-    image: $REGISTRY_PROD/pica-ci:latest
+    image: $REGISTRY/pica-ci:latest
     before_script:
         - source /etc/profile.d/ci-variables
         - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376
@@ -110,7 +123,7 @@ deployment-test:
         - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
         - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
         - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
-    script:        
+    script:
         - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin     
         - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
         - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest  $MODIFIED_IMAGE_FULL
@@ -124,13 +137,16 @@ deployment-test:
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
 
 # automatically deploy the container on the production host associated with the modified image
 # this will only happen after manually triggering the deployment
 deployment-prod: 
     stage: deployment
-    image: $REGISTRY_PROD/pica-ci:latest
+    image: $REGISTRY/pica-ci:latest
     before_script:
         - source /etc/profile.d/ci-variables
         - TMP_DOCKER_CA_CERT="${HOST}_DOCKER_CA_CERT" && eval DOCKER_CA_CERT_VARIABLE=\$$TMP_DOCKER_CA_CERT
@@ -158,5 +174,8 @@ deployment-prod:
     tags: [build]
     only:
         changes:
-            - pica-dokuwiki/*
+            - "pica-dokuwiki/*"
+        refs:
+            - master
+            - dev-ci
     when: manual
\ No newline at end of file

get-modified-image.sh

@@ -4,16 +4,25 @@
 # this script should become obsolete as soon as a proper way of getting the modified files is added to Gitlab CI
 
 RES=""
-for i in $(git diff-tree --no-commit-id --name-only $CI_COMMIT_SHA)
+for i in $(git log -m -1 --name-only --pretty="format:" $CI_COMMIT_SHA)
 do
 	case "$i" in
-		*pica*) RES=$i ;;
+		*pica*) RES=$(echo $i | cut -d '/' -f1);;
 	esac
 done
+
+if [[ "$RES" == "" ]]
+then
+	echo "No image modified"
+	exit 1
+fi
+
 RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-)
 if [[ "$RES" == "" ]]
 then
+	echo "No image modified"
 	exit 1
 else
 	echo $RES
 fi
+

pica-ci/Dockerfile

@@ -18,10 +18,8 @@ RUN apk update && \
     export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) && \
     export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) && \
     export CONTAINER_NAME=$(cat $MODIFIED_IMAGE/docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1 | xargs) && \
-    mkdir -p /root/.docker && \
     export HOST=$(./get-host-by-image.sh) && \
     echo "MODIFIED_IMAGE=$MODIFIED_IMAGE" >> /etc/profile.d/ci-variables && \
     echo "MODIFIED_IMAGE_FULL=$MODIFIED_IMAGE_FULL" >> /etc/profile.d/ci-variables && \
     echo "CONTAINER_NAME=$CONTAINER_NAME" >> /etc/profile.d/ci-variables && \
-    echo "HOST=$HOST" >> /etc/profile.d/ci-variables && \
-    cat /etc/profile.d/ci-variables
+    echo "HOST=$HOST" >> /etc/profile.d/ci-variables

pica-dokuwiki/clair-whitelist.yml

@@ -8,4 +8,4 @@ generalwhitelist:
     CVE-2017-12424: shadow -> Pas de contre-mesure
     CVE-2016-2779: util-linux -> Pas de contre-mesure
     CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure
-    CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure 
\ No newline at end of file
+    CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure
\ No newline at end of file

pica-dokuwiki/docker-compose.yml

 version : "2.4"
 
+volumes:
+  dokuwiki-app-volume:
+    external: 
+        name: "dokuwiki-app"
+
 networks:
   docker_default:
     external: true
@@ -9,7 +14,7 @@ services:
         image: pica-dokuwiki:stable
         container_name: dokuwiki-app
         volumes:
-          - /DATA/docker/wiki/html:/var/www/html
+          - dokuwiki-app-volume:/var/www/html
         security_opt:
           - no-new-privileges
         mem_limit: "2048m"