diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f0ba66573fd609e7814d8d1c641044baa4b05c75..364d32c84b83546b28d148aa979dbc9e3230e1bc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,22 +13,26 @@ stages:
 metabuild:
 stage: metabuild
 before_script:
- - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
 script:
- - docker build -f pica-ci/Dockerfile . -t $REGISTRY_PROD/pica-ci
- - docker push $REGISTRY_PROD/pica-ci:latest
+ - docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci
+ - docker push $REGISTRY/pica-ci:latest
+ after_script:
+ - docker logout $REGISTRY
 tags: [build]
 only:
 changes:
- - pica-dokuwiki/*
+ - "pica-dokuwiki/*"
+ refs:
+ - master
+ - dev-ci

 # build the container that was modified
 build:
 stage: build
- image: $REGISTRY_PROD/pica-ci:latest
+ image: $REGISTRY/pica-ci:latest
 before_script:
 - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
- - echo $MODIFIED_IMAGE
 - source /etc/profile.d/ci-variables
 script:
 - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA
@@ -38,12 +42,15 @@ build:
 tags: [build]
 only:
 changes:
- - pica-dokuwiki/*
+ - "pica-dokuwiki/*"
+ refs:
+ - master
+ - dev-ci

 # run CoreOS' Clair and make the CI failed if a critical vulnerability isn't in the whitelist
 clair:
 stage: static_tests
- image: $REGISTRY_PROD/pica-ci:latest
+ image: $REGISTRY/pica-ci:latest
 before_script:
 - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
 - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
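Review bot: Allowing `dev-ci` alongside `master` under `refs:` means two pipelines can now run at the same time, while every downstream job keeps pulling the single mutable tag `$REGISTRY/pica-ci:latest` that this job pushes — and, as the `pica-ci/Dockerfile` hunk shows, that image carries `MODIFIED_IMAGE` and `HOST` baked into `/etc/profile.d/ci-variables`, so a job in one pipeline can inherit the other pipeline's build target and deployment host. Tag the image per pipeline instead: `-t $REGISTRY/pica-ci:$CI_PIPELINE_ID`, `docker push $REGISTRY/pica-ci:$CI_PIPELINE_ID`, and `image: $REGISTRY/pica-ci:$CI_PIPELINE_ID` in the jobs that consume it. While here, `printf '%s' "$REGISTRY_PASSWORD" | docker login …` is safer than `echo $REGISTRY_PASSWORD`, which word-splits the value and mangles a password beginning with `-`. The `only:changes` filter on this job still watches `pica-dokuwiki/*` rather than `pica-ci/*`, which looks unintended for the job that rebuilds the pica-ci image.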
@@ -64,13 +71,15 @@ clair:
 tags: [build]
 only:
 changes:
- - pica-dokuwiki/*
- allow_failure: false
+ - "pica-dokuwiki/*"
+ refs:
+ - master
+ - dev-ci

 # run docker-bench-security and upload the results
 docker-bench-security:
 stage: dynamic_tests
- image: $REGISTRY_PROD/pica-ci:latest
+ image: $REGISTRY/pica-ci:latest
 before_script:
 - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
 - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
@@ -83,6 +92,7 @@ docker-bench-security:
 # if secrets.example files exist, remove the .example extension to be able to start the container
 - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi;
 - cd $MODIFIED_IMAGE
+ - docker volume create $CONTAINER_NAME
 - docker-compose up -d
 - git clone https://github.com/docker/docker-bench-security.git
 - cd docker-bench-security
@@ -95,12 +105,15 @@ docker-bench-security:
 tags: [build]
 only:
 changes:
- - pica-dokuwiki/*
+ - "pica-dokuwiki/*"
+ refs:
+ - master
+ - dev-ci

 # automatically deploy the container on pica01-test
 deployment-test:
 stage: deployment
- image: $REGISTRY_PROD/pica-ci:latest
+ image: $REGISTRY/pica-ci:latest
 before_script:
 - source /etc/profile.d/ci-variables
 - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376
@@ -110,7 +123,7 @@ deployment-test:
 - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
 - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
 - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
- script:
+ script:
 - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
 - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
 - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $MODIFIED_IMAGE_FULL
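Review bot: The `docker logout $REGISTRY` that this commit adds to metabuild's `after_script` is missing from `docker-bench-security` (and from `build`, `clair` and both deployment jobs), although each of them logs in with the same credentials; on a shell-executor runner the token persists in `~/.docker/config.json` beyond the job and is readable by whatever runs next on that runner — whether that applies depends on how the `build`-tagged runner is configured, which the diff does not show. Give every job that runs `docker login` the same `after_script:` / `- docker logout $REGISTRY`, ideally through one shared anchor so they cannot drift apart again. Dropping `allow_failure: false` changes nothing, since false is the default.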
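Review bot: `docker volume create $CONTAINER_NAME` succeeds silently when the volume already exists, so the `dokuwiki-app` volume created on the runner's daemon is kept after the job and handed unchanged to the next pipeline's bench run: state written by one test run leaks into the next and the runner accumulates volumes. Unless a later line of this job (not visible in the hunk) already does it, tear it down in `after_script`, re-sourcing the variables because `after_script` starts a fresh shell: `source /etc/profile.d/ci-variables`, `docker-compose -f $MODIFIED_IMAGE/docker-compose.yml down`, `docker volume rm -f $CONTAINER_NAME`. A comment on the new line, `# external volume expected by docker-compose.yml; removed again in after_script`, would make the pairing obvious.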
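Review bot: With `dev-ci` added to `refs:`, `deployment-test` — which has no `when: manual` — now deploys automatically to `pica01-test.picasoft.net` from a second branch using the `DEV_DOCKER_*` client certificate, so `dev-ci` should be a protected branch: if those variables are marked protected in GitLab they expand empty on an unprotected branch and the job writes empty `.pem` files, and if they are not, anyone who can push to `dev-ci` can reach the test host's Docker API. The certificate writes that follow in the next hunk (`echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem`) use the runner's default umask; prefix them with `umask 077` so the client key is not world-readable on the runner. The rest of this job's `before_script` and `script` lie outside the hunk.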
@@ -124,13 +137,16 @@ deployment-test: tags: [build] only: changes: - - pica-dokuwiki/* + - "pica-dokuwiki/*" + refs: + - master + - dev-ci # automatically deploy the container on the production host associated with the modified image # this will only happen after manually triggering the deployment deployment-prod: stage: deployment - image: $REGISTRY_PROD/pica-ci:latest + image: $REGISTRY/pica-ci:latest before_script: - source /etc/profile.d/ci-variables - TMP_DOCKER_CA_CERT="${HOST}_DOCKER_CA_CERT" && eval DOCKER_CA_CERT_VARIABLE=\$$TMP_DOCKER_CA_CERT @@ -158,5 +174,8 @@ deployment-prod: tags: [build] only: changes: - - pica-dokuwiki/* + - "pica-dokuwiki/*" + refs: + - master + - dev-ci when: manual \ No newline at end of file diff --git a/get-modified-image.sh b/get-modified-image.sh old mode 100644 new mode 100755 index 386c62feacb84ad9df361284684e980133483a75..7ad6f52ef05d8a0cd33070d33dba288249f195ac --- a/get-modified-image.sh +++ b/get-modified-image.sh @@ -4,16 +4,25 @@ # this script should become obsolete as soon as a proper way of getting the modified files is added to Gitlab CI RES="" -for i in $(git diff-tree --no-commit-id --name-only $CI_COMMIT_SHA) +for i in $(git log -m -1 --name-only --pretty="format:" $CI_COMMIT_SHA) do case "$i" in - *pica*) RES=$i ;; + *pica*) RES=$(echo $i | cut -d '/' -f1);; esac done + +if [[ "$RES" == "" ]] +then + echo "No image modified" + exit 1 +fi + RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-) if [[ "$RES" == "" ]] then + echo "No image modified" exit 1 else echo $RES fi + diff --git a/pica-ci/Dockerfile b/pica-ci/Dockerfile index 419b2fbcc7e8aa7120a3b4924f916819cc4f0191..f3dde1ff8735cc6760540dee3402bb9dd4acf522 100644 --- a/pica-ci/Dockerfile +++ b/pica-ci/Dockerfile 
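Review bot: `deployment-prod` now also accepts `dev-ci`, so the manual production deploy (`when: manual` right below) can be triggered from a development branch with whatever `${HOST}_DOCKER_*` credentials the pipeline exposes to it; unless that is intended, keep this job's `refs:` to `- master` only and leave `dev-ci` on `deployment-test`. Separately, the quoted `"pica-dokuwiki/*"` used in every job's `only:changes` matches only files directly under `pica-dokuwiki/`, not in sub-directories such as `pica-dokuwiki/secrets/` that the bench job reads, so a commit touching only a sub-directory skips the whole pipeline; use `"pica-dokuwiki/**/*"`. The job's `before_script` with its `eval` of `${HOST}_DOCKER_CA_CERT` starts in the previous hunk.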
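Review bot: The new `echo "No image modified"` is written to stdout, but the caller in `pica-ci/Dockerfile` captures this script with `export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)`, so on a miss the message itself becomes `MODIFIED_IMAGE_FULL` (and `MODIFIED_IMAGE`, derived from it) while the `exit 1` is hidden behind `export`'s own zero exit status; send it to stderr in both places, `echo "No image modified" >&2`. The loop also keeps only the last path that matches `*pica*`, so a commit touching two `pica-*` directories silently builds just one, and `pica-ci/…` itself matches the pattern although it has no `docker-compose.yml`. `RES=${i%%/*}` does the same as `$(echo $i | cut -d '/' -f1)` without the subshell and without word-splitting `$i`.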
@@ -18,10 +18,8 @@ RUN apk update && \
 export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) && \
 export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) && \
 export CONTAINER_NAME=$(cat $MODIFIED_IMAGE/docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1 | xargs) && \
- mkdir -p /root/.docker && \
 export HOST=$(./get-host-by-image.sh) && \
 echo "MODIFIED_IMAGE=$MODIFIED_IMAGE" >> /etc/profile.d/ci-variables && \
 echo "MODIFIED_IMAGE_FULL=$MODIFIED_IMAGE_FULL" >> /etc/profile.d/ci-variables && \
 echo "CONTAINER_NAME=$CONTAINER_NAME" >> /etc/profile.d/ci-variables && \
- echo "HOST=$HOST" >> /etc/profile.d/ci-variables && \
- cat /etc/profile.d/ci-variables
+ echo "HOST=$HOST" >> /etc/profile.d/ci-variables
diff --git a/pica-dokuwiki/clair-whitelist.yml b/pica-dokuwiki/clair-whitelist.yml
index 6c0c6e6e16c9f7759c418b32166917e7cb9c18fb..32be8c2f1934908a7923d8ac1c4054d3c31dabd5 100644
--- a/pica-dokuwiki/clair-whitelist.yml
+++ b/pica-dokuwiki/clair-whitelist.yml
@@ -8,4 +8,4 @@ generalwhitelist:
 CVE-2017-12424: shadow -> Pas de contre-mesure
 CVE-2016-2779: util-linux -> Pas de contre-mesure
 CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure
- CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure
\ No newline at end of file
+ CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure
\ No newline at end of file
diff --git a/pica-dokuwiki/docker-compose.yml b/pica-dokuwiki/docker-compose.yml
index 19a0c97de8575bbe381720f2524326a82b4756c9..410f9e756362f9c1ed74f8d260e112285c42499e 100644
--- a/pica-dokuwiki/docker-compose.yml
+++ b/pica-dokuwiki/docker-compose.yml
@@ -1,5 +1,10 @@
 version : "2.4"

+volumes:
+ dokuwiki-app-volume:
+ external:
+ name: "dokuwiki-app"
+
 networks:
 docker_default:
 external: true
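Review bot: Each `export NAME=$(…) && \` line still reports `export`'s exit status, which is 0 whatever the substitution returned, so the `exit 1` that `get-modified-image.sh` now emits never fails the image build and the remaining steps run on with a bogus `MODIFIED_IMAGE`; assign first and export afterwards so the `&&` chain actually stops, as shown below (only the four variable lines change, the `echo … >> /etc/profile.d/ci-variables` lines stay). Note also that these values are fixed at `docker build` time: the metabuild job passes no `--build-arg`, so unless an `ARG CI_COMMIT_SHA` earlier in the Dockerfile (outside the hunk) provides it, the script is effectively running `git log … ""`, i.e. against the HEAD of the checkout copied into the image — worth a comment on the `RUN`. The `RUN` these lines belong to starts outside the hunk.
```dockerfile
    MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) && export MODIFIED_IMAGE_FULL && \
    MODIFIED_IMAGE=${MODIFIED_IMAGE_FULL%%:*} && export MODIFIED_IMAGE && \
    CONTAINER_NAME=$(grep -B1 "$MODIFIED_IMAGE" "$MODIFIED_IMAGE/docker-compose.yml" | head -n1 | cut -d ':' -f1 | xargs) && export CONTAINER_NAME && \
    HOST=$(./get-host-by-image.sh) && export HOST && \
    # … unchanged: the four echo lines appending to /etc/profile.d/ci-variables …
```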
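Review bot: Marking `dokuwiki-app-volume` as `external` tells compose never to create it, so `docker-compose up` refuses to start and asks for the volume to be created manually on any daemon where `dokuwiki-app` does not already exist; the only creation in this commit is `docker volume create $CONTAINER_NAME` on the bench runner, and nothing visible in `deployment-test` or `deployment-prod` creates it on the remote `DOCKER_HOST`, so the first deploy to `pica01-test` and to production fails unless someone pre-creates it by hand. Either add `docker volume create dokuwiki-app` to the deploy scripts ahead of `docker-compose up`, or drop `external:` and keep only `name: "dokuwiki-app"` so compose creates the volume itself without the project-name prefix. The `external: name:` spelling is the legacy form; the compose reference lists it as deprecated in favour of `name:` directly under the volume — confirm against the 2.4 reference before switching.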
@@ -9,7 +14,7 @@ services:
 image: pica-dokuwiki:stable
 container_name: dokuwiki-app
 volumes:
- - /DATA/docker/wiki/html:/var/www/html
+ - dokuwiki-app-volume:/var/www/html
 security_opt:
 - no-new-privileges
 mem_limit: "2048m"
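Review bot: Swapping the bind mount `/DATA/docker/wiki/html` for the named volume means the first `docker-compose up` on each host serves DokuWiki from a fresh `dokuwiki-app` volume (Docker seeds a new named volume from the image's own `/var/www/html`) while the existing wiki data stays untouched under `/DATA/docker/wiki/html`; whether those hosts hold data there is not visible in the diff, but if they do, copy it once per host before applying this compose file, e.g. `docker run --rm -v /DATA/docker/wiki/html:/src:ro -v dokuwiki-app:/dst alpine cp -a /src/. /dst/`. Any backup job that targeted the host path has to follow the volume as well (`docker volume inspect dokuwiki-app` gives the new mountpoint). A one-line comment above `volumes:` recording this migration would spare the next reader the same question.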