GSA-TTS / gitlab-runner-cloudgov

Code for running GitLab CI/CD jobs on cloud.gov

Deploy GitLab Runner to Cloud.gov #17

Open zjrgov opened 3 weeks ago

zjrgov commented 3 weeks ago

As a DevTools user I would like to be able to push and pull container images to/from the GitLab Container Registry so that I can verify that my container packaging steps work and be able to deploy the container to cloud.gov.

See also #16.

Acceptance Criteria

zjrgov commented 2 weeks ago

Kaniko, at least used in the typical way, won't work without some significant changes for a few reasons.

  1. It must be used as an image, i.e., you can't install it with a package manager.
  2. We can't deploy a worker image that runs it with docker because running docker in docker requires elevated privileges--the whole reason we're looking at Kaniko in the first place is to avoid this.
  3. Kaniko just uses scratch as the base for the image it actually distributes, and at most, when using the :debug tag, you just get some busybox utilities--ergo there is no package manager, no git/git-lfs/curl and no gitlab-runner-helper.

We might be able to do without the gitlab-runner-helper, but I think it would probably require some significant changes to manually deal with cache & artifacts. Could also think about having the runner workers deploy not as docker images, and use cloud foundry the normal way, possibly installing docker with the apt.yaml and removing a layer of the matryoshka.

Before doing that I'll try buildah, which is installable as an apt package.

zjrgov commented 2 weeks ago

Buildkit, img, orca-build, and buildah all use runc, which, if running in a container, must have certain security controls disabled (seccomp & apparmor unconfined). This isn't something I have a great deal of understanding about yet, but it seems bad and at the very least not like something we can easily get going by ourselves on cloud.gov.

So it seems like we could maybe have workers that don't get pushed as containers but install a container build system, or back to kaniko and try to stick git/lfs/curl binaries on it. In either case, probably just get some weird branching logic on it for now as a proof of concept.
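A small diagnostic, added here and not part of the gitlab-runner-cloudgov repo, that reports the seccomp and AppArmor state of the process it runs in, so a worker job can record up front whether the "seccomp & apparmor unconfined" condition the runc-based builders expect is actually present (on a hardened platform it should not be). The file paths are parameters defaulting to /proc/self so the functions can be exercised on constructed input; the label parsing assumes AppArmor's `profile (mode)` format.

```shell
#!/bin/sh
# Added diagnostic (not from the gitlab-runner-cloudgov project): report the
# seccomp and AppArmor confinement of the current process.

# Map the Seccomp field of a /proc/<pid>/status file to a word.
#   0 = disabled, 1 = strict, 2 = filter (the usual container default)
seccomp_mode() {
    status_file="${1:-/proc/self/status}"
    mode=$(awk '/^Seccomp:/ { print $2 }' "$status_file" 2>/dev/null || true)
    case "$mode" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Read the AppArmor label of the process: "unconfined" when no profile is
# attached, "profile (enforce)" otherwise. The "(mode)" suffix is stripped.
# Reports "unavailable" when the attribute cannot be read (no AppArmor).
apparmor_profile() {
    attr_file="${1:-/proc/self/attr/current}"
    label=""
    if [ -r "$attr_file" ]; then
        label=$(sed -e 's/ *(.*)$//' "$attr_file" 2>/dev/null | head -n 1)
    fi
    if [ -n "$label" ]; then echo "$label"; else echo "unavailable"; fi
}

# True (exit 0) only when both controls are active, i.e. the process is NOT
# in the unconfined state that in-container runc builds would require.
is_confined() {
    sm=$(seccomp_mode "$1")
    ap=$(apparmor_profile "$2")
    [ "$sm" != "disabled" ] && [ "$ap" != "unconfined" ] && [ "$ap" != "unavailable" ]
}

report_confinement() {
    echo "seccomp:  $(seccomp_mode "$1")"
    echo "apparmor: $(apparmor_profile "$2")"
    if is_confined "$1" "$2"; then
        echo "state:    confined"
    else
        echo "state:    unconfined (what runc-style in-container builds expect)"
    fi
}

report_confinement
```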