eclipse-cbi / jiro

Jenkins infrastructure for projects hosted by the Eclipse Foundation

Need Docker plugin in OMR Jenkins #214

Closed babsingh closed 2 years ago

babsingh commented 2 years ago

OMR is planning to launch PR builds in Docker containers: https://github.com/eclipse/omr/pull/6525.

In order to achieve the above goal, OMR needs to have the Docker plugin in its Jenkins pipeline.

babsingh commented 2 years ago

fyi @AdamBrousseau @jdekonin

mbarbero commented 2 years ago

We don't support the docker plugin in Jenkins as it would require DiD in our current, which is a major security issue. You can run the pipeline in a custom container though, as described in https://wiki.eclipse.org/Jenkins#Custom_container. Note that the container must be built and published beforehand.

babsingh commented 2 years ago

> it would require DiD in our current

What does DiD mean?

mbarbero commented 2 years ago

Sorry, Docker-in-Docker

babsingh commented 2 years ago

> it would require DiD in our current, which is a major security issue

@mbarbero Can you provide a reference which explains why DiD is a major security issue? I did not find any direct references to Docker in Docker security risks during my online search.

mbarbero commented 2 years ago

https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html

We don't allow containers on our infrastructure to run as root, and we have strict SELinux, AppArmor, and other security measures that prevent CI workloads from using any of the solutions like DinD or mounting the docker socket inside the container.
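The three properties mbarbero lists (no root inside the container, no DinD, no docker socket mounted into the container) are all visible in `docker inspect` output, so a project running its own agent node can audit them before letting a pipeline use the Docker plugin. The script below is an added example and is not code from the jiro project or from this thread; the container names and the inspect JSON are constructed, and the hypothetical `audit_all` / `audit_container` helpers read the real inspect fields (`HostConfig.Privileged`, `HostConfig.Binds`, `Mounts`, `Config.User`, `HostConfig.PidMode`, `HostConfig.NetworkMode`, `HostConfig.CapAdd`). It also flags host PID/network namespaces and a few capabilities that give an equivalent path to the host, which the linked breakout write-up covers but this comment does not mention.

```python
"""Audit `docker inspect` output for settings that let a CI container reach
host root: privileged mode, a bind-mounted Docker socket, running as uid 0,
host namespaces, and capabilities that bypass container isolation."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
# Capabilities with a known route from the container to the host kernel or filesystem.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "SYS_RAWIO"}


def _mounts_docker_socket(entry):
    """True if the daemon socket is bind-mounted in (DinD-by-socket).
    A ':ro' bind does not help: connecting to a unix socket needs no write bit on the path."""
    host = entry.get("HostConfig") or {}
    sources = {m.get("Source") for m in entry.get("Mounts") or []}
    sources |= {b.split(":")[0] for b in host.get("Binds") or []}
    return DOCKER_SOCKET in sources


def _runs_as_root(user):
    """Docker starts the process as uid 0 when Config.User is empty, 'root', '0' or '0:<gid>'."""
    return (user or "").split(":")[0] in ("", "0", "root")


def _normalise_cap(cap):
    """CapAdd entries may be written as 'SYS_ADMIN' or 'CAP_SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(entry):
    """Return a list of finding tags for one inspect entry; an empty list means clean."""
    host = entry.get("HostConfig") or {}
    cfg = entry.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")          # all caps, all host devices, no seccomp/AppArmor
    if _mounts_docker_socket(entry):
        findings.append("docker-socket")       # any client of the daemon can start a root container
    if _runs_as_root(cfg.get("User")):
        findings.append("root-user")
    if host.get("PidMode") == "host":
        findings.append("host-pid")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    caps = {_normalise_cap(c) for c in host.get("CapAdd") or []}
    findings.extend("cap-" + c for c in sorted(caps & RISKY_CAPS))
    return findings


def audit_all(inspect_json):
    """Parse the JSON array `docker inspect <ids...>` prints and audit every container in it."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


# Constructed sample input, shaped like real `docker inspect` output (fields trimmed).
SAMPLE_INSPECT = json.dumps([
    {   # a DinD-style agent: privileged, socket mounted, no User set (so root)
        "Name": "/omr-dind-agent",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                       "PidMode": "", "NetworkMode": "bridge", "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {   # non-root, but the socket alone still hands the daemon (host root) to the job
        "Name": "/socket-agent",
        "Config": {"User": "jenkins"},
        "HostConfig": {"Privileged": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"],
                       "PidMode": "", "NetworkMode": "bridge", "CapAdd": ["CAP_SYS_PTRACE"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {   # a prebuilt custom build container run unprivileged as an ordinary uid
        "Name": "/omr-build-agent",
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "Binds": None, "PidMode": "", "NetworkMode": "bridge",
                       "CapAdd": [], "CapDrop": ["ALL"]},
        "Mounts": [],
    },
])


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

On a live agent node, feed it `docker inspect $(docker ps -q)` instead of the constructed sample. The second constructed container is the case worth remembering: dropping root inside the container does nothing if the daemon socket is still reachable, because the daemon itself runs as root on the host and will happily start a privileged container on request.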

AdamBrousseau commented 2 years ago

@mbarbero Would those concerns only apply if we were running our own container on the Jenkins Controller node though? If we run a container on another worker node would there still be a security concern?

mbarbero commented 2 years ago

those concerns are only valid for our infra 🤦 Sorry about forgetting that OMR runs its jobs on their own node. Will install the docker plugin shortly

mbarbero commented 2 years ago

Plugin has been installed.

mbarbero commented 2 years ago

Done with https://github.com/eclipse-cbi/jiro/commit/ebab7beeaecdd90cf9d212425bf0cd508ba7320c

AdamBrousseau commented 2 years ago

Hey @mbarbero, we're trying to set up a pipeline job with a docker.build "image" step but it is still failing. I think we might need the Docker Pipeline plugin as well.

mbarbero commented 2 years ago

Sorry, this one slipped through the cracks. I'm adding the docker-workflow plugin right now

mbarbero commented 2 years ago

Done with 1d9fbf3a4de4cb4455ecf104fbead63ede03becc

Thanks for your patience on this one.

AdamBrousseau commented 2 years ago

Thanks, Mikaël

babsingh commented 2 years ago

Confirming that it works.