Commit 93872b32 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'fix/regression-in-docker-executor' into 'master'

Fix allowed_images behavior

Closes #2624

See merge request !635
parents f6cb0eda 6ee30feb
...@@ -713,14 +713,13 @@ func (s *executor) createServices() (err error) { ...@@ -713,14 +713,13 @@ func (s *executor) createServices() (err error) {
} }
s.waitForServices() s.waitForServices()
fmt.Println(linksMap)
s.links = s.buildServiceLinks(linksMap) s.links = s.buildServiceLinks(linksMap)
return return
} }
func (s *executor) createContainer(containerType string, imageDefinition common.Image, cmd []string) (*types.ContainerJSON, error) { func (s *executor) createContainer(containerType string, imageDefinition common.Image, cmd []string, allowedInternalImages []string) (*types.ContainerJSON, error) {
imageName, err := s.expandImageName(imageDefinition.Name) imageName, err := s.expandImageName(imageDefinition.Name, allowedInternalImages)
if err != nil { if err != nil {
return nil, err return nil, err
} }
...@@ -992,10 +991,11 @@ func (s *executor) verifyAllowedImage(image, optionName string, allowedImages [] ...@@ -992,10 +991,11 @@ func (s *executor) verifyAllowedImage(image, optionName string, allowedImages []
return errors.New("invalid image") return errors.New("invalid image")
} }
func (s *executor) expandImageName(imageName string) (string, error) { func (s *executor) expandImageName(imageName string, allowedInternalImages []string) (string, error) {
if imageName != "" { if imageName != "" {
image := s.Build.GetAllVariables().ExpandValue(imageName) image := s.Build.GetAllVariables().ExpandValue(imageName)
err := s.verifyAllowedImage(imageName, "images", s.Config.Docker.AllowedImages, []string{s.Config.Docker.Image}) allowedInternalImages = append(allowedInternalImages, s.Config.Docker.Image)
err := s.verifyAllowedImage(image, "images", s.Config.Docker.AllowedImages, allowedInternalImages)
if err != nil { if err != nil {
return "", err return "", err
} }
...@@ -1074,7 +1074,7 @@ func (s *executor) Prepare(options common.ExecutorPrepareOptions) error { ...@@ -1074,7 +1074,7 @@ func (s *executor) Prepare(options common.ExecutorPrepareOptions) error {
} }
s.SetCurrentStage(DockerExecutorStagePrepare) s.SetCurrentStage(DockerExecutorStagePrepare)
imageName, err := s.expandImageName(s.Build.Image.Name) imageName, err := s.expandImageName(s.Build.Image.Name, []string{})
if err != nil { if err != nil {
return err return err
} }
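Review bot: The new `allowedInternalImages` parameter of `expandImageName` looks like an exemption list for the `allowed_images` restriction, but no comment says who may populate it. A doc comment would make the trust boundary explicit, for example `// allowedInternalImages lists runner-provided images (such as the helper image ID) that are exempt from allowed_images; never pass job-controlled names.` In the same function, `append(allowedInternalImages, s.Config.Docker.Image)` can write into the caller's backing array when that slice has spare capacity; `internal := append([]string{s.Config.Docker.Image}, allowedInternalImages...)` builds a fresh slice instead. The body of `expandImageName` continues outside the hunk, so it cannot be confirmed here that the verified `image` is also the value returned and later pulled.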
......
...@@ -37,13 +37,13 @@ func (s *commandExecutor) Prepare(options common.ExecutorPrepareOptions) error { ...@@ -37,13 +37,13 @@ func (s *commandExecutor) Prepare(options common.ExecutorPrepareOptions) error {
} }
// Start pre-build container which will git clone changes // Start pre-build container which will git clone changes
s.predefinedContainer, err = s.createContainer("predefined", buildImage, []string{"gitlab-runner-build"}) s.predefinedContainer, err = s.createContainer("predefined", buildImage, []string{"gitlab-runner-build"}, []string{prebuildImage.ID})
if err != nil { if err != nil {
return err return err
} }
// Start build container which will run actual build // Start build container which will run actual build
s.buildContainer, err = s.createContainer("build", s.Build.Image, s.BuildShell.DockerCommand) s.buildContainer, err = s.createContainer("build", s.Build.Image, s.BuildShell.DockerCommand, []string{})
if err != nil { if err != nil {
return err return err
} }
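Review bot: The `[]string{prebuildImage.ID}` argument on the `createContainer("predefined", ...)` call has no comment explaining why this one image is exempt from the allowed-images check. A line such as `// The helper image is supplied by the runner, not the job, so its ID is exempt from allowed_images.` would record that decision next to the call. The exemption presumably only takes effect when `buildImage.Name` is exactly `prebuildImage.ID`; the hunk does not show how `buildImage` is built, so that is worth confirming. `Prepare` starts and ends outside the hunk.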
......
...@@ -70,6 +70,40 @@ func TestDockerCommandBuildFail(t *testing.T) { ...@@ -70,6 +70,40 @@ func TestDockerCommandBuildFail(t *testing.T) {
assert.Contains(t, err.Error(), "exit code 1") assert.Contains(t, err.Error(), "exit code 1")
} }
func TestDockerCommandWithAllowedImagesRun(t *testing.T) {
if helpers.SkipIntegrationTests(t, "docker", "info") {
return
}
successfulBuild, err := common.GetRemoteSuccessfulBuild()
successfulBuild.Image = common.Image{Name: "$IMAGE_NAME"}
successfulBuild.Variables = append(successfulBuild.Variables, common.JobVariable{
Key: "IMAGE_NAME",
Value: "alpine",
Public: true,
Internal: false,
File: false,
})
successfulBuild.Services = append(successfulBuild.Services, common.Image{Name: "docker:dind"})
assert.NoError(t, err)
build := &common.Build{
JobResponse: successfulBuild,
Runner: &common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Executor: "docker",
Docker: &common.DockerConfig{
AllowedImages: []string{"alpine"},
AllowedServices: []string{"docker:dind"},
Privileged: true,
},
},
},
}
err = build.Run(&common.Config{}, &common.Trace{Writer: os.Stdout})
assert.NoError(t, err)
}
func TestDockerCommandMissingImage(t *testing.T) { func TestDockerCommandMissingImage(t *testing.T) {
if helpers.SkipIntegrationTests(t, "docker", "info") { if helpers.SkipIntegrationTests(t, "docker", "info") {
return return
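Review bot: `TestDockerCommandWithAllowedImagesRun` only proves that an allowed image is accepted; no test shows that a variable expanding to an image outside `AllowedImages` is rejected, which is the behaviour the restriction exists to enforce. A companion test that sets `IMAGE_NAME` to a value not in the list and expects `build.Run` to fail would pin the check to the expanded name, as sketched below. In the added test the `err` from `common.GetRemoteSuccessfulBuild()` is also asserted only after `successfulBuild` has been modified; `assert.NoError(t, err)` belongs directly after the call.

```go
func TestDockerCommandWithDisallowedImage(t *testing.T) {
	if helpers.SkipIntegrationTests(t, "docker", "info") {
		return
	}

	successfulBuild, err := common.GetRemoteSuccessfulBuild()
	assert.NoError(t, err)
	successfulBuild.Image = common.Image{Name: "$IMAGE_NAME"}
	successfulBuild.Variables = append(successfulBuild.Variables, common.JobVariable{
		Key:    "IMAGE_NAME",
		Value:  "busybox", // constructed sample: any image absent from AllowedImages
		Public: true,
	})

	build := &common.Build{
		JobResponse: successfulBuild,
		Runner: &common.RunnerConfig{
			RunnerSettings: common.RunnerSettings{
				Executor: "docker",
				Docker: &common.DockerConfig{
					AllowedImages: []string{"alpine"},
				},
			},
		},
	}

	err = build.Run(&common.Config{}, &common.Trace{Writer: os.Stdout})
	assert.Error(t, err)
}
```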
......
...@@ -28,7 +28,7 @@ func (s *sshExecutor) Prepare(options common.ExecutorPrepareOptions) error { ...@@ -28,7 +28,7 @@ func (s *sshExecutor) Prepare(options common.ExecutorPrepareOptions) error {
s.Debugln("Starting SSH command...") s.Debugln("Starting SSH command...")
// Start build container which will run actual build // Start build container which will run actual build
container, err := s.createContainer("build", s.Build.Image, []string{}) container, err := s.createContainer("build", s.Build.Image, []string{}, []string{})
if err != nil { if err != nil {
return err return err
} }
......
...@@ -793,7 +793,7 @@ func TestDockerWatchOn_1_12_4(t *testing.T) { ...@@ -793,7 +793,7 @@ func TestDockerWatchOn_1_12_4(t *testing.T) {
err := e.connectDocker() err := e.connectDocker()
assert.NoError(t, err) assert.NoError(t, err)
container, err := e.createContainer("build", common.Image{Name: "alpine"}, []string{"/bin/sh"}) container, err := e.createContainer("build", common.Image{Name: "alpine"}, []string{"/bin/sh"}, []string{})
assert.NoError(t, err) assert.NoError(t, err)
assert.NotNil(t, container) assert.NotNil(t, container)
...@@ -871,7 +871,7 @@ func testDockerConfigurationWithJobContainer(t *testing.T, dockerConfig *common. ...@@ -871,7 +871,7 @@ func testDockerConfigurationWithJobContainer(t *testing.T, dockerConfig *common.
c.On("ContainerInspect", mock.Anything, "abc"). c.On("ContainerInspect", mock.Anything, "abc").
Return(types.ContainerJSON{}, nil).Once() Return(types.ContainerJSON{}, nil).Once()
_, err := e.createContainer("build", common.Image{Name: "alpine"}, []string{"/bin/sh"}) _, err := e.createContainer("build", common.Image{Name: "alpine"}, []string{"/bin/sh"}, []string{})
assert.NoError(t, err, "Should create container without errors") assert.NoError(t, err, "Should create container without errors")
} }
......