Gitlab 重写服务命令为空时屏蔽的变量
我想在JUNIT测试中使用Testcontainers,因此我创建了以下内容:Gitlab 重写服务命令为空时屏蔽的变量,gitlab,gitlab-ci,Gitlab,Gitlab Ci,我想在JUNIT测试中使用Testcontainers,因此我创建了以下内容: image: gitlab.registry.example:5005/my-custom-maven-image variables: MAVEN_CLI_OPTS: "--batch-mode -s $CI_PROJECT_DIR/.m2/settings.xml" stages: - test test: stage: test script: - mvn $MAVEN_CLI_O
image: gitlab.registry.example:5005/my-custom-maven-image
variables:
MAVEN_CLI_OPTS: "--batch-mode -s $CI_PROJECT_DIR/.m2/settings.xml"
stages:
- test
test:
stage: test
script:
- mvn $MAVEN_CLI_OPTS clean test
services:
- name: docker:dind
alias: docker
command:
- /bin/sh
- -c
- "DOCKER_AUTH_CONFIG=`echo \"{\\\"auths\\\":{\\\"$CI_REGISTRY\\\":{\\\"username\\\":\\\"$CI_REGISTRY_USER\\\",\\\"password\\\":\\\"$CI_REGISTRY_PASSWORD\\\"}}}\"` && mkdir -p \"/root/.docker\" && echo \"${DOCKER_AUTH_CONFIG}\" > \"/root/.docker/config.json\" && cat /root/.docker/config.json && update-ca-certificates && dockerd-entrypoint.sh || exit"
variables:
# Instruct Testcontainers to use the daemon of DinD.
DOCKER_HOST: "tcp://docker:2375"
# Instruct Docker not to start over TLS.
DOCKER_TLS_CERTDIR: ""
DOCKER_TLS_VERIFY: 0
# Improve performance with overlayfs.
DOCKER_DRIVER: overlay2
当运行程序尝试生成dind容器时,这为我提供了以下输出:
{"auths":{"gitlab.registry.example:5005":{"username":"gitlab-ci-token","password":""}}}
如您所见,密码为空。在脚本之前,在中打印CI\u REGISTRY\u PASSWORD
变量,显示了我所期望的[屏蔽]
我正要制造一个问题,但我想确保我所做的事事先没有错
更新:在gitlab runner项目中,它看起来确实像一个bug:CI\u REGISTRY\u PASSWORD
变量在运行DinD服务的容器中根本不存在,它在作业容器中被正确设置
我以一种简化的方式重复使用您的示例,重现了您的问题:
测试:
阶段:测试
脚本:
-echo“注册表$CI\U注册表-用户$CI\U注册表\U用户-密码$CI\U注册表\U密码”
#-睡眠9999
服务:
-姓名:docker:dind
别名:docker
命令:
-/bin/sh
--c
-echo“Registry$CI_Registry-User$CI_Registry\u User-Password$CI_Registry\u Password”和&dockerd-entrypoint.sh|退出
这在Gitlab UI中显示:
# Services logs (not always shown)
Registry registry.novadiscovery.net - User gitlab-ci-token - Password
# Script logs
$ echo "Registry $CI_REGISTRY - User $CI_REGISTRY_USER - Password $CI_REGISTRY_PASSWORD"
Registry registry.mycompany.com - User gitlab-ci-token - Password [MASKED]
起初,我认为这个变量在某种程度上隐藏在Gitlab log UI中,但它没有显示为[masked]
。然而,当检查运行作业的底层容器时,我们可以看到DinD服务中确实缺少变量:
# Running docker inspect command on machine running Gitlab Runner
# Inspect DinD service container
# CI_REGISTRY_PASSWORD does not exists
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-docker-0 | jq .[0].Config.Env | grep CI_REGISTRY
"CI_REGISTRY_USER=gitlab-ci-token",
"CI_REGISTRY=registry.mycompany.com",
"CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",
# Inspect job container
# CI_REGISTRY_PASSWORD is set
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-build-2 | jq .[0].Config.Env | grep CI_REGISTRY
"CI_REGISTRY_USER=gitlab-ci-token",
"CI_REGISTRY_PASSWORD=xxx",
"CI_REGISTRY=registry.mycompany.com",
"CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",
通过比较作业容器和服务容器之间的变量,似乎服务容器中缺少所有机密或合理的预定义CI变量。根据上述比较,缺少以下变量(可能还有其他变量):
在Gitlab13.11.3
和Gitlab Runner13.2.1
CI_JOB_TOKEN
CI_BUILD_TOKEN
CI_REGISTRY_PASSWORD
CI_REPOSITORY_URL
CI_DEPENDENCY_PROXY_PASSWORD
CI_JOB_JWT