Fatal编程技术网
  • gitlab/
  • Gitlab 重写服务命令为空时屏蔽的变量

Gitlab 重写服务命令为空时屏蔽的变量

gitlab

Gitlab 重写服务命令为空时屏蔽的变量,gitlab,gitlab-ci,Gitlab,Gitlab Ci,我想在JUNIT测试中使用Testcontainers,因此我创建了以下内容: image: gitlab.registry.example:5005/my-custom-maven-image variables: MAVEN_CLI_OPTS: "--batch-mode -s $CI_PROJECT_DIR/.m2/settings.xml" stages: - test test: stage: test script: - mvn $MAVEN_CLI_O

我想在JUNIT测试中使用Testcontainers,因此我创建了以下内容:

image: gitlab.registry.example:5005/my-custom-maven-image

variables:
  MAVEN_CLI_OPTS: "--batch-mode -s $CI_PROJECT_DIR/.m2/settings.xml"

stages:
  - test

test:
  stage: test
  script:
    - mvn $MAVEN_CLI_OPTS clean test
  services:
    - name: docker:dind
      alias: docker
      command:
        - /bin/sh
        - -c
        - "DOCKER_AUTH_CONFIG=`echo \"{\\\"auths\\\":{\\\"$CI_REGISTRY\\\":{\\\"username\\\":\\\"$CI_REGISTRY_USER\\\",\\\"password\\\":\\\"$CI_REGISTRY_PASSWORD\\\"}}}\"` && mkdir -p \"/root/.docker\" && echo \"${DOCKER_AUTH_CONFIG}\" > \"/root/.docker/config.json\" && cat /root/.docker/config.json && update-ca-certificates && dockerd-entrypoint.sh || exit"
  variables:
    # Instruct Testcontainers to use the daemon of DinD.
    DOCKER_HOST: "tcp://docker:2375"
    # Instruct Docker not to start over TLS.
    DOCKER_TLS_CERTDIR: ""
    DOCKER_TLS_VERIFY: 0
    # Improve performance with overlayfs.
    DOCKER_DRIVER: overlay2
当运行程序尝试生成dind容器时,这为我提供了以下输出:

{"auths":{"gitlab.registry.example:5005":{"username":"gitlab-ci-token","password":""}}}
如您所见,密码为空。在脚本之前,在
中打印
CI\u REGISTRY\u PASSWORD
变量,显示了我所期望的
[屏蔽]

我正要制造一个问题,但我想确保我所做的事事先没有错


更新:在gitlab runner项目中,它看起来确实像一个bug:
CI\u REGISTRY\u PASSWORD
变量在运行DinD服务的容器中根本不存在,它在作业容器中被正确设置

我以一种简化的方式重复使用您的示例,重现了您的问题:


测试:
阶段:测试
脚本:
-echo“注册表$CI\U注册表-用户$CI\U注册表\U用户-密码$CI\U注册表\U密码”
#-睡眠9999
服务:
-姓名:docker:dind
别名:docker
命令:
-/bin/sh
--c
-echo“Registry$CI_Registry-User$CI_Registry\u User-Password$CI_Registry\u Password”和&dockerd-entrypoint.sh|退出


这在Gitlab UI中显示:


# Services logs (not always shown)
Registry registry.novadiscovery.net - User gitlab-ci-token - Password 

# Script logs
$ echo "Registry $CI_REGISTRY - User $CI_REGISTRY_USER - Password $CI_REGISTRY_PASSWORD"
Registry registry.mycompany.com - User gitlab-ci-token - Password [MASKED]


起初,我认为这个变量在某种程度上隐藏在Gitlab log UI中,但它没有显示为
[masked]
。然而,当检查运行作业的底层容器时,我们可以看到DinD服务中确实缺少变量:


# Running docker inspect command on machine running Gitlab Runner

# Inspect DinD service container
# CI_REGISTRY_PASSWORD does not exists
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-docker-0 | jq .[0].Config.Env | grep CI_REGISTRY
  "CI_REGISTRY_USER=gitlab-ci-token",
  "CI_REGISTRY=registry.mycompany.com",
  "CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",

# Inspect job container
# CI_REGISTRY_PASSWORD is set
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-build-2 | jq .[0].Config.Env | grep CI_REGISTRY
  "CI_REGISTRY_USER=gitlab-ci-token",
  "CI_REGISTRY_PASSWORD=xxx",
  "CI_REGISTRY=registry.mycompany.com",
  "CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",


通过比较作业容器和服务容器之间的变量,似乎服务容器中缺少所有机密或合理的预定义CI变量。根据上述比较,缺少以下变量(可能还有其他变量):

在Gitlab
13.11.3
和Gitlab Runner
13.2.1


CI_JOB_TOKEN
CI_BUILD_TOKEN
CI_REGISTRY_PASSWORD
CI_REPOSITORY_URL
CI_DEPENDENCY_PROXY_PASSWORD
CI_JOB_JWT