Re: Changes to GitLab runners configuration



Hi,

Is there anything else that needs to be done?

No there isn't, it was working properly when it was first rolled out. I've started seeing this issue today and it looks like it's only affecting some runners, so I am guessing something got updated or new runners were added. Bart is on vacation till Monday so let's poke av I guess.

Cheers,
Jordan



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 24, 2020 11:11 AM, Bastien Nocera <hadess hadess net> wrote:

On Wed, 2020-02-19 at 14:50 +0100, Bartłomiej Piotrowski wrote:

Hello,
For historical reasons™ all GitLab runners were running with privileged mode enabled. The happy side effect of this fact is that nothing special was ever needed to run Docker or flatpak builds. It also means we were extremely lucky that no one abused CAP_SYS_ADMIN and other elevated privileges for bad things.

For the past few days I've been working to ensure that Flatpak builds are still functional without additional privileges. If your project is using citemplates[1], the configuration change should be invisible to your pipelines and you can keep on doing awesome GNOME work. However, if you have modified default steps via the 'extends' keyword (or by defining them completely manually), please make sure that:

It seems like this isn't quite working as it should. This MR is porting
sound-juicer to meson:
https://gitlab.gnome.org/GNOME/sound-juicer/-/merge_requests/6

It uses the flatpak_ci_initiative.yml template and throws this error:
bwrap: Creating new namespace failed, likely because the kernel does
not support user namespaces. bwrap must be installed setuid on such
systems.

1.  you are using the registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome image or your image does not run as root,


From the template:
.flatpak:
  image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'

2.  jobs using flatpak/flatpak-builder have "flatpak" tag defined,

From the template:
tags:
  - flatpak
And in the pipeline output:
https://gitlab.gnome.org/GNOME/sound-juicer/-/jobs/606529

3.  flatpak-builder invocation includes --user --disable-rofiles-fuse for building; 'flatpak-builder --run' includes --disable-rofiles-fuse.


In the template:
script:
  - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
(also visible in the pipeline output).

Is there anything else that needs to be done?

If your project's pipeline is using Docker to build an image from a Dockerfile, consider switching to podman or buildah as they should work unprivileged.

The only exception to these changes is the runners assigned to gnome-build-meta.

If you encounter any problems with running CI unprivileged, please poke me on #sysadmin on irc.gnome.org or via Rocket.chat.

desktop-devel-list mailing list
desktop-devel-list gnome org
https://mail.gnome.org/mailman/listinfo/desktop-devel-list
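As an added example that is not part of the thread and not GNOME's citemplates code, the following POSIX shell script lints one job in a .gitlab-ci.yml against the three requirements Bartłomiej lists (image, flatpak tag, --user/--disable-rofiles-fuse flags) and probes whether the current environment can create an unprivileged user namespace, which is what the bwrap error quoted above complains about. The function names, the sample YAML written by write_samples and the MANIFEST_PATH value are constructed for the example; only the image name, the tag and the flags come from the mail. It assumes jobs are top-level YAML keys, a single scalar 'extends:' value, and that a "- flatpak" list entry belongs to tags:.

```shell
#!/bin/sh
# Added example, not code from the thread or from GNOME's citemplates:
# lint a GitLab CI job against the three requirements from the mail and
# probe whether this environment can create an unprivileged user namespace.
# Function names and the YAML written by write_samples are constructed.

# job_block FILE NAME: print the body of the top-level YAML mapping NAME
# (for instance ".flatpak" or "flatpak") without the key line itself.
job_block() {
    awk -v key="$2:" '
        index($0, key) == 1 { inblock = 1; next }
        inblock && /^[^ \t]/ { inblock = 0 }
        inblock { print }
    ' "$1"
}

# check_flatpak_job FILE NAME: return 0 if the job meets the checklist,
# otherwise print the first failing requirement and return 1. One level of
# 'extends:' is resolved so a job built on a '.flatpak' template is checked
# against the inherited image, tags and script as well.
check_flatpak_job() {
    file=$1
    name=$2
    block=$(job_block "$file" "$name")
    [ -n "$block" ] || { echo "job '$name' not found in $file"; return 1; }
    parent=$(printf '%s\n' "$block" | sed -n 's/^[[:space:]]*extends:[[:space:]]*//p' | head -n 1)
    if [ -n "$parent" ]; then
        block=$(printf '%s\n' "$block"; job_block "$file" "$parent")
    fi

    # 1. Image: only the gnome-runtime-images/gnome image is recognised here;
    #    the "image does not run as root" alternative needs inspecting the image.
    printf '%s\n' "$block" |
        grep -Eq '^[[:space:]]*image:.*registry\.gitlab\.gnome\.org/gnome/gnome-runtime-images/gnome' ||
        { echo "requirement 1: job '$name' does not use the gnome-runtime-images/gnome image"; return 1; }

    # 2. Tag: a "- flatpak" list entry must be present (assumed to sit under tags:).
    printf '%s\n' "$block" |
        grep -Eq "^[[:space:]]*-[[:space:]]*['\"]?flatpak['\"]?[[:space:]]*$" ||
        { echo "requirement 2: job '$name' has no flatpak tag"; return 1; }

    # 3. Flags: every flatpak-builder call needs --disable-rofiles-fuse and
    #    build calls (anything other than --run) also need --user.
    bad=$(printf '%s\n' "$block" | grep -- 'flatpak-builder' | grep -v -- '--disable-rofiles-fuse' || true)
    [ -z "$bad" ] || { echo "requirement 3: flatpak-builder call without --disable-rofiles-fuse:$bad"; return 1; }
    bad=$(printf '%s\n' "$block" | grep -- 'flatpak-builder' | grep -v -- '--run' | grep -v -- '--user' || true)
    [ -z "$bad" ] || { echo "requirement 3: flatpak-builder build without --user:$bad"; return 1; }
    return 0
}

# userns_status: print "enabled", "disabled" or "unknown". bwrap needs an
# unprivileged user namespace when it is not installed setuid; both a kernel
# sysctl and the container runtime's seccomp profile can refuse it, so a
# direct unshare probe is tried first and the sysctl files are the fallback.
userns_status() {
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then echo enabled; else echo disabled; fi
    elif [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        # Debian/Ubuntu-specific toggle
        if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ]; then echo enabled; else echo disabled; fi
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        # upstream limit; 0 means user namespaces are switched off entirely
        if [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]; then echo enabled; else echo disabled; fi
    else
        echo unknown
    fi
}

# write_samples DIR: constructed sample files, one compliant job built on a
# template and one hand-written job that drops the tag and the flags.
write_samples() {
    cat > "$1/good.yml" <<'EOF'
.flatpak:
  image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'
  tags:
    - flatpak
  script:
    - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
    - flatpak-builder --run --disable-rofiles-fuse flatpak_app ${MANIFEST_PATH} ninja -C _build test

flatpak:
  extends: .flatpak
  variables:
    MANIFEST_PATH: org.example.App.json
EOF
    cat > "$1/bad.yml" <<'EOF'
flatpak:
  image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'
  script:
    - flatpak-builder --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_flatpak_job "$dir/good.yml" flatpak && echo "good.yml: ok"
check_flatpak_job "$dir/bad.yml" flatpak || echo "bad.yml: rejected"
echo "unprivileged user namespaces here: $(userns_status)"
rm -rf "$dir"
```

Run it inside the runner's job container to get the namespace verdict for that runner; a "disabled" result on a job that otherwise passes the three checks points at the runner or kernel, which is the situation Jordan describes, rather than at the project's pipeline.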



