Unverified Commit a79b186f authored by intrigeri

gitlab-triage: migrate from Docker to podman

Using containers with unprivileged user namespaces is safer than running an
all-powerful Docker daemon, which requires either using root to interact with
(as we did previously), or adding one's regular user to the "docker"
group (which is equivalent to turning it into root).
parent 4bec32e0
Pipeline #2420 passed in 5 minutes and 6 seconds
......@@ -8,7 +8,7 @@ rm -f config/gitlab-triage/policies/stalled.yml
./config/gitlab-triage/bin/generate-stalled-policy \
> config/gitlab-triage/policies/stalled.yml
sudo "$(dirname "$0")"/../config/gitlab-triage/bin/gitlab-triage \
"$(dirname "$0")"/../config/gitlab-triage/bin/gitlab-triage \
--source-id tails --source groups \
--policies-file /etc/gitlab-triage-policies/stalled.yml \
"${@}"
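Review bot: dropping `sudo` in front of `"$(dirname "$0")"/../config/gitlab-triage/bin/gitlab-triage` means the container is now created rootless under the invoking account, which needs `/etc/subuid` and `/etc/subgid` ranges for that user; accounts created before the distribution started allocating those ranges automatically will fail at `podman run` with an unhelpful error. A quick `grep "^$USER:" /etc/subuid /etc/subgid` check belongs in the docs next to the sysctl step.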
......@@ -4,7 +4,7 @@ set -e
set -u
set -x
export DOCKER_ARGS="--env VERSION --env NEXT_PLANNED_VERSION"
export PODMAN_ARGS="--env VERSION --env NEXT_PLANNED_VERSION"
"$(dirname "$0")"/../config/gitlab-triage/bin/gitlab-triage \
--source-id tails --source groups \
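Review bot: the `DOCKER_ARGS` to `PODMAN_ARGS` rename is only safe if every exporter is updated in the same commit, because the wrapper reads `${PODMAN_ARGS:-}` with an empty default and would silently run without the `--env VERSION --env NEXT_PLANNED_VERSION` flags if a caller still exports the old name; a `grep -r DOCKER_ARGS` over the repository before merging confirms nothing was missed.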
......
#!/bin/sh
set -e
set -u
set -x
# Update Docker image tails:gitlab-triage-stable is based on
docker image pull debian:stable
# Build our own Docker image
docker build --tag tails:gitlab-triage-stable "$(dirname "$0")/.."
# Remove dangling Docker images
docker image prune --force
#!/bin/sh
set -e
set -u
set -x
# Update the image tails:gitlab-triage-stable is based on
podman image pull debian:stable
# Build our own container image
podman build --tag tails:gitlab-triage-stable "$(dirname "$0")/.."
# Remove dangling container images
podman image prune --force
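Review bot: `podman image pull debian:stable` relies on podman's short-name resolution (the `unqualified-search-registries` list or the shipped alias file) rather than Docker's implicit docker.io default; use the fully qualified `docker.io/library/debian:stable` so the pull is unambiguous on hosts with a different registries.conf and cannot hit a short-name prompt in a non-interactive run.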
#! /bin/sh
# Wrapper to run gitlab-triage (https://gitlab.com/gitlab-org/gitlab-triage)
# in Docker
# in a container
set -e
set -u
......@@ -9,10 +9,10 @@ set -x
GITLAB_TRIAGE_POLICIES_DIR="$(readlink -f "$(dirname "$0")"/../policies)"
docker run \
podman run \
--name tails-gitlab-triage \
--rm \
--volume "${GITLAB_TRIAGE_POLICIES_DIR}":/etc/gitlab-triage-policies \
${DOCKER_ARGS:-} \
${PODMAN_ARGS:-} \
tails:gitlab-triage-stable \
/usr/local/bin/gitlab-triage "${@}"
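Review bot: the `--volume "${GITLAB_TRIAGE_POLICIES_DIR}":/etc/gitlab-triage-policies` bind mount is read-write although nothing in the container needs to write to the policies; append `:ro` so a bug or compromise in the triage image cannot alter the policy files that the next run (or a later `git commit`) picks up. Read access needs no `--userns` tweak in rootless mode, since the invoking user's files are readable from inside the container.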
......@@ -25,7 +25,10 @@ Packages
To release Tails you'll need some packages installed:
* `docker.io gitlab-cli jq tidy mktorrent python3-bs4 python3-debian python3-gitlab python3-jinja2 python3-voluptuous transmission-cli`
* `gitlab-cli jq tidy mktorrent podman python3-bs4 python3-debian python3-gitlab python3-jinja2 python3-voluptuous transmission-cli`
- Note: if the Debian version you are running does not include all required
Go packages, such as [[!debpts podman]], you should be able to install
them from a more recent Debian release with APT pinning.
* [[!debpts squashfs-tools]] 1:4.4-1+0.tails1
from our custom `iukbuilder-stretch` APT suite.
* `perl5lib` [[dependencies|contribute/release_process/perl5lib#build-deps]]
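Review bot: the added note about installing podman from a newer release via APT pinning should name what rootless mode actually needs beyond the `podman` package: `uidmap` (for `newuidmap`/`newgidmap`), `slirp4netns` (rootless networking, which gitlab-triage needs to reach the API), an OCI runtime (`crun` or `runc`) and `conmon`; whether these come in automatically depends on the Depends/Recommends of the release you pin from, so a `podman info` check after installation would catch a half-installed stack. Calling them "Go packages" is also slightly off, since `crun`, `conmon` and `slirp4netns` are written in C.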
......@@ -38,6 +41,18 @@ To release Tails you'll need some packages installed:
* `i18nspector` 0.26 or newer
* packages to [[build a local version of the website|contribute/build/website/]]
System configuration
--------------------
- Enable unprivileged user namespaces
If you're running a Debian kernel older than 5.10.1-1~exp1,
set the `kernel.unprivileged_userns_clone` sysctl to 1:
echo 'kernel.unprivileged_userns_clone=1' \
| sudo tee /etc/sysctl.d/unprivileged-user-namespaces.conf && \
&& sudo sysctl -p
Configuration files
-------------------
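Review bot: the sysctl snippet has two defects: `| sudo tee ... && \` followed by `&& sudo sysctl -p` produces a double `&&`, which is a syntax error in every shell, and `sysctl -p` with no argument only reloads `/etc/sysctl.conf`, so the file just written under `/etc/sysctl.d/` is not applied until reboot. Suggested: `echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/unprivileged-user-namespaces.conf && sudo sysctl --system`. A `sysctl kernel.unprivileged_userns_clone` before and after also tells the reader whether the step was needed on their kernel at all.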
......@@ -1441,23 +1456,20 @@ Skip this part if preparing a release candidate.
submit a MR against [[!tails_gitlab tails/gitlab-config]]
to create one.
2. Ensure you have an up-to-date `tails:gitlab-triage-stable` Docker image:
2. Ensure you have an up-to-date `tails:gitlab-triage-stable` container image:
cd "${MASTER_CHECKOUT:?}" && \
git checkout master && \
sudo ./config/gitlab-triage/bin/ensure-up-to-date-Docker-image
./config/gitlab-triage/bin/ensure-up-to-date-container-image
3. Postpone to the next scheduled release any remaining open issue and merge
request whose milestone is the version you've just released:
cd "${MASTER_CHECKOUT:?}" && \
git checkout master && \
sudo \
VERSION="${VERSION:?}" \
NEXT_PLANNED_VERSION="${NEXT_PLANNED_VERSION:?}" \
./bin/gitlab-triage-post-release \
--host-url "$(bin/gitlab-url TailsRM)" \
--token "$(bin/gitlab-api-token TailsRM)"
./bin/gitlab-triage-post-release \
--host-url "$(bin/gitlab-url TailsRM)" \
--token "$(bin/gitlab-api-token TailsRM)"
4. Finally, submit a MR against [[!tails_gitlab tails/gitlab-config]] to:
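Review bot: with `sudo \` gone, the `VERSION="${VERSION:?}" NEXT_PLANNED_VERSION="${NEXT_PLANNED_VERSION:?}"` prefix now sets those variables only for `./bin/gitlab-triage-post-release`, which is exactly what the `--env VERSION --env NEXT_PLANNED_VERSION` forwarding expects, so this works. The remaining concern is `--token "$(bin/gitlab-api-token TailsRM)"`: the wrapper scripts run under `set -x`, so the token is echoed to the terminal (and to any log capture) and is visible in `ps` for the duration of the run; consider `set +x` around the invocation, or handing the token to gitlab-triage through something other than a command-line argument.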
......
......@@ -90,7 +90,7 @@ that we can use as a basis to explain why we're removing the milestone.
To run the automated triaging processes described below, execute
the following commands:
sudo ./config/gitlab-triage/bin/ensure-up-to-date-Docker-image && \
./config/gitlab-triage/bin/ensure-up-to-date-container-image && \
./bin/gitlab-triage-gardener \
--host-url "$(bin/gitlab-url TailsGardener)" \
--token "$(bin/gitlab-api-token TailsGardener)"
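Review bot: `./config/gitlab-triage/bin/ensure-up-to-date-container-image && \` rebuilds from the floating `debian:stable` tag on every gardener run, so the environment the automated triage executes in, holding a write-capable API token, can change without review whenever the upstream image moves; pinning the base image by digest and bumping it deliberately would make the image reproducible. The `&&` chain itself is right: a failed pull or build must not fall through to running triage with a stale or missing image.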
......