
Feature/docker whitelist #26

Merged
merged 4 commits into from
Jan 18, 2018

Conversation

wyvern8 (Collaborator) commented Jan 17, 2018

If an env var GTM_DOCKER_IMAGE_WHITELIST is set, the docker executor will only pull and run images listed in this comma-separated list.

If a command option is passed to the docker executor, it will only be run if:
GTM_DOCKER_COMMANDS_ALLOWED=true

Also adding support for task options to pass env vars into docker containers using the task.options.env array. Note format apocas/dockerode#130.

docker images supported can be limited by whitelist, and docker commands disabled
Neko-Design (Collaborator)

@wyvern8 Looks good, but do we maybe want to externalise the whitelist config in a future change, as I can imagine a few situations where the whitelist might include potentially hundreds of items and it might get a bit cumbersome if we store it in env. Since the agent is a deployed thing and will (usually) have a mapped disk could we add a config file for allowed ones?

Neko-Design (Collaborator) left a review comment:

👍

whitelist entries are now treated as regex, and an optional GTM_DOCKER_IMAGE_WHITELIST_FILE can be used for larger lists.
wyvern8 (Collaborator, Author) commented Jan 18, 2018

@Neko-Design - true - a whitelist file is a good idea for larger sets, so added this as GTM_DOCKER_IMAGE_WHITELIST_FILE to point at an approot-relative file. Also, each entry from either location is now treated as a regex, so you do not need to version-lock, i.e. you can do node:*

2 participants