0e8b5cfe59
The current Promenade image is vulnerable to several CVEs: CVE-2019-3462 CVE-2018-16865 CVE-2018-16864 Which Ubuntu 16.04/18.04 addresses. This patchset makes the following changes: 1. Adds new distro specific dockerfiles for xenial/bionic. 2. Updates gates to be specific about the ubuntu image being checked. 3. Updates .zuul.yaml checks/gates/post jobs for xenial/bionic. 4. Updates build-image.sh docker build for specific dockerfile specified in config.sh (IMAGE_PROMENADE_DISTRO). Change-Id: I89e5297a3baa8c2d2c142e5e29932476fc628398
121 lines
3.4 KiB
YAML
121 lines
3.4 KiB
YAML
- hosts: all
|
|
tasks:
|
|
- include_vars: vars.yaml
|
|
|
|
- name: Install Docker (Debian)
|
|
when: ansible_os_family == 'Debian'
|
|
block:
|
|
- file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
with_items:
|
|
- /etc/docker/
|
|
- /etc/systemd/system/docker.service.d/
|
|
- /var/lib/docker/
|
|
- mount:
|
|
path: /var/lib/docker/
|
|
src: tmpfs
|
|
fstype: tmpfs
|
|
opts: size=25g
|
|
state: mounted
|
|
- copy: "{{ item }}"
|
|
with_items:
|
|
- content: "{{ docker_daemon | to_json }}"
|
|
dest: /etc/docker/daemon.json
|
|
- src: files/docker-systemd.conf
|
|
dest: /etc/systemd/system/docker.service.d/
|
|
- apt_key:
|
|
url: https://download.docker.com/linux/ubuntu/gpg
|
|
- apt_repository:
|
|
repo: deb http://{{ zuul_site_mirror_fqdn }}/deb-docker xenial stable
|
|
- apt:
|
|
name: "{{ item }}"
|
|
allow_unauthenticated: True
|
|
with_items:
|
|
- docker-ce
|
|
- python-pip
|
|
- pip:
|
|
name: docker
|
|
version: 2.7.0
|
|
# NOTE(SamYaple): Allow all connections from containers to host so the
|
|
# containers can access the http server for git and wheels
|
|
- iptables:
|
|
action: insert
|
|
chain: INPUT
|
|
in_interface: docker0
|
|
jump: ACCEPT
|
|
become: True
|
|
|
|
- name: Debug tag generation inputs
|
|
block:
|
|
- debug:
|
|
var: publish
|
|
- debug:
|
|
var: tags
|
|
- debug:
|
|
var: distro
|
|
- debug:
|
|
var: zuul
|
|
- debug:
|
|
msg: "{{ tags | to_json }}"
|
|
|
|
- name: Determine tags
|
|
shell: echo '{{ tags | to_json }}' | python {{ zuul.project.src_dir }}/tools/image_tags.py
|
|
environment:
|
|
BRANCH: "{{ zuul.branch | default('') }}"
|
|
CHANGE: "{{ zuul.change | default('') }}"
|
|
COMMIT: "{{ zuul.newrev | default('') }}"
|
|
PATCHSET: "{{ zuul.patchset | default('') }}"
|
|
register: image_tags
|
|
|
|
- name: Debug computed tags
|
|
debug:
|
|
var: image_tags
|
|
|
|
- name: Make images
|
|
when: not publish
|
|
block:
|
|
- make:
|
|
chdir: "{{ zuul.project.src_dir }}"
|
|
target: images
|
|
params:
|
|
DISTRO: "{{ distro }}"
|
|
IMAGE_TAG: "{{ item }}"
|
|
with_items: "{{ image_tags.stdout_lines }}"
|
|
|
|
- shell: "docker images"
|
|
register: docker_images
|
|
|
|
- debug:
|
|
var: docker_images
|
|
|
|
become: True
|
|
|
|
- name: Publish images
|
|
block:
|
|
- docker_login:
|
|
username: "{{ airship_promenade_quay_creds.username }}"
|
|
password: "{{ airship_promenade_quay_creds.password }}"
|
|
registry_url: "https://quay.io/api/v1/"
|
|
|
|
- make:
|
|
chdir: "{{ zuul.project.src_dir }}"
|
|
target: images
|
|
params:
|
|
DOCKER_REGISTRY: "quay.io"
|
|
IMAGE_PREFIX: "airshipit"
|
|
DISTRO: "{{ distro }}"
|
|
IMAGE_TAG: "{{ item }}"
|
|
COMMIT: "{{ zuul.newrev | default('') }}"
|
|
PUSH_IMAGE: "true"
|
|
with_items: "{{ image_tags.stdout_lines }}"
|
|
|
|
- shell: "docker images"
|
|
register: docker_images
|
|
|
|
- debug:
|
|
var: docker_images
|
|
|
|
when: publish
|
|
become: True
|