Docker in Jenkins and private modules
I'm looking for a way to securely clone private npm modules from a proxy repository inside a Docker container that is spun up by a Jenkins that runs on Ubuntu. The Docker image will be thrown away, but it is supposed to compile the project and run the unit tests.
The Jenkinsfile used for the build looks, simplified, like this:
node('master') {
    stage('Checkout from version control') {
        checkout scm
    }
    stage('Build within Docker') {
        docker.build("intermediate-image", ".")
    }
}
The Dockerfile at the moment:
FROM node:10-alpine
COPY package.json package-lock.json .npmrc ./
RUN npm ci && \
    rm -f .npmrc
COPY . .
RUN npm run build && \
    npm run test
The .npmrc file (anonymized):
@domain:registry=https://npm.domain.com/
//npm.domain.com/:_authToken=abcdefg
The problem is that the COPY command creates a layer with the .npmrc file. Should I build outside of my own Jenkins server, the layer would be cached by the build provider.

Or do I worry too much, considering that the image will not be published and the Jenkins is private too?
What I want to achieve is that a build can use an arbitrary node version that is independent of the build server's.
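To check the concern above rather than reason about it, here is an added shell example (not from the original post) that scans an exported image (docker save -o image.tar intermediate-image) layer by layer and reports every layer whose file list still carries .npmrc. It constructs a fake two-layer image so it runs without Docker, and it assumes the legacy <id>/layer.tar layout of the save tarball; the token value and paths are constructed.

```shell
#!/bin/sh
# Added example: a file COPYed in one layer stays in the image even when a
# later RUN deletes it, because the deletion is only a whiteout in the next
# layer. We build a constructed image tarball and then scan it layer by layer.
set -eu

# Constructed two-layer image mimicking the Dockerfile in the question:
# layer 1 = "COPY .npmrc", layer 2 = "RUN rm -f .npmrc" (an overlay whiteout).
make_sample_image() {
  d=$(mktemp -d)
  mkdir -p "$d/l1" "$d/l2" "$d/img/layer1" "$d/img/layer2"
  printf '//npm.example.test/:_authToken=CONSTRUCTED-TOKEN\n' > "$d/l1/.npmrc"
  : > "$d/l2/.wh..npmrc"                 # whiteout marker = file deleted
  tar -cf "$d/img/layer1/layer.tar" -C "$d/l1" .
  tar -cf "$d/img/layer2/layer.tar" -C "$d/l2" .
  tar -cf "$d/image.tar" -C "$d/img" .   # same shape as docker save output
  printf '%s\n' "$d/image.tar"
}

# Count the layers of an exported image whose file list ends in $2
# (e.g. ".npmrc"). Whiteout entries (.wh.*) are excluded so that a
# deletion layer is not mistaken for a copy of the secret.
count_layers_containing() {
  img="$1"; needle="$2"
  work=$(mktemp -d)
  tar -xf "$img" -C "$work"
  n=0
  for layer in $(find "$work" -type f -name 'layer.tar'); do
    if tar -tf "$layer" | grep -v '/\.wh\.' | grep -q -- "$needle\$"; then
      n=$((n + 1))
    fi
  done
  rm -rf "$work"
  echo "$n"
}

img=$(make_sample_image)
echo ".npmrc is present in $(count_layers_containing "$img" '.npmrc') layer(s)"
```

The same scan run against the real intermediate-image tarball shows whether the rm -f in the Dockerfile actually removed the token from the image history or only from the final filesystem view.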
I have decided that, because the docker host is the same (virtual) machine as the Jenkins host, it is no problem if I bake the .npmrc file into a docker layer. Anyone with access to the Docker host can, currently, steal the local .npmrc token anyway.

Furthermore, the group that has access to our private npm modules is a complete subgroup of people with access to the source control repository. Therefore, exposing the npm token to the build machine, Jenkins, Docker intermediate image, Docker image layer and/or repository poses no additional authentication problems as of now. Revoking access should then go hand in hand with rotating the npmrc token (so that removed developers do not use the build token), but that is a small attack surface, in any case way smaller than people copying the code to a hard drive.

We will have to re-evaluate our options should this setup change. Hopefully, we will find a solution then, but it is not worth the trouble now. One possible solution could be requesting the token from a different docker container with the sole purpose of answering these (local) calls.