Gitlab 共享 runner 安全疑虑
Gitlab shared runner safety doubts
我的计划是使用 GitLab 管道构建 Maven 应用程序并将其部署到 AWS Elastic Beanstalk。在研究过程中,我发现了 this 页面。
If you are using gitlab.com there is a shared runner by default which you can use. Note this runner is shared with other users that means it may mean you have to wait in a que until another user’s build has completed, cannot scale and also mean that you may not use the shared runner builds including variables which may be exposed in a shared runner.
我很困惑。所有构建都在 docker 内完成,据我所知,无法查看我的代码、部署凭据或构建的工件。那么在我的情况下使用共享运行器是否安全?我只是想确保我的代码、用于部署和构建 jar 的凭据/密钥是安全的。
示例代码:
development:
type: deploy
environment: production
script:
- mkdir ~/.aws/
- touch ~/.aws/credentials
- printf "[eb-cli]\naws_access_key_id = %s\naws_secret_access_key = %s\n" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" >> ~/.aws/credentials
- touch ~/.aws/config
- printf "[profile eb-cli]\nregion=ap-southeast-1\noutput=json" >> ~/.aws/config
- eb deploy funwitheb-production
only:
- master
我搜索了一段时间后找不到任何可靠的基于 Gitlab-docs 的证据,但我也从来没有在共享运行器上执行作业时实际读取其他用户的变量。
我也找不到任何与此相关的 GitLab 问题(即有人 "accidentally" 看到别人的变量)所以 security/privacy-wise 它看起来不错。
我已经给文章的作者发了邮件。
文章来自 2016 年。此信息不是最新的。所以这可能不再是问题了。
以下是更多信息:
https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/security/index.md
Docker can be considered safe when run in non-privileged mode. To make such
setup more secure it's advised to run jobs as user (non-root) in Docker containers
with disabled sudo or dropped SETUID and SETGID capabilities.
我的计划是使用 GitLab 管道构建 Maven 应用程序并将其部署到 AWS Elastic Beanstalk。在研究过程中,我发现了 this 页面。
If you are using gitlab.com there is a shared runner by default which you can use. Note this runner is shared with other users that means it may mean you have to wait in a que until another user’s build has completed, cannot scale and also mean that you may not use the shared runner builds including variables which may be exposed in a shared runner.
我很困惑。所有构建都在 docker 内完成,据我所知,无法查看我的代码、部署凭据或构建的工件。那么在我的情况下使用共享运行器是否安全?我只是想确保我的代码、用于部署和构建 jar 的凭据/密钥是安全的。
示例代码:
development:
type: deploy
environment: production
script:
- mkdir ~/.aws/
- touch ~/.aws/credentials
- printf "[eb-cli]\naws_access_key_id = %s\naws_secret_access_key = %s\n" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" >> ~/.aws/credentials
- touch ~/.aws/config
- printf "[profile eb-cli]\nregion=ap-southeast-1\noutput=json" >> ~/.aws/config
- eb deploy funwitheb-production
only:
- master
我搜索了一段时间后找不到任何可靠的基于 Gitlab-docs 的证据,但我也从来没有在共享运行器上执行作业时实际读取其他用户的变量。
我也找不到任何与此相关的 GitLab 问题(即有人 "accidentally" 看到别人的变量)所以 security/privacy-wise 它看起来不错。
我已经给文章的作者发了邮件。 文章来自 2016 年。此信息不是最新的。所以这可能不再是问题了。 以下是更多信息: https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/security/index.md
Docker can be considered safe when run in non-privileged mode. To make such setup more secure it's advised to run jobs as user (non-root) in Docker containers with disabled sudo or dropped SETUID and SETGID capabilities.