Comments (5)
a PR for this would be great.
We could add a checkbox from the repository settings screen to toggle privileged mode. My initial thinking is, if a commit-hook-triggered build requires privileged mode, so does a pull-request-triggered build. Perhaps in this case you disable pull requests? We have a checkbox for this.
Or we could make this a system administrator function. Since privileged mode could pose an overall security issue, maybe the system administrator should be responsible for toggling the privileged flag for a repository.
I think the first option is the easiest, for now, since we don't need to design an entire set of new admin screens. Thoughts?
from gitness.
I think it has to be a system administrator function. With "actual" root in a container all bets are off (reboot the host by echoing to `/proc/sysrq-trigger`). Docker/LXC uses AppArmor, and that helps, but I don't know how much people trust it with root + user-injected code. I may be preaching to the choir here; just want to make sure we're on the same page.
That being said, having automated CI for pull requests is very nice, so I wouldn't want it disabled entirely. I'd treat it with the same scrutiny as secure env vars, which shouldn't be exposed to external pull requests. Once the PR is merged the build will go again, this time privileged, but by this point it's been vetted by a trusted user.
from gitness.
yep, on the same page
let's only set Docker's `Privileged=true` where `len(repo.PullRequest) == 0`, and add a screen to the sysadmin section to toggle privileged mode.
from gitness.
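The gate agreed on in the comments above, sketched as an added example (not code from the thread or from the Drone/Gitness code base): privileged mode is toggled only by a system administrator, and a pull-request build gets neither privileged mode nor secure env vars. The `User`, `Repo`, `Build` and `RunConfig` types and both function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not Drone's actual data model.
type User struct{ Admin bool }

type Repo struct {
	Privileged bool // changed only through SetPrivileged
}

type Build struct {
	PullRequest string // empty for commit-hook builds
}

// RunConfig is what an assumed runner would hand to Docker for one build.
type RunConfig struct {
	Privileged bool
	Env        []string
}

var ErrNotAdmin = errors.New("privileged mode can only be toggled by a system administrator")

// SetPrivileged is the admin-only toggle; any other caller is refused.
func SetPrivileged(actor User, repo *Repo, on bool) error {
	if !actor.Admin {
		return ErrNotAdmin
	}
	repo.Privileged = on
	return nil
}

// PlanBuild grants privileged mode and secure env vars only to builds that
// are not pull requests, i.e. code already vetted by a trusted user.
func PlanBuild(repo Repo, b Build, secureEnv []string) RunConfig {
	if len(b.PullRequest) != 0 {
		return RunConfig{} // untrusted code: unprivileged, no secrets
	}
	return RunConfig{Privileged: repo.Privileged, Env: append([]string(nil), secureEnv...)}
}

func main() {
	repo := Repo{}
	fmt.Println(SetPrivileged(User{}, &repo, true))            // non-admin attempt
	fmt.Println(SetPrivileged(User{Admin: true}, &repo, true)) // admin attempt
	secrets := []string{"DEPLOY_TOKEN=constructed-sample"}     // constructed value
	fmt.Printf("%+v\n", PlanBuild(repo, Build{PullRequest: "17"}, secrets))
	fmt.Printf("%+v\n", PlanBuild(repo, Build{}, secrets))
}
```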
Started working on this; not ready for a PR yet but making progress. It's rebased on top of #83 since that fixes the 'privileged' typo more thoroughly.
See https://github.com/vito/drone/commits/privileged-builds
I've started building out some testing infrastructure. Still a WIP; I'd like the docker client to be injected, so the tests aren't mutating global state to fake it out. Haven't tested that this actually works yet either.
By the way, I usually use Ginkgo/Gomega for testing. It provides a rich set of matchers, BDD-style testing, and a lot of nice concurrency-focused primitives. What would you think of adopting it? (I won't sneak it into this PR. :) )
from gitness.
yes, sounds good. I merged #83 last night
I haven't tried gomega, however, we've been playing around with goconvey. let me know what you think:
https://github.com/drone/drone/blob/master/pkg/handler/testing/users_test.go
from gitness.