And it keeps failing. When I shell into the image, I find that pgrep is missing; ls -l /usr/bin confirms that it's not just missing from the path somehow. The image (registry.gitlab.com/gitlab-org/gitlab-runner:ubi-fips) doesn't have ps either, so I'm not really sure how to replace pgrep.
I'll probably vendor this image directly, add pgrep, and then deploy it.
    yum install pgrep
    Updating Subscription Management repositories.
    Unable to read consumer identity
    This system is not registered with an entitlement server. You can use subscription-manager to register.
But I can delete the readiness probe, which I've done for the time being.
Literally all they need to do is add this to their Dockerfile for the runner: 'yum install -y pgrep'. If someone can point me at the source code I can do it myself. It's taking orders of magnitude more time to plan this than it would to do it.
And the fact that GitLab didn't catch this automatically means there is no automated test deployment of this capability in place, as the error causes a crash back-off in k8s at deploy time. A pretty bad detail when one considers this is a basic failure in DevSecOps, GitLab's specialty.
I’m about to start building a multi-tenant DevSecOps platform to support multiple contracts at a sizable DoD contractor and this will mean I’m seeing if GitHub has FIPS runners and if those aren’t broken out of the box. Everyone will be starting with the free versions initially but I’m sure plenty of contracts will include paid licenses.
@DarrenEastman, please get hold of someone in GitLab who can get things done to resolve this. I like GitLab better, but the fact that this error got through without being caught, meaning there is no automated deploy as a CI check, has led me to be much more timid in my praise of GitLab to others. I would really like to see this issue resolved.
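The readiness probe discussed above fails because the ubi-fips image ships neither pgrep nor ps, and the only workarounds mentioned so far are dropping the probe or vendoring the image. A third option that needs no extra packages is to emulate pgrep by scanning /proc, which every Linux container has regardless of what procps is installed. The function below is an added example, not code from the runner image or from anyone in this thread; the name pgrep_by_comm and the optional PROCROOT argument (used here so the function can be exercised against a constructed fake /proc tree) are assumptions of the example. It compares the full command name in /proc/PID/comm, so it behaves like `pgrep -x NAME` rather than the default substring match.

```shell
#!/bin/sh
# pgrep_by_comm NAME [PROCROOT]
#   Print the PIDs of processes whose /proc/PID/comm equals NAME, one per line.
#   Exit 0 if at least one matched, 1 otherwise (same contract as pgrep).
#   PROCROOT defaults to /proc; it exists so the function can be tested against
#   a constructed directory tree (example assumption, not part of the runner image).
#   Note: the kernel truncates comm to 15 characters, so match on the short name.
pgrep_by_comm() {
  name=$1
  root=${2:-/proc}
  found=1
  for d in "$root"/[0-9]*; do
    # Unreadable or vanished entries (process exited mid-scan) are skipped.
    [ -r "$d/comm" ] || continue
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    if [ "$comm" = "$name" ]; then
      echo "${d##*/}"
      found=0
    fi
  done
  return $found
}

# readiness_check NAME [PROCROOT]
#   What a readiness probe command would call: succeeds iff the process is running.
#   Output is suppressed because kubelet only looks at the exit status.
readiness_check() {
  pgrep_by_comm "$1" "${2:-/proc}" >/dev/null
}

# Stand-alone usage, e.g. as a probe's exec command in place of pgrep:
#   readiness_check gitlab-runner
if [ "${1:-}" ]; then
  readiness_check "$1"
fi
```

The probe's exec command would then be `sh -c '. /path/to/this.sh && readiness_check gitlab-runner'` (path and script name are whatever you choose when adding the file to the image); the function reads only files under /proc and runs fine as the unprivileged runner user.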
Had a cadence call yesterday with this GitLab Premium customer where this topic came up. They are about to undergo a migration to consolidate another team into their primary infrastructure, but they're worried that if this isn't fixed it may mean they need to hold off on moving those workloads.