Test secure analyzers running as non-root user in OpenShift environment
Problem to solve
As part of the engineering discovery issue "Allow secure analyzer Docker containers to run as a non-root user to support OpenShift", the following analyzers were updated to run as a non-root user:
- bundler-audit
- gemnasium root
- gemnasium-maven
- gemnasium-python
- retire.js
However, an OpenShift testing instance was not available at the time, so we've been unable to test these analyzers to ensure that they work properly in an OpenShift environment.
The purpose of this issue is to test the above analyzers in an OpenShift environment, which will be possible once the Secure OpenShift testing setup has been completed.
Intended users
Proposal
Previous proposal: add automated tests for the following analyzers to ensure that they function correctly in an OpenShift environment:
- bundler-audit
- gemnasium
- gemnasium-maven
- gemnasium-python
- retire.js
Manually test the following analyzers to ensure that they function correctly in an OpenShift environment:
How to test:
- Log in to the Red Hat OpenShift instance using the credentials from the Secure Openshift entry in the GitLab engineering 1Password vault.
- Go to the MR of the analyzer project to be tested, then from there to the Build QA image MR.
- Open the build tmp image job of the last pipeline, scroll down, and click on one of the links that sets up a new pipeline in one of the supported test projects; see details.
- Check the results of the pipeline and ensure it passed. For example, the following job failed for retire.js:

  ```
  RUNNING ANALYZER registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js/tmp:f392863c9e5c234322572b33c1f0b5497ae238e6
  $ whoami
  1000580000
  $ ls -al /etc/gitconfig
  -rw-rw-r-- 1 root gitlab 0 Dec 7 01:57 /etc/gitconfig
  $ /analyzer run
  [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ GitLab Retire.js analyzer v2.10.0
  [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Detecting project
  [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Found project in /builds/root/js-npm
  [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Running analyzer
  [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Using python 3
  [DEBU] [Retire.js] [2021-01-18T23:45:36Z] ▶ /usr/local/bin/npm config set python /usr/bin/python3
  npm ERR! code EACCES
  npm ERR! syscall open
  npm ERR! path /.npmrc
  npm ERR! errno -13
  npm ERR!
  npm ERR! Your cache folder contains root-owned files, due to a bug in
  npm ERR! previous versions of npm which has since been addressed.
  npm ERR!
  npm ERR! To permanently fix this problem, please run:
  npm ERR!   sudo chown -R 1000580000:0 "/.npm"
  [ERRO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Could not set Python version
  exit status 243
  ```

- If the job fails, figure out why this is happening and fix the corresponding analyzer. See this discussion for more details.
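The retire.js failure above is the classic OpenShift symptom: the job runs as an arbitrary UID (1000580000) that has no passwd entry, so `HOME` resolves to `/` and npm cannot write `/.npmrc` or its cache. As an added example that is not the analyzers' own Dockerfile, here is an image layout following OpenShift's arbitrary-UID guidance; the base image, the `/home/analyzer` path and the `COPY` of the analyzer binary are assumptions.

```dockerfile
# Added example: image layout that tolerates OpenShift's arbitrary UID
# (any UID, always with GID 0). Base image and paths are assumptions.
FROM node:14-alpine

# Hypothetical: the analyzer binary the log invokes as "/analyzer run".
COPY analyzer /analyzer

# Give the process a HOME that is not "/". An arbitrary UID has no passwd
# entry, so HOME defaults to / and npm tries to open /.npmrc -> EACCES.
# npm reads npm_config_<key> from the environment, so userconfig and
# cache can be pinned to the same writable location.
ENV HOME=/home/analyzer \
    npm_config_userconfig=/home/analyzer/.npmrc \
    npm_config_cache=/home/analyzer/.npm

# Pre-create the directories and make them writable by the root group:
# OpenShift adds every arbitrary UID to GID 0, so group-write (g=u)
# is sufficient without leaving the files world-writable.
RUN mkdir -p "$HOME/.npm" && \
    chgrp -R 0 "$HOME" && \
    chmod -R g=u "$HOME"

# Run as a numeric non-root UID in the root group by default; a numeric
# USER also lets OpenShift's runAsNonRoot check validate the image.
USER 1000:0

# Reproduce the OpenShift condition locally before a cluster is available
# (the failing step from the retire.js job above):
#   docker run --rm --user 1000580000:0 <image> sh -c \
#     'id -u; npm config set python /usr/bin/python3 && echo OK'
ENTRYPOINT ["/analyzer", "run"]
```

Running the same `docker run --user 1000580000:0` check against an image built without the `HOME`/`chgrp`/`chmod` lines reproduces the `EACCES` on `/.npmrc` seen in the job.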
What does success look like, and how can we measure that?
All secure analyzers that run as a non-root user can successfully be used in an OpenShift environment.
What is the type of buyer?
Enterprise Edition GitLab Ultimate
Is this a cross-stage feature?
No, this only affects ~"Category:Dependency Scanning"