[Feature flag] Rollout of `improved_container_scan_matching`
Summary
This issue is to rollout improved container scan matching on production,
that is currently behind the improved_container_scan_matching
feature flag.
&5577 (closed) contains full background. This feature introduces a new CI variable (CS_DEFAULT_BRANCH_IMAGE
) and vulnerability fingerprinting logic, which allows users to customize image naming conventions without breaking vulnerability associations between feature branches and the default branch.
Owners
- Team: ~"group::container security"
- Most appropriate slack channel to reach out to:
#g_protect_container_security
- Best individual to reach out to: @bwill
- PM: @sam.white
Stakeholders
Expectations
What are we expecting to happen?
When a container scanning pipeline is run on a merge request with these conditions:
- The name of a docker image differs between the default branch and non-default branches
-
CS_DEFAULT_BRANCH_IMAGE
is set to the name of the image on the default branch - The
improved_container_scan_matching
feature flag is enabled
Then the security widget on the merge request should no longer display findings as newly detected if they are already detected on the default branch.
Before | After |
---|---|
Auto DevOps should begin displaying the desired behavior without any action required by the user.
What might happen if this goes wrong?
This feature touches a few different areas.
- The container-scanning analyzer is now adding a
default_branch_image
field to the security report job artifact (gitlab-org/security-products/analyzers/container-scanning!2602 (merged))- This is not behind a feature flag
- This artifact is parsed by the rails backend and stored in the
Vulnerabilities::Findings.location
field. This field is ajsonb
column and thus there is no database migration required in order to adddefault_branch_image
to it. If we were to revert the change, the existing records in the database would continue to have thedefault_branch_image
field. To fully revert the change, a database migration would be required to remove the field from records which have it.
- The container scanning report parser has new logic for calculating the location fingerprint (!73486 (merged))
- This is behind a feature flag
- Once enabled, the way that the location fingerprint and vulnerability uuid are calculated will change
when
CS_DEFAULT_BRANCH_IMAGE
is set, but only for scans on non-default branches. - Since this change is only applicable for branches which are expected to be merged into the default branch,
it should not be necessary to migrate existing records.
- Existing merge requests will see the results of the change as soon as a new pipeline is run
- Long-term vulnerability data resides on the default branch, which will not have its fingerprinting changed
- Even if a "stale MR" (no pipeline run after the change) is merged, a new pipeline will run on the default branch and this will be used for the vulnerability data
- Old merge requests will continue to show the old behavior until a new pipeline is run. It's unlikely that users will care about this since this data is not likely to be considered relevant once the MR is merged or closed.
- Auto DevOps will begin using new environment variables (!74627 (merged))
- This is not behind a feature flag
- This change should not have any effect on the behavior of Auto DevOps outside of Container Scanning
- The change may be reverted by reverting the MR with no side effects
What can we monitor to detect problems with this?
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
-
/chatops run auto_deploy status 5117aeb754f88e30592bce250bd64acd0552f130
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set improved_container_scan_matching true --dev
-
/chatops run feature set improved_container_scan_matching true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. -
First test: #344534 (comment 749742441)
❌ QA failed.Re-test pending release of gitlab-org/security-products/analyzers/container-scanning!2615 (merged)
-
Second test: #344534 (comment 753671653)
✅ QA passed.
-
Specific rollout on production
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status 5117aeb754f88e30592bce250bd64acd0552f130
-
- Enable the feature on these entries:
-
/chatops run feature set --project=gitlab-org/protect/demos/container-scanning-test improved_container_scan_matching true
-
/chatops run feature set --project=gitlab-org/security-products/analyzers/container-scanning improved_container_scan_matching true
-
/chatops run feature set --project=gitlab-org/gitlab improved_container_scan_matching true
-
/chatops run feature set --project=gitlab-org/gitlab-foss improved_container_scan_matching true
-
/chatops run feature set --project=gitlab-com/www-gitlab-com improved_container_scan_matching true
-
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable. -
First test: #344534 (comment 755353251)
✅ QA Passed
-
Preparation before global rollout
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. - It does not. This change is low-risk and does not introduce any new services. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com.
Global rollout on production
All /chatops
commands that target production should be done in the #production
slack channel for visibility.
-
Incrementally roll out the feature. - Perform actor-based rollout.
-
/chatops run feature set improved_container_scan_matching <rollout-percentage> --actors
-
- Perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the default-enabling MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status 5117aeb754f88e30592bce250bd64acd0552f130
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup <feature-flag-name>
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
-
Create a merge request to remove improved_container_scan_matching
feature flag. Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status 5117aeb754f88e30592bce250bd64acd0552f130
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete improved_container_scan_matching --dev
-
/chatops run feature delete improved_container_scan_matching --staging
-
/chatops run feature delete improved_container_scan_matching
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set improved_container_scan_matching false
To fully rollback, the following merge requests would need to be reverted:
- gitlab-org/security-products/analyzers/container-scanning!2602 (merged)
- !74627 (merged)
- gitlab-org/security-products/analyzers/container-scanning!2615 (merged)
A DB migration would also need to be performed to clean up default_branch_image
values from the database.
Verification steps
Test with Auto DevOps
-
Create a new project
-
Go to Settings -> CI/CD -> Auto DevOps and make sure that
Default to Auto DevOps pipeline
is checked -
Click
New File
to open the Web IDE -
Create a
Dockerfile
with the following content:FROM debian:10
-
Commit your changes to
main
-
New CI pipeline runs on
main
-
Go to Security & Compliance -> Vulnerability Report and verify that there are security vulnerabilities
-
Create a new branch and add any new commit (i.e. Add README.md).
-
Open a merge request against
main
. -
New CI pipeline runs on merge request
-
Observe that no new vulnerabilities are added
Test without Auto DevOps
-
Create a new project
-
Click
New File
to open the Web IDE -
Create a
.gitlab-ci.yml
with the following content:include: - template: Jobs/Build.gitlab-ci.yml - template: Security/Container-Scanning.gitlab-ci.yml variables: CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/$CI_DEFAULT_BRANCH:$CI_COMMIT_SHA
-
Create a
Dockerfile
with the following content:FROM debian:10
-
Commit your changes to
main
-
New CI pipeline runs on
main
-
Go to Security & Compliance -> Vulnerability Report and verify that there are security vulnerabilities
-
Create a new branch and add any new commit (i.e. Add README.md).
-
Open a merge request against
main
. -
New CI pipeline runs on merge request
-
Observe that no new vulnerabilities are added
CS_DEFAULT_BRANCH_IMAGE
Test without -
Create a new project
-
Click
New File
to open the Web IDE -
Create a
.gitlab-ci.yml
with the following content:variables: DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA build: image: docker:latest stage: build services: - docker:dind script: - docker info - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - docker build -t $DOCKER_IMAGE . - docker push $DOCKER_IMAGE include: - template: Security/Container-Scanning.gitlab-ci.yml
-
Create a
Dockerfile
with the following content:FROM debian:10
-
Commit your changes to
main
-
New CI pipeline runs on
main
-
Go to Security & Compliance -> Vulnerability Report and verify that there are security vulnerabilities
-
Create a new branch and add any new commit (i.e. Add README.md).
-
Open a merge request against
main
. -
New CI pipeline runs on merge request
-
Observe that no new vulnerabilities are added