Commit 040a84d1 authored by Daniel Juarez's avatar Daniel Juarez Committed by Alessio Caiazza

Allow disabling docker entrypoint overwrite

parent ad3eebfd
......@@ -34,6 +34,7 @@ concurrent = 4
host = ""
image = "ubuntu-upstart:14.04"
privileged = false
disable_entrypoint_overwrite = false
disable_cache = false
cache_dir = ""
[runners.docker.sysctls]
......
......@@ -176,26 +176,27 @@ This defines the Docker Container parameters.
| Parameter | Description |
| --------- | ----------- |
| `host` | Specify custom Docker endpoint, by default `DOCKER_HOST` environment is used or `unix:///var/run/docker.sock` |
| `hostname` | Specify custom hostname for Docker container |
| `runtime` | Specify a runtime for Docker container |
| `tls_cert_path` | When set it will use `ca.pem`, `cert.pem` and `key.pem` from that folder to make secure TLS connection to Docker (useful in boot2docker) |
| `image` | Use this image to run builds |
| `memory` | String value containing the memory limit |
| `memory_swap` | String value containing the total memory limit |
| `memory_reservation` | String value containing the memory soft limit |
| `cpuset_cpus` | String value containing the cgroups CpusetCpus to use |
| `cpus` | Number of CPUs (available in docker 1.13 or later) |
| `dns` | A list of DNS servers for the container to use |
| `dns_search` | A list of DNS search domains |
| `privileged` | Make container run in Privileged mode (insecure) |
| `userns_mode` | Sets the usernamespace mode for the container when usernamespace remapping option is enabled. (available in docker 1.10 or later) |
| `cap_add` | Add additional Linux capabilities to the container |
| `cap_drop` | Drop additional Linux capabilities from the container |
| `security_opt` | Set security options (--security-opt in docker run), takes a list of ':' separated key/values |
| `devices` | Share additional host devices with the container |
| `cache_dir` | Specify where Docker caches should be stored (this can be absolute or relative to current working directory). See `disable_cache` for more information. |
| `disable_cache` | The Docker executor has 2 levels of caching: a global one (like any other executor) and a local cache based on Docker volumes. This configuration flag acts only on the local one which disables the use of automatically created (not mapped to a host directory) cache volumes. In other words, it only prevents creating a container that holds temporary files of builds, it does not disable the cache if the Runner is configured in [distributed cache mode](autoscale.md#distributed-runners-caching). |
| `host` | Specify custom Docker endpoint, by default `DOCKER_HOST` environment is used or `unix:///var/run/docker.sock` |
| `hostname` | Specify custom hostname for Docker container |
| `runtime` | Specify a runtime for Docker container |
| `tls_cert_path` | When set it will use `ca.pem`, `cert.pem` and `key.pem` from that folder to make secure TLS connection to Docker (useful in boot2docker) |
| `image` | Use this image to run builds |
| `memory` | String value containing the memory limit |
| `memory_swap` | String value containing the total memory limit |
| `memory_reservation` | String value containing the memory soft limit |
| `cpuset_cpus` | String value containing the cgroups CpusetCpus to use |
| `cpus` | Number of CPUs (available in docker 1.13 or later) |
| `dns` | A list of DNS servers for the container to use |
| `dns_search` | A list of DNS search domains |
| `privileged` | Make container run in Privileged mode (insecure) |
| `disable_entrypoint_overwrite` | Disable the image entrypoint overwriting |
| `userns_mode` | Sets the usernamespace mode for the container when usernamespace remapping option is enabled. (available in docker 1.10 or later) |
| `cap_add` | Add additional Linux capabilities to the container |
| `cap_drop` | Drop additional Linux capabilities from the container |
| `security_opt` | Set security options (--security-opt in docker run), takes a list of ':' separated key/values |
| `devices` | Share additional host devices with the container |
| `cache_dir` | Specify where Docker caches should be stored (this can be absolute or relative to current working directory). See `disable_cache` for more information. |
| `disable_cache` | The Docker executor has 2 levels of caching: a global one (like any other executor) and a local cache based on Docker volumes. This configuration flag acts only on the local one which disables the use of automatically created (not mapped to a host directory) cache volumes. In other words, it only prevents creating a container that holds temporary files of builds, it does not disable the cache if the Runner is configured in [distributed cache mode](autoscale.md#distributed-runners-caching). |
| `network_mode` | Add container to a custom network |
| `wait_for_services_timeout` | Specify how long to wait for docker services, set to 0 to disable, default: 30 |
| `volumes` | Specify additional volumes that should be mounted (same syntax as Docker's `-v` flag) |
......
......@@ -687,9 +687,7 @@ func (e *executor) createService(serviceIndex int, service, version, image strin
if len(serviceDefinition.Command) > 0 {
config.Cmd = serviceDefinition.Command
}
if len(serviceDefinition.Entrypoint) > 0 {
config.Entrypoint = serviceDefinition.Entrypoint
}
config.Entrypoint = e.overwriteEntrypoint(&serviceDefinition)
hostConfig := &container.HostConfig{
RestartPolicy: neverRestartPolicy,
......@@ -867,9 +865,7 @@ func (e *executor) createContainer(containerType string, imageDefinition common.
Env: append(e.Build.GetAllVariables().StringList(), e.BuildShell.Environment...),
}
if len(imageDefinition.Entrypoint) > 0 {
config.Entrypoint = imageDefinition.Entrypoint
}
config.Entrypoint = e.overwriteEntrypoint(&imageDefinition)
nanoCPUs, err := e.Config.Docker.GetNanoCPUs()
if err != nil {
......@@ -1140,6 +1136,18 @@ func (e *executor) expandImageName(imageName string, allowedInternalImages []str
return e.Config.Docker.Image, nil
}
func (e *executor) overwriteEntrypoint(image *common.Image) []string {
if len(image.Entrypoint) > 0 {
if !e.Config.Docker.DisableEntrypointOverwrite {
return image.Entrypoint
}
e.Warningln("Entrypoint override disabled")
}
return nil
}
func (e *executor) connectDocker() (err error) {
client, err := docker_helpers.New(e.Config.Docker.DockerCredentials, DockerAPIVersion)
if err != nil {
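Review bot: The warning in `overwriteEntrypoint`, `Entrypoint override disabled`, does not name the image whose job-supplied entrypoint was dropped, and it says "override" where the setting is `disable_entrypoint_overwrite`, so a job trace cannot show whether the build image or a service was affected. I would change it to `e.Warningln("Entrypoint overwrite disabled by runner configuration, ignoring entrypoint requested for image", image.Name)` and update the string the new test asserts on. The helper also lacks a doc comment, for example `// overwriteEntrypoint returns the job-supplied entrypoint of image, or nil when none is set or DisableEntrypointOverwrite is enabled.` In the `createService` hunk the job-supplied `serviceDefinition.Command` is still copied to `config.Cmd`, so the flag pins only the entrypoint and not the arguments passed to it; the parameter description should say so for operators who use it as a hardening control. Both `createService` and `createContainer` start and end outside their hunks and now assign `config.Entrypoint` unconditionally, so any entrypoint set on `config` above the visible lines (not shown here) would be reset to nil.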
......
......@@ -132,6 +132,83 @@ func TestDockerCommandWithAllowedImagesRun(t *testing.T) {
assert.NoError(t, err)
}
func TestDockerCommandDisableEntrypointOverwrite(t *testing.T) {
if helpers.SkipIntegrationTests(t, "docker", "info") {
return
}
tests := []struct {
name string
services bool
disabled bool
}{
{
name: "Disabled - no services",
disabled: true,
},
{
name: "Disabled - services",
disabled: true,
services: true,
},
{
name: "Enabled - no services",
},
{
name: "Enabled - services",
services: true,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
successfulBuild, err := common.GetRemoteSuccessfulBuild()
require.NoError(t, err)
successfulBuild.Image.Entrypoint = []string{"/bin/sh", "-c", "echo 'image overwritten'"}
if test.services {
successfulBuild.Services = common.Services{
common.Image{
Name: common.TestDockerDindImage,
Entrypoint: []string{"/bin/sh", "-c", "echo 'service overwritten'"},
},
}
}
build := &common.Build{
JobResponse: successfulBuild,
Runner: &common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Executor: "docker",
Docker: &common.DockerConfig{
Privileged: true,
Image: common.TestAlpineImage,
PullPolicy: common.PullPolicyIfNotPresent,
DisableEntrypointOverwrite: test.disabled,
},
},
},
}
var buffer bytes.Buffer
err = build.Run(&common.Config{}, &common.Trace{Writer: &buffer})
assert.NoError(t, err)
out := buffer.String()
if test.disabled {
assert.NotContains(t, out, "image overwritten")
assert.NotContains(t, out, "service overwritten")
assert.Contains(t, out, "Entrypoint override disabled")
} else {
assert.Contains(t, out, "image overwritten")
if test.services {
assert.Contains(t, out, "service overwritten")
}
}
})
}
}
func isDockerOlderThan17_07(t *testing.T) bool {
client, err := docker_helpers.New(
docker_helpers.DockerCredentials{}, docker.DockerAPIVersion)
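Review bot: `Privileged: true` is set for all four cases in `TestDockerCommandDisableEntrypointOverwrite`, although only the cases that start `common.TestDockerDindImage` as a service could need it. `Privileged: test.services,` would keep the no-service cases from running a privileged container on the test host. The "Disabled - no services" case also asserts `NotContains(t, out, "service overwritten")`, which passes trivially because no service is defined; I would guard that assertion with `if test.services` as the enabled branch does.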
......