-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move privileged flag to yaml file #849
Comments
TL;DR: I don't think flags to elevate container permissions should be present in the YAML unless they can be encrypted. I'm not sure I like exposing any of the Docker privileges in the YAML file. Yes, it's possible (like is done today) to not build PR's with these Docker privileges... but consider the case where I have tests that need elevated privileges, to access Netlink or My suggestion would be to use the finer grained permissions available in Docker - As such, I'm 👍 for separating between An example policy might be:
Having these in a policy will remove the assumptions on trust that are in the code today and place it all under the users's control. If we want to allow all configuration to live in the YAML, allowing certain parts of the YAML to be encrypted with a repo-specific token would reduce the risk of unwanted tampering (making it safer to apply trust to all PR's for a given repo) e.g cat << EOF > foo.yml
privileged: true
net: host
volume: {{VOLUME_NAME}}:/opt/bar
EOF
drone encrypt my_repo foo.yml
f3d7f8a9930dabf485fce74ffaad6941a554c182 Then this could be used as follows in ---
docker:
encrypted: f3d7f8a9930dabf485fce74ffaad6941a554c182 Assuming the file is decrypted before it's variables are injected, you can still use private variables to capture any host specifics. |
Thanks for weighing in. Some great points.
What about diffing the YAML files? We could compare the YAML to the prior run and halt the build for manual review and execution if changes were made. In fact, we would probably do this for all non-admin pull requests to public repositories labeled as trusted (which I believe you suggested in another thread). Encryption is another option. We initially avoided encryption in favor of private environment variables so that you could fork a repository and supply the same named, private variables. I'm not opposed to re-thinking this strategy. |
diffing the YAML sounds good. |
Just seen this now. I think diffing would actually be the cleanest solution! 👍 |
👍 but for the reason that I want to pass specific limitations rather than just "privileged for everything" |
diffing the YAML and then not allowing builds for untrusted users would be a great way to improve the security of the builds in public repos. It would also be useful if the diffing could be extended to other specified files, like upload scripts etc. although this is less important. I think once you have the ability to stop builds from non-trusted users that change the code executed on the build server the system will become much more secure. |
does this have to happen in release 0.4.0 only? I can provide a patch to master right now just like the docker tty mode |
I would like to move the
Privileged
field to the Docker section of the yaml file:And then change the
Privileged
field toTrusted
:Note that for compatibility reasons we should leave the database field alone (as
repo_privileged
) to avoid complicating our migrations.The reasons for this change is that we are adding features (like Volume support) that require elevated privileges in order to enable. Enabling volumes, however, does not mean that someone wants to run the build in a Docker container with privileged mode. This is why I think it makes sense to start differentiating between
trusted
andprivileged
The text was updated successfully, but these errors were encountered: