我有一个包含以下内容的 Makefile:
docker-compose.yml:
wget https://gitlab.com/dependabot-gitlab/dependabot/-/raw/v0.34.0/docker-compose.yml
docker run --rm -v ${PWD}:${PWD} -w ${PWD} mikefarah/yq:3 yq delete -i docker-compose.yml 'services[*].ports'
运行
make docker-compose.yml
按预期工作,下载并破解目标 docker-compose.yml 远程文件。
但是,如果我配置 GitLab CI 作业来运行此命令:
deploy:
image: docker:20.10
services:
- docker:20.10-dind
before_script:
- apk add make wget
- make docker-compose.yml
script: docker-compose up -d
我有以下错误:
$ make docker-compose.yml
wget https://gitlab.com/dependabot-gitlab/dependabot/-/raw/v0.34.0/docker-compose.yml
make: wget: Operation not permitted
make: *** [Makefile:5: docker-compose.yml] Error 127
但是将
make docker-compose.yml
命令内容直接复制粘贴到 CI 作业脚本中,如下所示:
deploy:
# ...
before_script:
- apk add wget
# Copy of make docker-compose.yml
# For "reasons", using the make command end to a "wget: Operation not permitted" error.
- wget https://gitlab.com/dependabot-gitlab/dependabot/-/raw/v0.34.0/docker-compose.yml
- docker run --rm -v ${PWD}:${PWD} -w ${PWD} mikefarah/yq:3 yq delete -i docker-compose.yml 'services[*].ports'
# ...
为什么我在 CI 作业中使用
make
没有相同的行为,如何解决这个问题以避免逻辑重复?
出于安全原因,seccomp 限制了 docker 容器可以执行的操作。
在 gitlab 运行程序的 toml 文件中添加以下内容以关闭 seccomp:
[runners.docker]
security_opt = ["seccomp:unconfined"]
通常这是可以接受的风险!
您可以在此处阅读有关修剪 seccomp 的更多信息:https://docs.docker.com/engine/security/seccomp