Migrate the existing proof-of-concept node CI templates to the slim node wm node docker images and install the necessary packages via apt and npm. This was recommended by Release-Engineering-Team, but there is still some debate regarding this security model (T291978).
Description
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | sbassett | T289290 Design and Build Application Security Pipeline Components for Gitlab |
| Resolved | | brennen | T289292 Create Security Team group within gitlab.wikimedia.org |
| Resolved | | sbassett | T289293 Create initial proof of concept application security pipeline repository |
| Invalid | | thcipriani | T294306 Migrate existing proof-of-concept node ci templates to slim node wm node docker images |
Event Timeline
This... didn't work out. The slim node images didn't even have npm available within them, which is a chore to install by itself with a specific, dated version of Node. Anyhow, the devel images work just fine and don't appear to hamper performance much, if at all, so we should use those for now IMO and avoid making our lives much more difficult than they need be.
Hello Release-Engineering-Team - I know that we had discussed using various slim images for our Gitlab CI templates, particularly the nodejs images, but those appeared to be more problematic given that they didn't even have npm installed. So I went with the -devel images, which worked well and seemed performant? See my more detailed write-up, within the context of my experiments with the auditjs SCA tool, here: T294311#7483920.
Hey @thcipriani -
Just wondering if you and/or @brennen had any feedback on this and what I wrote at T294311#7483920. Given some of the discussions around Wikimedia Gitlab runner strategies at T295481, T292094 and T291978, I think the Security-Team's most immediate concerns are that our current ci template strategy is still sound and shouldn't run into issues around apt, npm, etc. package installation on top of base docker-registry.w.o images and any potential performance concerns. Thanks.
Sorry for the re-open on the task, just wanted to be sure I'd have a reminder to comment here. We can move the discussion over to T294311.