Page MenuHomePhabricator
Create Task
Maniphest T294306

Migrate existing proof-of-concept node ci templates to slim node wm node docker images
Closed, InvalidPublic
Actions

Description

Migrate existing proof-of-concept node ci templates to slim node wm node docker images and install necessary packages via apt and npm. This was recommended by Release-Engineering-Team but there is still some debate regarding this security model (T291978).

Related Objects
Search...

Event Timeline

sbassett created this task.Oct 25 2021, 9:27 PM
sbassett edited subscribers, added: TAdeleye_WMF; removed: Aklapper, Jcross, thcipriani and 2 others.Oct 25 2021, 9:34 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.Oct 26 2021, 7:42 PM
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Oct 26 2021, 7:51 PM
sbassett closed this task as Invalid.Nov 5 2021, 1:23 AM
sbassett triaged this task as Lowest priority.

This... didn't work out. The slim node images didn't even have npm available within them, which is a chore to install by itself with a specific, dated version of Node. Anyhow, the devel images work just fine and don't appear to hamper performance much, if at all, so we should use those for now IMO and avoid making our lives much more difficult than they need be.

sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.Nov 5 2021, 1:23 AM
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett mentioned this in T294311: Finish node/npm initial tool ci templates for auditjs (Node 10, 12, 14).Nov 5 2021, 2:09 AM
sbassett added a comment.Nov 8 2021, 6:53 PM

Hello Release-Engineering-Team - I know that we had discussed using various slim images for our Gitlab CI templates, particularly the nodejs images, but those appeared to be more problematic given that they didn't even have npm installed. So I went with the -devel images, which worked well and seemed performant? See my more detailed write-up here within the context of my experiments with the auditjs SCA tool here: T294311#7483920.

sbassett added a project: Release-Engineering-Team.Nov 8 2021, 6:54 PM
thcipriani reopened this task as Open.Nov 10 2021, 6:34 PM
thcipriani claimed this task.
In T294306#7490362, @sbassett wrote:

Hello Release-Engineering-Team - I know that we had discussed using various slim images for our Gitlab CI templates, particularly the nodejs images, but those appeared to be more problematic given that they didn't even have npm installed. So I went with the -devel images, which worked well and seemed performant? See my more detailed write-up here within the context of my experiments with the auditjs SCA tool here: T294311#7483920.

I'll get you a more detailed reply once I'm clear of meetings

thcipriani edited projects, added Release-Engineering-Team (Doing); removed Release-Engineering-Team.Nov 10 2021, 6:34 PM
sbassett added a subscriber: brennen.Nov 15 2021, 5:21 PM
In T294306#7496841, @thcipriani wrote:

I'll get you a more detailed reply once I'm clear of meetings

Hey @thcipriani -

Just wondering if you and/or @brennen had any feedback on this and what I wrote at T294311#7483920. Given some of the discussions around Wikimedia Gitlab runner strategies at T295481, T292094 and T291978, I think the Security-Team's most immediate concerns are that our current ci template strategy is still sound and shouldn't run into issues around apt, npm, etc. package installation on top of base docker-registry.w.o images and any potential performance concerns. Thanks.

thcipriani closed this task as Invalid.Nov 16 2021, 12:22 AM

Sorry for the re-open on the task, just wanted to be sure I'd have a reminder to comment here. We can move the discussion over to T294311.

sbassett added a project: GitLab-Application-Security-Pipeline.Jul 13 2023, 7:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL