Add Docker login to Jenkins script to avoid rate limit issue #6368
Conversation
|
/test-e2e |
1 similar comment
|
/test-e2e |
ci/jenkins/test.sh
Outdated
| @@ -984,6 +994,7 @@ if [[ $TESTCASE =~ "multicast" ]]; then | |||
| fi | |||
|
|
|||
| source $WORKSPACE/ci/jenkins/utils.sh | |||
| docker_login "${dockerUser}" "${dockerPassword}" | |||
There was a problem hiding this comment.
Not sure if there is such convention: should it disable xtrace first before using the secret, otherwise it would be printed to terminal by enabling xtrace in other place in this script and it won't be easy to notice.
The following code should ensure it won't be printed:
(
set +x
docker_login "${dockerUser}" "${dockerPassword}"
)@antoninbas do you know how is this usually handled?
There was a problem hiding this comment.
The secret is stored in Jenkins credentials and will not be exposed in the results. However, we should indeed avoid printing too much information about the login step, will update the code.
There was a problem hiding this comment.
Personally I think like this should not even be in the script if possible.
Isn't there a way to configure Jenkins so that we login to Docker before even calling this script?
There was a problem hiding this comment.
@antoninbas Do you mean to put this login script into Jenkins macros to avoid modifying the test.sh related scripts? Using this method, we would need to modify the macros definition for all related jobs. In the Nephe CI pipeline, we have verified a similar method to log into Docker as we did in this PR. https://github.com/antrea-io/nephe/blob/9faeba2c189821045e4ea6d37a1c97dbdecf67bd/ci/jenkins/nephe-ci.sh#L112
And I haven't found another way to log into Docker before running script in a freestyle job. It is possible to configure Docker login through a Jenkins pipeline job, but pipeline jobs are not compatible with the freestyle Jenkins setup we are currently using.
There was a problem hiding this comment.
Personally I think like this should not even be in the script if possible. Isn't there a way to configure Jenkins so that we login to Docker before even calling this script?
Yes, Handling Docker login credentials within a script can be a security risk. It's generally better to manage authentication outside of the script . isn't the docker credentials be stored in jenkins credentials and used to access it using credentials in job itself, In that case it has be configured in each and every job then !
There was a problem hiding this comment.
Personally I think like this should not even be in the script if possible. Isn't there a way to configure Jenkins so that we login to Docker before even calling this script?
Yes, Handling Docker login credentials within a script can be a security risk. It's generally better to manage authentication outside of the script . isn't the docker credentials be stored in jenkins credentials and used to access it using credentials in job itself, In that case it has be configured in each and every job then !
When using the Jenkins Credential secrets, you can securely inject sensitive credentials into the build process as environment variables. These variables are visible during use, but Jenkins automatically masks their values to prevent them from being displayed in the build logs.
After consideration, I placed the login script in the macro YAML, which ensures that the login step cannot be changed by any PR.
|
/test-all |
|
/test-all |
|
/test-conformance |
ci/jenkins/jobs/macros.yaml
Outdated
| @@ -103,7 +103,7 @@ | |||
| #!/bin/bash | |||
| set -ex | |||
| DOCKER_REGISTRY="$(head -n1 ci/docker-registry)" | |||
| ./ci/jenkins/test-vmc.sh --cluster-name "$BUILD_TAG" --testcase e2e --coverage --codecov-token "${CODECOV_TOKEN}" --registry ${DOCKER_REGISTRY} --username "${CAPVC_USERNAME}" --password "${CAPVC_PASSWORD}" | |||
| ./ci/jenkins/test-vmc.sh --cluster-name "$BUILD_TAG" --testcase e2e --coverage --codecov-token "${CODECOV_TOKEN}" --registry ${DOCKER_REGISTRY} --username "${CAPVC_USERNAME}" --password "${CAPVC_PASSWORD}" --dockerUser "${{DOCKER_USERNAME}}" --dockerPassword "${{DOCKER_PASSWORD}}" | |||
There was a problem hiding this comment.
Probably better to follow the same name pattern as others, e.g. '--docker-user' --docker-password
XinShuYang
force-pushed
the
dockerlogin
branch
5 times, most recently
from
cc79745 to
cbad3f4
Compare
|
/test-all |
|
/test-conformance |
ci/jenkins/jobs/macros.yaml
Outdated
| ./ci/jenkins/docker_login.sh --docker-user "${{DOCKER_USERNAME}}" --docker-password "${{DOCKER_PASSWORD}}" | ||
| DOCKER_REGISTRY="$(head -n1 ci/docker-registry)" |
There was a problem hiding this comment.
it's a little bit strange that we call docker_login.sh unconditionally, and then we run DOCKER_REGISTRY. In theory, if we have DOCKER_REGISTRY="$(head -n1 ci/docker-registry)", that means that DOCKER_REGISTRY is not guaranteed to be docker.io, but docker_login.sh assumes that the registry is docker.io.
Maybe these 2 instructions should be swapped, and docker_login.sh should return immediately if DOCKER_REGISTRY is not docker.io? Or some other solution that makes docker login conditional.
There was a problem hiding this comment.
Yes it make sense, I add a registry flag for the login script.
XinShuYang
force-pushed
the
dockerlogin
branch
2 times, most recently
from
429f614 to
98e81de
Compare
|
/test-all |
|
/test-all |
ci/jenkins/docker_login.sh
Outdated
| echo "Logging into Docker Hub..." | ||
| docker_login "${DOCKER_USERNAME}" "${DOCKER_PASSWORD}" | ||
| else | ||
| echo "Registry $DOCKER_REGISTRY is not supported for login by this script." |
There was a problem hiding this comment.
it feels to me that we should just avoid calling the script in this case.
If we use the following, it won't really be more verbose than what we have currently:
[ "$DOCKER_REGISTRY" == "docker.io" ] || ./ci/jenkins/docker_login.sh --docker-user ${{DOCKER_USERNAME}} --docker-password ${{DOCKER_PASSWORD}}
There was a problem hiding this comment.
it feels to me that we should just avoid calling the script in this case. If we use the following, it won't really be more verbose than what we have currently:
[ "$DOCKER_REGISTRY" == "docker.io" ] || ./ci/jenkins/docker_login.sh --docker-user ${{DOCKER_USERNAME}} --docker-password ${{DOCKER_PASSWORD}}
Got the point, updated the macro script, PTAL.
There was a problem hiding this comment.
@antoninbas I think it should be
[ "$DOCKER_REGISTRY" != "docker.io" ] || ./ci/jenkins/docker_login.sh --docker-user ${{DOCKER_USERNAME}} --docker-password ${{DOCKER_PASSWORD}} right?
The docker_login.sh should only be executed when $DOCKER_REGISTRY is docker.io
ci/jenkins/docker_login.sh
Outdated
| echo "Docker login failed. Retrying" | ||
| fi | ||
| done | ||
| set -ex |
There was a problem hiding this comment.
shouldn't it exit with non-zero code if it never succeeds?
There was a problem hiding this comment.
Yes, updated the script.
There was a problem hiding this comment.
I think this will never be called?
|
/test-all |
|
/test-all |
ci/jenkins/docker_login.sh
Outdated
| echo "Docker login failed. Retrying" | ||
| fi | ||
| done | ||
| set -ex |
There was a problem hiding this comment.
I think this will never be called?
| esac | ||
| done | ||
|
|
||
| function docker_login() { |
There was a problem hiding this comment.
My bad, corrected it.
|
/test-all |
Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues Signed-off-by: Shuyang Xin <[email protected]>
|
/test-all |
Signed-off-by: Antonin Bas <[email protected]>
|
/test-all |
…io#6368) * Add Docker login to Jenkins script to avoid rate limit issue Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues Signed-off-by: Shuyang Xin <[email protected]> * Fix some issues in docker_login.sh Signed-off-by: Antonin Bas <[email protected]> --------- Signed-off-by: Shuyang Xin <[email protected]> Signed-off-by: Antonin Bas <[email protected]> Co-authored-by: Antonin Bas <[email protected]>
…io#6368) * Add Docker login to Jenkins script to avoid rate limit issue Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues Signed-off-by: Shuyang Xin <[email protected]> * Fix some issues in docker_login.sh Signed-off-by: Antonin Bas <[email protected]> --------- Signed-off-by: Shuyang Xin <[email protected]> Signed-off-by: Antonin Bas <[email protected]> Co-authored-by: Antonin Bas <[email protected]>
…6439) * Add Docker login to Jenkins script to avoid rate limit issue Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues * Fix some issues in docker_login.sh Signed-off-by: Shuyang Xin <[email protected]> Signed-off-by: Antonin Bas <[email protected]>
…6440) * Add Docker login to Jenkins script to avoid rate limit issue Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues * Fix some issues in docker_login.sh Signed-off-by: Shuyang Xin <[email protected]> Signed-off-by: Antonin Bas <[email protected]>
Enhance Jenkins pipeline by integrating Docker credentials for login to avoid rate limit issues