Oscar
November 25, 2024, 9:20am
I am currently working on a CI pipeline to create and sign Docker images; I uploaded the delegated key for signing to GitLab. During the pipeline, I use download-secure-files to retrieve the file. My problem now is that, as you can see below, the script reports that it has downloaded the key to /var/certs/, but after running ls on the directory, the file is not there.
Before that, I had already tried to store the key inside a VARIABLE and use echo to write the content to the file, but there I lost the new lines, which docker trust doesn't like. I also tried moving the repository to gitlab.com, because I wasn't sure whether my university's server is up to date, but the execution still fails.
Below, you will see the deployment stage of the pipeline.
deploy:
  stage: deploy
  image: docker:latest
  services:
    - docker:latest
  variables:
    SECURE_FILES_DOWNLOAD_PATH: '/var/certs'
  only:
    - master
  script:
    - apk update
    - apk add curl
    - apk add bash
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
    - ls -la /var/certs/
    - ls -la .secure_files/
    - echo $SIGNING_KEY_PASSWORD | docker trust key load /var/certs/10505ee4d3913ea70a8d69e19df1a59dc5af99920f9ba4a1b11714b383da4a00.key --name gitlab
    # 'docker info' command is used to debug the job.
    - docker info
My command to start the GitLab runner is the following.
sudo gitlab-runner register -n --url "https://gitlab.com/" --registration-token TOKEN --executor docker --description "My Docker Runner" --docker-image "docker:24.0.5" --docker-privileged
From the provided information and screenshot, the issue seems to revolve around the expected behavior of the download-secure-files script, which claims to have downloaded the key file but doesn't actually make it available in the specified directory.
Here's how we can approach resolving this:
1. Confirm Successful Secure File Download
Ensure that the curl command successfully downloads the download-secure-files installer. Add debugging steps to verify the existence of the installer script:
  script:
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" -o installer
    - cat installer
    - bash installer
    - ls -la /var/certs/
If the installer is empty or invalid, this points to a download issue.
2. Debug SECURE_FILES_DOWNLOAD_PATH
The SECURE_FILES_DOWNLOAD_PATH variable specifies where secure files are downloaded. Ensure the script respects this variable by adding debug logs:
  script:
    - echo "SECURE_FILES_DOWNLOAD_PATH: $SECURE_FILES_DOWNLOAD_PATH"
    - ls -la $SECURE_FILES_DOWNLOAD_PATH
If /var/certs is empty, the issue might be:
Permissions: Ensure the GitLab Runner has permissions to write to /var/certs.
Incorrect variable usage in the installer script.
3. Validate File Downloaded Path
The script may not store files in /var/certs. Secure files might instead be placed under the .secure_files directory.
Check both directories (/var/certs and .secure_files) for the key file:
  script:
    - ls -la /var/certs/
    - ls -la .secure_files/
4. Explicitly Set and Verify Permissions
Since /var/certs might have restrictive permissions, set them explicitly:
  script:
    - mkdir -p /var/certs
    - chmod 777 /var/certs
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
    - ls -la /var/certs/
5. Alternative Secure File Retrieval
If the download-secure-files script isn't working as expected, consider manually echoing the key's content into a file while preserving new lines:
  script:
    - mkdir -p /var/certs
    - echo "$SIGNING_KEY" | base64 -d > /var/certs/signing.key
    - chmod 600 /var/certs/signing.key
For the above:
Store the Base64-encoded signing key in a CI variable (SIGNING_KEY).
Decode and save it during the pipeline execution.
This avoids relying on the download-secure-files script.
6. Debug Docker Runner Privileges
Your runner configuration uses the --docker-privileged flag, but ensure the runner has permissions to write to /var and interact with Docker securely.
Add debug commands to confirm runner capabilities:
  script:
    - whoami
    - ls -ld /var
    - docker info
7. Use an Alternative Directory
If /var/certs isn't writable or causes issues, you can set a different secure file path:
  variables:
    SECURE_FILES_DOWNLOAD_PATH: '.secure_files'
Then adjust your script to reference .secure_files:
  script:
    - ls -la .secure_files/
    - echo $SIGNING_KEY_PASSWORD | docker trust key load .secure_files/10505ee4d3913ea70a8d69e19df1a59dc5af99920f9ba4a1b11714b383da4a00.key --name gitlab
Next Steps
Implement the debugging steps to locate where the downloaded file resides, or whether it is downloaded at all.
If the issue persists, consider replacing the download-secure-files script with a manual approach for secure key handling.
Let me know the results of these steps, and we can further refine the solution!
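The original post mentions losing the key's line breaks when writing a CI variable to a file with echo, and step 5 of the reply proposes the base64 route instead. The following is an added example, not code from either poster: it reproduces the newline loss (an unquoted `$VAR` expansion is word-split, so echo joins the lines with spaces), shows the quoted and the base64-decoded variants that keep the PEM structure, and adds the sanity checks a practitioner would run before `docker trust key load`. The sample key is a constructed placeholder, and the function names are the example's own; it writes under a 077 umask so the key lands as mode 0600 instead of depending on a world-writable directory.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): write a multi-line key held in a CI
# variable to disk without losing its line breaks, then sanity-check the file.
# SAMPLE_KEY is a constructed stand-in for a docker trust delegation key; in a
# real job the content comes from a masked CI variable such as SIGNING_KEY.

SAMPLE_KEY='-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBdummy0000000000000000000000000000000000000000000000000000000
MIIBdummy1111111111111111111111111111111111111111111111111111111
-----END ENCRYPTED PRIVATE KEY-----'

# Count the lines of a string (what the key file must preserve).
count_lines() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# The bug: an unquoted expansion is subject to word splitting on IFS
# (space, tab, newline), so echo receives the lines as separate words and
# joins them with single spaces. The PEM structure is gone.
lossy_write() {
    # $1 = key content, $2 = destination path
    echo $1 > "$2"
}

# The fix: quote the expansion and write with printf. A 077 umask makes the
# new file mode 0600, so the key is never readable by other users.
safe_write() {
    # $1 = key content, $2 = destination path
    dir=$(dirname "$2")
    mkdir -p "$dir"
    ( umask 077 && printf '%s\n' "$1" > "$2" )
}

# Variant for the base64-in-variable approach from step 5 of the reply:
# decode straight into the file; base64 restores the original bytes,
# newlines included, regardless of how the variable was expanded.
safe_write_b64() {
    # $1 = base64 content, $2 = destination path
    dir=$(dirname "$2")
    mkdir -p "$dir"
    ( umask 077 && printf '%s' "$1" | base64 -d > "$2" )
}

# Checks worth running before `docker trust key load`: the file exists, the
# BEGIN and END markers sit on their own lines, there are at least three
# lines, and the mode is 0600. Returns 0 when all hold, 1 otherwise.
check_key_file() {
    [ -f "$1" ] || return 1
    grep -q '^-----BEGIN' "$1" || return 1
    grep -q '^-----END' "$1" || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -ge 3 ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || return 1
    return 0
}
```

In a GitLab job the equivalent of `safe_write_b64 "$SIGNING_KEY" "$SECURE_FILES_DOWNLOAD_PATH/signing.key"` followed by `check_key_file` gives a clear failure before the pipeline reaches the signing step, which is easier to diagnose than an error from docker trust.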