文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >在gitlab ci中存储docker镜像的位置是什么?

在gitlab ci中存储docker镜像的位置是什么?
EN

Stack Overflow用户
提问于 2021-10-21 04:41:43
回答 2查看 142关注 0票数 0

我已经成功地构建了一个docker镜像,并将其标记为testdock:latest ($CI_REGISTRY_IMAGE:latest),$CI_REGISTRY变量保存在GitLab项目变量中。

我还有另一个阶段,开始使用Trivy扫描testdock图像:这个过程停滞不前,没有任何进展。我猜是找不到图像,或者GitLab中的docker环境有问题。

代码语言:javascript
复制
   Where is the `docker image (testdock)` stored?

这是我用来让Trivy扫描testdock镜像的命令:

代码语言:javascript
复制
$ TRIVY_INSECURE=true trivy --skip-update --output "$CI_PROJECT_DIR/scanning-report.json"  $CI_REGISTRY_IMAGE:latest

yml:

代码语言:javascript
复制
build:
  stage: build
  image: $CI_REGISTRY/devops/docker:latest
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
  #  - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build -t $FULL_IMAGE_NAME  .
   # - docker push $CI_REGISTRY_IMAGE:latest

security_scan:
  stage: test
  image: 
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
    entrypoint: [""]
  services:
    - $CI_REGISTRY/devops/docker:dind-nx1.0
  #tags:
   # - docker
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
  #  GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - git config --global http.sslVerify false
    - git clone $CI_REPOSITORY_URL
    - echo "the project directory is - $CI_PROJECT_DIR"
    - echo "the CI_REGISTRY_IMAGE variable is - $CI_REGISTRY_IMAGE"
    - echo "the full image name is - $FULL_IMAGE_NAME"
    - ls -la
    - trivy -h | grep cache
    - mkdir -p /root/.cache/trivy/db
    - ls -la
    - cp "eval-trivy-2/trivy-offline.db.tgz" "/root/.cache/trivy/db"
    - cd /root/.cache/trivy/db
    - tar xvf trivy-offline.db.tgz
    - ls -la
  script:
    - trivy --version
    - time trivy image --clear-cache
    # running 1 hr and stopped.
    #- TRIVY_INSECURE=true trivy --skip-update $CI_REGISTRY_IMAGE:latest
    #- TRIVY_INSECURE=true trivy --skip-update -f json -o scanning-report.json $CI_REGISTRY/devops/aquasec/trivy:0.16.0
    - TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json" $FULL_IMAGE_NAME
    #keep loading by using testdock:latest
    #- TRIVY_INSECURE=true trivy --skip-update -o "$CI_PROJECT_DIR/scanning-report.json"  testdock:latest
   # - TRIVY_INSECURE=true trivy --skip-update --exit-code 1 --severity CRITICAL $CI_REGISTRY/devops/aquasec/trivy:0.16.0
  artifacts:
    when:                          always
    reports:
      container_scanning:          scanning-report.json
docker
gitlab-ci
trivy
EN

回答 2

Stack Overflow用户

发布于 2021-10-21 06:07:50

所有作业都是独立运行的。因此,只要您不专门告诉作业使用artifacts指令将其传递到下一个作业,jobA通常就不知道jobB生成了什么。

在你的例子中,你是在你的工作中建立你的形象,但如果你不推动它-它将就像任何丢弃的数据一样,在下一阶段丢失。最简单的方法是将其推送到docker注册表,并从那里使用它。例如:一种常见的做法是用提交SHA而不是最新的来标记它。这样你就可以确保你总是找到正确的图像。

票数 1
EN

Stack Overflow用户

发布于 2021-10-21 08:50:14

最后的gitlan-ci.yml现在运行得很好:

代码语言:javascript
复制
variables:
  # Tell docker CLI how to talk to Docker daemon.
  DOCKER_HOST: tcp://localhost:2375/
  # Use the overlayfs driver for improved performance.
  DOCKER_DRIVER: overlay2
  # Disable TLS since we're running inside local network.
  DOCKER_TLS_CERTDIR: ""


services:
  - $CI_REGISTRY/devops/docker:dind-nx1.0

stages:
  - build
  - test

#include:
  # Trivy integration with GitLab Container Scanning
 # - remote: "https://github.com/aquasecurity/trivy/raw/master/contrib/Trivy.gitlab-ci.yml"

build:
  image: $CI_REGISTRY/devops/docker:latest
  stage: build
  variables:
    IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  script:
    - docker info
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - docker build -t $IMAGE .
    - docker tag $IMAGE $CI_REGISTRY/$IMAGE
    - docker push $CI_REGISTRY/$IMAGE 

Trivy_container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  variables:
    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
    # for details
    GIT_STRATEGY: none
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
    - trivy image --reset
    - git config --global http.sslVerify false
    - git clone $CI_REPOSITORY_URL
    - echo "the project directory is - $CI_PROJECT_DIR"
    - echo "the registry image is - $CI_REGISTRY_IMAGE"
    - ls -la
    - trivy -h | grep cache
    - mkdir -p /root/.cache/trivy/db
    - ls -la
    - cp "eval-trivy-4/trivy-offline.db.tgz" "/root/.cache/trivy/db"
    - cd /root/.cache/trivy/db
    - tar xvf trivy-offline.db.tgz
    - ls -la
    #- export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    #- apk add --no-cache curl docker-cli
    #- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    #- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
    #- curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
  script:
    - TRIVY_INSECURE=true trivy image --skip-update -f json -o "$CI_PROJECT_DIR/gl-container-scanning-report.json" $CI_REGISTRY/$IMAGE
  #unable to write results: failed to initialize template writer: error retrieving template from path: open /tmp/trivy-gitlab.tpl: no such file or directory
   # - TRIVY_INSECURE=true trivy image --skip-update --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY/$IMAGE
    #scan error
    #- trivy --skip-update --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY/$IMAGE
    #- trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
 # cache:
  #  paths:
 #     - .trivycache/
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

针对我的环境进行参考和修改

代码语言:javascript
复制
https://gitlab.com/aquasecurity/trivy-ci-test/-/blob/master/.gitlab-ci.yml
票数 0
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/69655985

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档