CI/CD #19

Open
opened 2023-10-01 07:20:20 -04:00 by scott · 0 comments

Take a look at Woodpecker or Drone CI hosting.

Both require allowing access to the docker socket for the express purpose of spinning up arbitrary containers to test code in. This is an understandable dependency, but it means that we need to take great caution when setting up the infrastructure to ensure that

  • the system itself lies within an isolated virtual machine or VPS with its own instance of Docker running, isolated from the host system, and/or
  • we ensure that only trusted users (e.g., legal members of the cooperative) are allowed to run CI jobs.

Isolating the system in a VM may seem like an obvious choice, but that also comes with complications when it comes to network configuration and reverse-proxy configuration or DNS, etc.

scott added this to the Internal infrastructure project 2023-10-01 07:20:20 -04:00
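One way to verify the socket-access concern above on a running host, as an added example that is not part of this issue or the project's code: it parses the JSON that `docker inspect` prints and flags every container that bind-mounts the Docker socket or runs privileged, i.e. any container whose jobs effectively have root on the host. The field names follow the `docker inspect` output format; the sample input is constructed, not captured from a real host.

```python
"""Audit `docker inspect` output for containers that can reach the host
through the Docker socket or privileged mode.  Added example for the
CI/CD issue, not part of the TWS/meta tracker; the sample below is
constructed, not captured from any real host."""
import json
import subprocess

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_containers(inspect_json: str) -> list[dict]:
    """Return one finding per container that mounts the Docker socket or
    runs with --privileged.  Either gives code inside the container
    control of the host daemon, which is why a CI agent that needs the
    socket should live in its own VM or VPS with its own Docker."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Source") == DOCKER_SOCKET:
                reasons.append(f"mounts {DOCKER_SOCKET} at {m.get('Destination')}")
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("runs privileged")
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


def audit_live_host() -> list[dict]:
    """Run the audit against the local daemon (requires the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit_containers(out)


# Constructed sample: a CI agent with the socket mounted beside a plain web app.
SAMPLE = json.dumps([
    {"Name": "/ci-agent",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}],
     "HostConfig": {"Privileged": False}},
    {"Name": "/web", "Mounts": [], "HostConfig": {"Privileged": False}},
])

if __name__ == "__main__":
    for f in audit_containers(SAMPLE):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Run `audit_live_host()` on the candidate CI box; any hit outside the dedicated VM is a sign the isolation in the first bullet is not actually in place.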
Reference: TWS/meta#19