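#!/bin/bash
set -euo pipefail

# secure_pip_setup.sh - Secure PiP client container setup
#
# Starts a rootless `podman system service` on a per-run UNIX socket, then
# creates an ephemeral, hardened "Podman-in-Podman" (PiP) client container that
# reaches the host service through a bind-mounted socket. No daemon runs inside
# the container; it is a client only (its only process is `sleep infinity`).
#
# Environment (all optional, with fallbacks):
#   GITHUB_RUN_ID        per-run identifier used in the container name and the
#                        socket directory (default "local")
#   XDG_RUNTIME_DIR      parent of the per-run socket directory
#                        (default /run/user/<uid>)
#   GITHUB_WORKSPACE     host directory bind-mounted read/write at /workspace
#                        (default $PWD)
#   SOCKET_WAIT_SECS     seconds to wait for the host socket (default 15)
#   CONTAINER_WAIT_SECS  seconds to wait for the container to run (default 30)
#
# SECURITY NOTE: --cap-drop=ALL, --read-only, --network=none and
# no-new-privileges harden the client *process*, but the bind-mounted socket
# hands that process the full host Podman API. Anything executed inside the PiP
# container can ask the host service to start arbitrary containers — including
# privileged ones with host bind mounts — as the runner user. Treat code run in
# this container as having the runner user's privileges on the host; the
# hardening above is not a sandbox boundary against the socket.
#
# Exit status: 0 on success (the host service is left running for the rest of
# the job; the cleanup job stops it). Non-zero if the run id is malformed, the
# socket never appears, or the container does not reach "running"; on those
# paths the host service started here is stopped again.

# --- Configuration -----------------------------------------------------------
RUN_ID="${GITHUB_RUN_ID:-local}"

# RUN_ID is spliced into a path that is later `rm -rf`ed and into a container
# name, so refuse anything beyond a plain token even though GitHub normally
# supplies a numeric id. `..` and `/` are deliberately excluded.
if [[ ! "${RUN_ID}" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "❌ ERROR: invalid run id '${RUN_ID}' (expected [A-Za-z0-9_-]+)" >&2
  exit 1
fi

PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
SOCKET_PATH="${SOCKET_DIR}/podman.sock"
# TODO(review): this digest is a placeholder, not a real quay.io/podman/stable
# digest — `podman pull` will fail until it is replaced. Pin to the digest of
# the exact image that was reviewed; do not fall back to a mutable tag.
PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
SOCKET_WAIT_SECS="${SOCKET_WAIT_SECS:-15}"
CONTAINER_WAIT_SECS="${CONTAINER_WAIT_SECS:-30}"

if [[ ! -d "${WORKSPACE}" ]]; then
  # `-v` would otherwise silently create the missing host path as a new dir.
  echo "❌ ERROR: workspace directory does not exist: ${WORKSPACE}" >&2
  exit 1
fi

# --- Failure cleanup ---------------------------------------------------------
HOST_PODMAN_PID=""
SETUP_OK=0

# If anything fails after the host service has been started, stop it again so a
# half-initialised service is not left listening on the socket. On success the
# service must keep running (SETUP_OK=1), so this trap is a no-op then.
on_exit() {
  local rc=$?
  if (( SETUP_OK == 0 )) && [[ -n "${HOST_PODMAN_PID}" ]]; then
    kill "${HOST_PODMAN_PID}" 2>/dev/null || true
  fi
  exit "${rc}"
}
trap on_exit EXIT

# --- Remove stale state from a previous attempt of this run -------------------
echo "🧹 Cleaning up any existing PiP container and socket for run ${RUN_ID}..."
# Best-effort: the container usually does not exist.
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true

# Stop only a leftover service bound to *this run's* socket; other runs on the
# same runner keep theirs. -u restricts the search to our own processes and
# -F matches the socket path literally (it contains regex metacharacters).
mapfile -t stale_pids < <(
  pgrep -u "$(id -u)" -fa 'podman system service' \
    | grep -F -- "unix://${SOCKET_PATH}" \
    | awk '{print $1}'
)
if (( ${#stale_pids[@]} > 0 )); then
  echo "🛑 Stopping existing host service for this socket..."
  kill "${stale_pids[@]}" 2>/dev/null || true
fi

# Recreate the per-run socket directory from scratch. `:?` aborts instead of
# expanding to `rm -rf /podman-host-...` should SOCKET_DIR ever be empty.
rm -rf -- "${SOCKET_DIR:?}"

echo "📁 Creating per-run socket directory..."
# -m sets the mode at creation; a separate chmod would leave a window in which
# the default umask applies.
mkdir -m 700 -p "${SOCKET_DIR}"
# Refuse to proceed if the path is not a plain directory we own (e.g. a symlink
# planted by another process under a shared runtime dir).
if [[ -L "${SOCKET_DIR}" || ! -d "${SOCKET_DIR}" || ! -O "${SOCKET_DIR}" ]]; then
  echo "❌ ERROR: ${SOCKET_DIR} is not a directory owned by $(id -un)" >&2
  exit 1
fi
chmod 700 "${SOCKET_DIR}"

# --- Host Podman API service -------------------------------------------------
echo "🔧 Starting host Podman service on UNIX socket..."
# --time=0 disables the idle timeout; the service lives until cleanup kills it.
# NOTE(review): confirm the CI runner keeps this background process alive
# across job steps; if it reaps step children, the service needs detaching.
podman system service --time=0 "unix://${SOCKET_PATH}" &
HOST_PODMAN_PID=$!

# Poll for the socket instead of a fixed sleep: a slow runner would otherwise
# fail spuriously and a fast one wastes time. Bail out early if the service
# process has already died (e.g. address in use).
deadline=$(( SECONDS + SOCKET_WAIT_SECS ))
until [[ -S "${SOCKET_PATH}" ]]; do
  if ! kill -0 "${HOST_PODMAN_PID}" 2>/dev/null; then
    echo "❌ ERROR: host Podman service exited before creating ${SOCKET_PATH}" >&2
    exit 1
  fi
  if (( SECONDS >= deadline )); then
    echo "❌ ERROR: Podman socket not created at ${SOCKET_PATH}" >&2
    exit 1
  fi
  sleep 0.2
done

echo "🔒 Setting secure socket permissions..."
# Owner-only. The directory is already 0700, so group access to the socket was
# unreachable anyway; 0600 makes the intent explicit. Assumes the client runs
# as container root, which rootless Podman maps to this host uid — confirm if
# the image's USER is ever changed.
chmod 600 "${SOCKET_PATH}"

# --- Ephemeral PiP client container ------------------------------------------
# Client only: no inner daemon, no network, no capabilities, read-only rootfs,
# writable tmpfs for /run and /tmp, host socket and workspace bind-mounted.
echo "🐳 Creating secure PiP client container with workspace mount..."
podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
  -v "${SOCKET_PATH}:/var/run/podman.sock" \
  -v "${WORKSPACE}:/workspace:rw" \
  -e CONTAINER_HOST="unix:///var/run/podman.sock" \
  "${PODMAN_IMAGE}" \
  sleep infinity

echo "⏳ Waiting for PiP container to start..."
# Poll the container state rather than sleeping a fixed 3s; give up early if
# the container has already exited, since it will never become "running".
deadline=$(( SECONDS + CONTAINER_WAIT_SECS ))
state=""
while :; do
  state="$(podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' 2>/dev/null || true)"
  if [[ "${state}" == "running" ]]; then
    break
  fi
  if [[ "${state}" == "exited" || "${state}" == "stopped" ]] || (( SECONDS >= deadline )); then
    echo "❌ ERROR: PiP container failed to start" >&2
    echo "   last observed state: ${state:-unknown}" >&2
    podman logs "${PIP_CONTAINER_NAME}" || true
    exit 1
  fi
  sleep 0.5
done

# Record the service PID so the cleanup job can stop exactly this service
# without pattern-matching process lists. The directory is 0700.
printf '%s\n' "${HOST_PODMAN_PID}" > "${SOCKET_DIR}/service.pid"

# From here on the EXIT trap must leave the host service running.
SETUP_OK=1
echo "🎉 Secure PiP client container setup complete!"
echo "  Container: ${PIP_CONTAINER_NAME}"
echo "  Socket: ${SOCKET_PATH}"
echo "  Service PID: ${HOST_PODMAN_PID}"
echo "  Workspace: ${WORKSPACE} → /workspace"
echo "  Security: No network, no capabilities, read-only rootfs, client-only"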