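#!/bin/bash
set -euo pipefail

# secure_pip_setup.sh - Idempotent setup for ephemeral Podman-in-Podman container
#
# This script creates a PiP container for CI operations with no network exposure.
#
# Requires:  XDG_RUNTIME_DIR  (the socket directory is created under it)
# Optional:  PODMAN_IMAGE     (override the PiP image; see default below)
#
# Security notes:
#   * A Podman API socket is equivalent to full control of the Podman instance
#     serving it (root-equivalent when Podman is rootful). The host-side
#     service started below is therefore stopped again as soon as the PiP
#     container is up, and an EXIT trap stops it on every failure path too,
#     so the socket is never left listening unattended.
#   * The container gets no network, no capabilities, no-new-privileges and a
#     read-only rootfs; its only writable paths are two size-bounded tmpfs
#     mounts.

# Configuration
PIP_CONTAINER_NAME="ci-pip"
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set (per-user runtime dir that holds the socket)}"
SOCKET_DIR="${XDG_RUNTIME_DIR}/podman-host"
SOCKET_PATH="${SOCKET_DIR}/podman.sock"
# NOTE(review): a floating ':latest' tag is a supply-chain risk for CI — pin to
# a vetted digest (image@sha256:...) once one is chosen. Overridable via env.
PODMAN_IMAGE="${PODMAN_IMAGE:-quay.io/podman/stable:latest}"
# Upper bounds (seconds) for the readiness polls below.
SOCKET_WAIT_SECS=10
CONTAINER_WAIT_SECS=15

# PID of the background host-side `podman system service`; empty once stopped.
HOST_PODMAN_PID=""

#######################################
# Stop the host-side Podman API service if it is still running.
# Globals:  HOST_PODMAN_PID (read, then cleared)
# Why: with `set -e`, any failing command after the service is started (for
# example an image pull failure inside `podman run`) would otherwise exit the
# script and leave a live API socket behind. Registered as the EXIT trap.
#######################################
cleanup_host_service() {
  if [[ -n "${HOST_PODMAN_PID}" ]]; then
    kill "${HOST_PODMAN_PID}" 2>/dev/null || true
    wait "${HOST_PODMAN_PID}" 2>/dev/null || true   # reap; ignore its exit status
    HOST_PODMAN_PID=""
  fi
}
trap cleanup_host_service EXIT

# Clean up any existing container and socket
echo "🧹 Cleaning up any existing PiP container and socket..."
podman rm -f "${PIP_CONTAINER_NAME}" 2>/dev/null || true   # best effort: may not exist
rm -f -- "${SOCKET_PATH}"
rm -rf -- "${SOCKET_DIR:?}"   # ':?' refuses to run rm -rf with an empty path

# Create secure socket directory (0700: only this user can traverse to the socket)
echo "📁 Creating secure socket directory..."
mkdir -p -- "${SOCKET_DIR}"
chmod 700 "${SOCKET_DIR}"

# Start host Podman service on UNIX socket (background)
echo "🔧 Starting host Podman service on UNIX socket..."
podman system service --time=0 "unix://${SOCKET_PATH}" &
HOST_PODMAN_PID=$!

# Verify socket was created. Poll with a bound instead of a fixed sleep so a
# slow host does not fail spuriously and a fast one does not wait needlessly.
waited=0
until [[ -S "${SOCKET_PATH}" ]]; do
  if (( waited >= SOCKET_WAIT_SECS )); then
    echo "❌ ERROR: Podman socket not created at ${SOCKET_PATH}" >&2
    exit 1   # EXIT trap stops the host service
  fi
  sleep 1
  waited=$((waited + 1))
done

# Set secure permissions on socket.
# On the host, the 0700 parent directory is what actually keeps other users
# (group members included) away from the socket; only the socket file itself
# is mounted into the container, so the directory mode does not apply there.
echo "🔒 Setting secure socket permissions..."
chmod 660 "${SOCKET_PATH}"

# Create ephemeral PiP container with maximum security
# NOTE(review): the socket mount carries no SELinux relabel option (:z/:Z);
# on an enforcing SELinux host the container may be denied access — confirm
# on the target runners.
# NOTE(review): the in-container service is asked to listen on the very path
# that is a bind-mount of the host socket file; confirm it can actually bind
# there (a file bind-mount cannot be unlinked/replaced from inside the
# container). Mounting the directory instead of the file may be required.
echo "🐳 Creating secure PiP container..."
podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
  -v "${SOCKET_PATH}:/var/run/podman.sock" \
  "${PODMAN_IMAGE}" \
  podman system service --time=0 unix:///var/run/podman.sock

# Wait for container to start: poll the state, fail fast on a terminal state,
# and give up after CONTAINER_WAIT_SECS.
echo "⏳ Waiting for PiP container to start..."
waited=0
while :; do
  status="$(podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' 2>/dev/null || true)"
  case "${status}" in
    running)
      break
      ;;
    exited|stopped|dead)
      echo "❌ ERROR: PiP container failed to start" >&2
      podman logs "${PIP_CONTAINER_NAME}" || true
      exit 1
      ;;
  esac
  if (( waited >= CONTAINER_WAIT_SECS )); then
    echo "❌ ERROR: PiP container failed to start" >&2
    podman logs "${PIP_CONTAINER_NAME}" || true
    exit 1
  fi
  sleep 1
  waited=$((waited + 1))
done

# Stop the background host service (PiP container now handles requests)
echo "🔄 Switching to PiP container for Podman operations..."
cleanup_host_service

# Test PiP connectivity
# NOTE(review): `podman version` here exercises the CLI inside the container;
# it is not clear from this script that it goes through the API socket the
# CI jobs will use. If the socket is the consumer-facing interface, consider
# probing it explicitly (e.g. with --remote --url unix:///var/run/podman.sock).
echo "✅ Testing PiP connectivity..."
if ! podman exec "${PIP_CONTAINER_NAME}" podman version >/dev/null 2>&1; then
  echo "❌ ERROR: PiP container not responding to Podman commands" >&2
  podman logs "${PIP_CONTAINER_NAME}" || true
  exit 1
fi

echo "🎉 Secure PiP container setup complete!"
echo " Container: ${PIP_CONTAINER_NAME}"
echo " Socket: ${SOCKET_PATH}"
echo " Security: No network, no capabilities, read-only rootfs"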