gitlab container scanner can't install aws-cli
In the gitlab CI docs (https://docs.gitlab.com/ee/user/application_security/container_scanning/) it says you can scan ECR with the following:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip awscliv2.zip
    - ./aws/install
    - aws --version
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
  variables:   # the DOCKER_* keys belong under variables; this nesting was lost in the copy above
    DOCKER_IMAGE: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
    DOCKER_USER: AWS
    DOCKER_PASSWORD: "$AWS_ECR_PASSWORD"
When I add the "before_script", I get the following:
inflating: aws/dist/cryptography-3.3.2-py3.9.egg-info/LICENSE
inflating: aws/dist/cryptography-3.3.2-py3.9.egg-info/WHEEL
creating: aws/dist/cryptography/hazmat/
creating: aws/dist/cryptography/hazmat/bindings/
inflating: aws/dist/cryptography/hazmat/bindings/_openssl.abi3.so
$ ./aws/install
mkdir: cannot create directory ‘/usr/local/aws-cli’: Permission denied
Uploading artifacts for failed job
00:00
Uploading artifacts...
WARNING: gl-container-scanning-report.json: no matching files
It looks like a permissions problem. Is there another way to get this working? Thanks!
The container_scanning job (by default) uses the docker image registry.gitlab.com/security-products/container-scanning:4. You can also see that this image sets its user to gitlab, which tells me that, unlike most images you traditionally use, the user in this image does not have root privileges by default. So that user will not have permission to write to /usr/local/.

You can use sudo to get around this:

- sudo ./aws/install

(or, as you noted, you can direct the install to another location that does not require elevated write permissions using the installer's -i and -b flags).
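As an added example (not code from the question, the answer, or GitLab's template), here is the answer's second option as a POSIX shell script: pick an install prefix the unprivileged gitlab user can actually write to, then hand it to the AWS CLI v2 installer with -i and -b instead of letting it default to /usr/local/aws-cli. The bundle is assumed to have been unzipped into ./aws as in the question, and the per-user paths under $HOME/.local are this example's choice, not anything the page prescribes.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, or GitLab's template.
# Shows the answer's second option: install the AWS CLI v2 bundle with the
# installer's -i/-b flags into a prefix the unprivileged `gitlab` user can
# write to, rather than the default /usr/local/aws-cli, which needs root.
# Assumptions (this example's own, not from the page): the bundle has been
# unzipped into ./aws as in the question, and $HOME is writable in the job.
set -e

# Print the install prefix to use: the requested default when this user can
# write to it (or create it under a writable parent), otherwise the fallback.
aws_install_dir() {
  default="$1"
  fallback="$2"
  parent=$(dirname "$default")
  if [ -d "$default" ] && [ -w "$default" ]; then
    printf '%s\n' "$default"
  elif [ ! -e "$default" ] && [ -d "$parent" ] && [ -w "$parent" ]; then
    printf '%s\n' "$default"
  else
    printf '%s\n' "$fallback"
  fi
}

# Directory that receives the `aws` symlink (the installer's -b argument):
# a `bin` sibling of the install prefix, so /usr/local/aws-cli -> /usr/local/bin
# and $HOME/.local/aws-cli -> $HOME/.local/bin.
aws_bin_dir() {
  printf '%s/bin\n' "$(dirname "$1")"
}

# Install from ./aws without sudo. Not invoked at load time because it needs
# the unzipped bundle; call it from before_script.
install_awscli() {
  prefix=$(aws_install_dir /usr/local/aws-cli "$HOME/.local/aws-cli")
  bindir=$(aws_bin_dir "$prefix")
  mkdir -p "$bindir"
  # -i: where the CLI files go; -b: where the `aws` symlink goes.
  ./aws/install -i "$prefix" -b "$bindir"
  PATH="$bindir:$PATH"
  export PATH
  aws --version
}

# Offline demo against a scratch directory (no bundle needed): a writable
# parent keeps the default; a missing parent falls back to the per-user path.
scratch=$(mktemp -d)
aws_install_dir "$scratch/aws-cli"      "$scratch/home/aws-cli"   # -> $scratch/aws-cli
aws_install_dir "$scratch/nope/aws-cli" "$scratch/home/aws-cli"   # -> $scratch/home/aws-cli
aws_bin_dir "$scratch/home/aws-cli"                               # -> $scratch/home/bin
rm -rf "$scratch"
```

In the job you would source this file (the name is up to you) and run install_awscli in before_script ahead of the aws ecr get-login-password step, which then finds aws on PATH. Two things the page's snippet leaves out that are worth adding in a real pipeline: the zip is fetched with no integrity check, and AWS publishes a detached PGP signature for the same bundle at the same URL with a .sig suffix that the job can verify before unzipping; and whichever option you pick, the install only needs to be writable by the user running the scan, so reaching for sudo inside the scanner image is a wider grant than the task requires.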