Jacamar CI v0.8.0

  • Release: v0.8.0

  • Date: 07/28/2021

Important

With this release we no longer require the usage of a patched runner. Instead you will need to use the official release, version 14.1+, for Jacamar CI to function correctly. Updating Jacamar CI will require a corresponding update of the runner to continue support.

Admin Changes

  • Function with official runner release (14.1+) via the JOB_RESPONSE_FILE providing full payload details (!211).

    • With the acceptance of MR 2912 we will no longer require or maintain any patches to the runner in order to use Jacamar CI as a custom executor.

  • Added configurable allowlist for CI pipeline sources, only valid with server versions 14.0+ (!208).

    • [auth]
      pipeline_source_allowlist = ["push", "web"]
      
    • Possible values: push, web, schedule, api, external, chat, webide, merge_request_event, external_pull_request_event, parent_pipeline, trigger, or pipeline. This list will change over time as the upstream GitLab server is modified.

  • Optional RunAs environment configuration supplied to validation script (!209).

    • [auth.runas]
      validation_env = ["HELLO=WORLD"]
      
  • Configurable job messaging during prepare_exec stage (!216).

    • [general]
      job_message = """
      ****************************************************************************
                            NOTICE TO USERS
      
      This is an example message ....
      ****************************************************************************
      """
    
  • Align several logging keys in Jacamar CI with those found in the runner (!218).

    • From now on job (previously jobID), runner (previously runner-short), and stage (previously ci-stage) will match terminology used in the runner’s system logging.

  • Check for capabilities and permissions on the jacamar-auth binary that would present issues if found in test environments (!229).

    • These changes require that, if capabilities are found, the binary is protected with 700 permissions and no inheritable set is defined.

    • With errors unobfuscated:

      Running with gitlab-runner 14.1.0 (8925d9a0)
      on Jacamar CI Cap Testing MHtBUsfB
      Preparing the "custom" executor 00:09
      Error encountered during job: binary capabilities detected, ensure all group/world file permissions removed from Jacamar-Auth
      WARNING: Cleanup script failed: exit status 2
      ERROR: Preparation failed: exit status 2
      
  • Error printed if jacamar-auth launched using invalid runner version (!225).

    • /opt/jacamar/bin is now 755 and we rely on administrators to manage both ownership/permissions if required for the standard RPM deployment.

  • Allow setgid bits found in directory permissions (!223).

    • In previous deployments jacamar would fail if the base directory found was drwx-S----.

  • Relaxed RPM permissions and new runner capabilities RPM for requesting deployments (!221).

  • Minimally re-packaged GitLab-Runner RPM with single binary (!234).
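
The capability and permission check on the jacamar-auth binary described above (!229), sketched as an added example; this is not Jacamar CI's own code. The function names and the reading of "700 permissions" as "no group/world bits" are assumptions, and the sample xattr bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io/fs"
)

const revMask, rev1, rev2, rev3 = 0xFF000000, 0x01000000, 0x02000000, 0x03000000 // linux/capability.h

// inheritable parses a raw security.capability xattr (vfs_cap_data):
// a little-endian magic word, then {permitted, inheritable} 32-bit pairs.
func inheritable(x []byte) (uint64, error) {
	if len(x) < 12 { // magic word plus one pair
		return 0, errors.New("capability xattr too short")
	}
	var high uint64
	switch binary.LittleEndian.Uint32(x) & revMask {
	case rev1: // 32 capability bits, one pair
	case rev2, rev3: // 64 capability bits, two pairs
		if len(x) < 20 {
			return 0, errors.New("capability xattr truncated")
		}
		high = uint64(binary.LittleEndian.Uint32(x[16:])) << 32
	default:
		return 0, errors.New("unknown capability revision")
	}
	return high | uint64(binary.LittleEndian.Uint32(x[8:])), nil
}

// checkBinary (hypothetical name) applies the rule described in the notes.
func checkBinary(mode fs.FileMode, x []byte) error {
	if len(x) == 0 {
		return nil // no file capabilities, nothing to enforce
	}
	inh, err := inheritable(x)
	if err == nil && mode.Perm()&0077 != 0 {
		err = errors.New("capabilities found with group/world permissions")
	} else if err == nil && inh != 0 {
		err = errors.New("capabilities found with an inheritable set")
	}
	return err
}

func main() {
	// Constructed xattr: revision 2, effective flag, permitted = setgid|setuid.
	x := []byte{1, 0, 0, 2, 0xC0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
	fmt.Println(checkBinary(0700, x), checkBinary(0755, x))
}
```

On a real host the xattr bytes would come from reading `security.capability` on the binary and the mode from a stat call; both are passed in here so the rule can be exercised offline.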

User Changes

  • Added prepare message to self-document key elements of the configuration that can affect CI jobs (!226).

Bug & Development Fixes

  • Added context to clean_exec errors to hint at likely cause of issues (!217).

  • Added mutex locking in appropriate command packages (!210).

  • New error logging messages added and removed config file debug (!220).

  • Validation used in JWT results (after signature/checksum) now uses number as opposed to numeric (!212).

  • Further simplified Authorized interface for the authuser package (!199).

  • Update to Go version 1.16.6 (!227).

  • Improve RPM release process for 14.1+ runners (!221).