qemu-devel

Re: [PATCH v2 4/8] run-coverity-scan: use docker.py


From: Peter Maydell
Subject: Re: [PATCH v2 4/8] run-coverity-scan: use docker.py
Date: Thu, 21 May 2020 13:55:44 +0100

On Thu, 21 May 2020 at 13:45, Paolo Bonzini <address@hidden> wrote:
>
> Our trusted docker wrapper allows run-coverity-scan to run with both
> docker and podman.
>
> For the "run" phase this is transparent; for the "build" phase however
> scripts are replaced with a bind mount (-v).  This is not an issue
> because the secret option is meant for secrets stored globally in the
> system and bind mounts are a valid substitute for secrets that are known
> to whoever builds the container.
>
> Signed-off-by: Paolo Bonzini <address@hidden>
> ---
>  scripts/coverity-scan/coverity-scan.docker |  2 +-
>  scripts/coverity-scan/run-coverity-scan    | 32 ++++++++++++++--------
>  2 files changed, 22 insertions(+), 12 deletions(-)

> @@ -300,12 +312,10 @@ if [ "$DOCKER" = yes ]; then
>      # TODO: This re-downloads the tools every time, rather than
>      # caching and reusing the image produced with the downloaded tools.
>      # Not sure why.
> -    # TODO: how do you get 'docker build' to print the output of the
> -    # commands it is running to its stdout? This would be useful for debug.
> -    DOCKER_BUILDKIT=1 docker build -t coverity-scanner \
> -                   --secret id=coverity.token,src="$SECRET" \
> -                   -f scripts/coverity-scan/coverity-scan.docker \
> -                   scripts/coverity-scan
> +    tests/docker/docker.py --engine ${DOCKER_ENGINE} build \
> +                   -t coverity-scanner -f 
> scripts/coverity-scan/coverity-scan.docker \
> +                   -v "$SECRETDIR:/work" \
> +                   --extra-files scripts/coverity-scan/run-coverity-scan
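Review bot: the removed `--secret id=coverity.token,src="$SECRET"` handed the build exactly one file, and BuildKit secrets are not written into image layers; the replacement `-v "$SECRETDIR:/work"` bind-mounts the whole secrets directory into the build, so anything the Dockerfile reads from /work at build time can end up persisted in a layer of the coverity-scanner image. Worth confirming in coverity-scan.docker (changed in this patch but not quoted here) that nothing under /work is copied into the image, and noting in the script that $SECRETDIR should hold only the token. Separately, `--engine ${DOCKER_ENGINE}` is unquoted: if DOCKER_ENGINE is ever empty, the expansion collapses to `--engine build` and the subcommand is swallowed as the engine name, so quote it or only emit the option when the variable is set.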

Generally this script uses a "./" prefix for invoking scripts
that are within the current directory...

>      echo "Archiving sources to be analyzed..."
>      ./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"

...as for instance here. It would be nice to follow that convention.

>      if [ "$DRYRUN" = yes ]; then
> @@ -323,7 +333,7 @@ if [ "$DOCKER" = yes ]; then
>      # Arrange for this docker run to get access to the sources with -v.
>      # We pass through all the configuration from the outer script to the 
> inner.
>      export COVERITY_EMAIL COVERITY_BUILD_CMD
> -    docker run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
> +    tests/docker/docker.py run -it --env COVERITY_EMAIL --env 
> COVERITY_BUILD_CMD \
>             -v "$SECRETDIR:/work" coverity-scanner \
>             ./run-coverity-scan --version "$VERSION" \
>             --description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \
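Review bot: this `run` invocation omits the `--engine ${DOCKER_ENGINE}` argument that the build invocation in the previous hunk passes, so unless docker.py picks the engine up from elsewhere, an image built with podman is then looked up by `docker.py run` under whatever engine docker.py defaults to, and the run step fails to find coverity-scanner. Pass the same `--engine "$DOCKER_ENGINE"` here so build and run are guaranteed to use one engine.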

Ditto.

otherwise

Reviewed-by: Peter Maydell <address@hidden>

thanks
-- PMM


