Proposal: add the global configuration to force to pull Docker image on every step

suzuki-shunsuke · August 2, 2019, 6:44am

If the private Docker image is pulled once on a server,
builds run on the same server can use the private image without authentication.

github.com

drone/drone-runtime/blob/v1.0.7/engine/docker/docker.go#L122-L134


	if step.Docker.PullPolicy == engine.PullAlways ||
		(step.Docker.PullPolicy == engine.PullDefault && latest) {
		// TODO(bradrydzewski) implement the PullDefault strategy to pull
		// the image if the tag is :latest
		rc, perr := e.client.ImagePull(ctx, step.Docker.Image, pullopts)
		if perr == nil {
			io.Copy(ioutil.Discard, rc)
			rc.Close()
		}
		if perr != nil {
			return perr
		}
	}

But in terms of security, it may be dangerous.
So I propose to add the configuration to force to pull Docker image on every step, which means every step can’t use the local image on Drone agent.

For example, add the environment variable “DRONE_IMAGE_PULL_ALWAYS”.
By default the environment variable is “false” but if the environment is “true”, on every step “pull” setting is ignored and Docker image is pulled.

I want to know your opinions about it.

Thank you.

suzuki-shunsuke · August 4, 2019, 1:17pm

I have implemented this feature.
In the implementation, if the environment variable “DRONE_IMAGE_PULL_ALWAYS” is true
the pull setting of every step and service are overwritten to “always”.
It works well.

suzuki-shunsuke · August 4, 2019, 1:58pm

This problem occurs in other platform such as CircleCI and k8s, so I’m interested in how those platform are dealing with this problem.
It may be useful for Drone too.