Use task-runner container for migrations job
Summary
The migrations job currently uses the `gitlab-rails` container for running migrations. The problem here is that the `gitlab-rails` container is used as a base container for others like `task-runner`, `unicorn`, `sidekiq`, and as a result can't have certain Docker defaults like `USER` set.
For the Helm charts, we are explicitly overriding the `securityContext`, so this isn't an issue for the chart, but it does make the image different from the rest of our final images, and it raises concerns for users who run security scans on the images in use.
I propose we just switch any jobs using the `gitlab-rails` image to use the `task-runner` image. The `task-runner` image already has `USER` set, is set up to work with the same Rails config, and doesn't run any services by default.
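The scanner finding behind this proposal is an image whose `USER` is unset (so it starts as uid 0). The following is an added example, not part of this issue or the chart: it audits the `Config.User` field as reported by `docker inspect` and flags images that would run as root. The inspect records and the user values are constructed for illustration and do not reflect the real images' settings.

```python
import json

# Constructed sample of `docker inspect` output for three images.
# The tags and Config.User values are illustrative assumptions only.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["gitlab-rails:example"], "Config": {"User": ""}},
    {"RepoTags": ["task-runner:example"], "Config": {"User": "1000:1000"}},
    {"RepoTags": ["legacy:example"], "Config": {"User": "root"}},
])

# Named users that map to uid 0 without consulting the image's /etc/passwd.
ROOT_NAMES = {"root"}


def runs_as_root(user_field):
    """Return True if the image's USER directive leaves the container on uid 0.

    Docker treats an empty or missing USER as root. A "uid[:gid]" form is
    checked numerically; a named user is only recognised as root if it is a
    well-known root alias, since resolving other names needs the image's
    /etc/passwd.
    """
    user = (user_field or "").strip()
    if not user:
        return True
    uid = user.split(":", 1)[0]
    if uid.isdigit():
        return int(uid) == 0
    return uid in ROOT_NAMES


def audit_images(inspect_json):
    """Map each image tag in a `docker inspect` JSON array to a root verdict."""
    verdicts = {}
    for image in json.loads(inspect_json):
        tag = image.get("RepoTags") or ["<untagged>"]
        verdicts[tag[0]] = runs_as_root(image.get("Config", {}).get("User"))
    return verdicts


if __name__ == "__main__":
    for tag, is_root in audit_images(SAMPLE_INSPECT).items():
        print(f"{tag}: {'RUNS AS ROOT' if is_root else 'non-root'}")
```

On a real host, feed it `docker inspect <image>...` output instead of the constructed sample; a pod `securityContext` override can still mask a root default at runtime, which is exactly why the scanner result and the chart behaviour disagree.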
This was noticed during our submission of UBI8 hardened containers for dcssr security scanning, and is part of our work here: gitlab-org/distribution&4 (closed)