Re: [PATCH v2 4/8] run-coverity-scan: use docker.py

Thu, 21 May 2020 05:56:20 -0700 

On Thu, 21 May 2020 at 13:45, Paolo Bonzini <pbonz...@redhat.com> wrote:
>
> Our trusted docker wrapper allows run-coverity-scan to run with both
> docker and podman.
>
> For the "run" phase this is transparent; for the "build" phase however
> scripts are replaced with a bind mount (-v).  This is not an issue
> because the secret option is meant for secrets stored globally in the
> system and bind mounts are a valid substitute for secrets that are known
> to whoever builds the container.
>
> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
> ---
>  scripts/coverity-scan/coverity-scan.docker |  2 +-
>  scripts/coverity-scan/run-coverity-scan    | 32 ++++++++++++++--------
>  2 files changed, 22 insertions(+), 12 deletions(-)

> @@ -300,12 +312,10 @@ if [ "$DOCKER" = yes ]; then
>      # TODO: This re-downloads the tools every time, rather than
>      # caching and reusing the image produced with the downloaded tools.
>      # Not sure why.
> -    # TODO: how do you get 'docker build' to print the output of the
> -    # commands it is running to its stdout? This would be useful for debug.
> -    DOCKER_BUILDKIT=1 docker build -t coverity-scanner \
> -                   --secret id=coverity.token,src="$SECRET" \
> -                   -f scripts/coverity-scan/coverity-scan.docker \
> -                   scripts/coverity-scan
> +    tests/docker/docker.py --engine ${DOCKER_ENGINE} build \
> +                   -t coverity-scanner -f 
> scripts/coverity-scan/coverity-scan.docker \
> +                   -v "$SECRETDIR:/work" \
> +                   --extra-files scripts/coverity-scan/run-coverity-scan

Generally this script uses a "./" prefix for invoking scripts
that are within the current directory...

>      echo "Archiving sources to be analyzed..."
>      ./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"

...as for instance here. It would be nice to follow that convention.

>      if [ "$DRYRUN" = yes ]; then
> @@ -323,7 +333,7 @@ if [ "$DOCKER" = yes ]; then
>      # Arrange for this docker run to get access to the sources with -v.
>      # We pass through all the configuration from the outer script to the 
> inner.
>      export COVERITY_EMAIL COVERITY_BUILD_CMD
> -    docker run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
> +    tests/docker/docker.py run -it --env COVERITY_EMAIL --env 
> COVERITY_BUILD_CMD \
>             -v "$SECRETDIR:/work" coverity-scanner \
>             ./run-coverity-scan --version "$VERSION" \
>             --description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \

Ditto.

otherwise

Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

thanks
-- PMM

Reply via email to