
New Day 4 - CI & Composure

NewDays drag-spin-exp GitLab Docker SQL

You created a cannon that shoots t-shirts.

Exploring my second favourite deployment strategy.

Container Registry Time

Containers are awesome, but we don’t want to have to rebuild the images every time we want to run the server in a new place. We definitely want to keep that option, but placing the built images somewhere easily accessible will remove more deployment friction.

Note that this is another reason to move secrets from the build stage to the run stage: if nothing private is baked into the image, the image itself can be hosted somewhere fairly public. Two caveats. First, this image does carry test accounts in its baked-in database; if the same image is ever run in production, those accounts (and their passwords) ship with it and had better not be reachable there. Second, anyone who can pull a public image can see exactly which tools and which versions are inside, which matters as soon as any of them has a known vulnerability (the scan at the end of this post shows what that looks like).

Since we’re hosting on GitLab, we’ll take advantage of their container registry. Their docs point to Kaniko for building images inside CI: the job itself already runs in a container, and Kaniko builds and pushes an image without a Docker daemon, so there is no need for a privileged Docker-in-Docker runner.

First the Easy One

Our SQL Server container should be simple to build up in GitLab land:

.gitlab-ci.yml (only the build job is shown)

build:
  stage: build
  image:
    # Kaniko builds and pushes without a Docker daemon; the -debug tag includes
    # a shell, which the GitLab runner needs in order to run the script
    name: gcr.io/kaniko-project/executor:v1.9.0-debug
    entrypoint: [""]
  # CI_COMMIT_TAG is only set on tag pipelines; on a plain branch push the
  # destination ends in a bare ":" and Kaniko pushes the image as :latest
  script:
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"

and about ten minutes after a commit is pushed:

...
INFO[0539] Pushing image to registry.gitlab.com/301days/mssql-dragspinexp: 
INFO[0546] Pushed registry.gitlab.com/301days/mssql-dragspinexp@sha256:e7d0953eadaea376740ac8f3ca41a037b35d927b99187055bc282576f8b088e8 
Cleaning up project directory and file based variables
Job succeeded
Successfully posted a mssql-dragspinexp image

And now can we launch that image without building locally?

$ docker images -a
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE

$ docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

$ docker run -e 'ACCEPT_EULA=Y' -e SQLSERVR_SA_PASSWORD -p 1433:1433 --name sql \
 --net drag-spin-exp --pull missing -d registry.gitlab.com/301days/mssql-dragspinexp:latest
Unable to find image 'registry.gitlab.com/301days/mssql-dragspinexp:latest' locally
latest: Pulling from 301days/mssql-dragspinexp
c64da07494d4: Already exists 
c9150ca47089: Already exists 
a9a711ab60d1: Already exists 
95b78d1f5b3f: Pull complete 
09a59c7485e8: Pull complete 
0fcf48951133: Pull complete 
9a46164a0a56: Pull complete 
3f359d38f756: Pull complete 
78a8ef677efc: Pull complete 
0bfd7e662d87: Pull complete 
Digest: sha256:e7d0953eadaea376740ac8f3ca41a037b35d927b99187055bc282576f8b088e8
Status: Downloaded newer image for registry.gitlab.com/301days/mssql-dragspinexp:latest
bf776851317a84fdcf472548df711986f198418374219f9806a66c962e87256d

$ docker ps -a
CONTAINER ID   IMAGE                                                  COMMAND             CREATED         STATUS         PORTS                                       NAMES
bf776851317a   registry.gitlab.com/301days/mssql-dragspinexp:latest   "./entrypoint.sh"   6 seconds ago   Up 5 seconds   0.0.0.0:1433->1433/tcp, :::1433->1433/tcp   sql

That’s a yes. On a relatively speedy internet connection, pulling the image down took less than 10 seconds, versus the 4+ minutes it was taking me to build it.

One thing to notice in the job log above: the push goes to `registry.gitlab.com/301days/mssql-dragspinexp:` with nothing after the colon. `CI_COMMIT_TAG` is only populated when the pipeline runs for a git tag, so on an ordinary branch push the `--destination` ends in a bare `:` and Kaniko pushes under the default tag, `latest`. That is why `docker run ...:latest` finds the image, but it also means every push silently replaces `latest`. For anything beyond a dev box, pin what you run to the digest the job printed (`@sha256:e7d0…`) or add a second `--destination` tagged with `${CI_COMMIT_SHA}`.
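Since `latest` is rewritten by every pipeline, the thing worth checking on the run side is that the digest docker resolved the tag to is the digest the CI job just pushed, and then running by that digest instead of by tag. Here is an added example of that check (my code, not the post’s or the project’s), in Python. The two log excerpts are constructed from the lines shown above; the helper names and the `docker run` argv builder are mine, and the builder leaves the SA password in the caller’s environment exactly as the `-e SQLSERVR_SA_PASSWORD` form above does.

```python
import re
from typing import List, Optional

# Constructed from the lines this post shows: Kaniko's "Pushed" line from the
# CI job log, and the "Digest:" line docker prints when it pulls a tag.
KANIKO_LOG = """\
INFO[0539] Pushing image to registry.gitlab.com/301days/mssql-dragspinexp:
INFO[0546] Pushed registry.gitlab.com/301days/mssql-dragspinexp@sha256:e7d0953eadaea376740ac8f3ca41a037b35d927b99187055bc282576f8b088e8
"""

DOCKER_PULL_OUTPUT = """\
latest: Pulling from 301days/mssql-dragspinexp
Digest: sha256:e7d0953eadaea376740ac8f3ca41a037b35d927b99187055bc282576f8b088e8
Status: Downloaded newer image for registry.gitlab.com/301days/mssql-dragspinexp:latest
"""

DIGEST = r"sha256:[0-9a-f]{64}"


def digest_pushed_by_ci(kaniko_log: str, repo: str) -> Optional[str]:
    """Manifest digest Kaniko reports after pushing `repo` (hypothetical helper)."""
    m = re.search(r"Pushed " + re.escape(repo) + "@(" + DIGEST + ")", kaniko_log)
    return m.group(1) if m else None


def digest_pulled_by_docker(pull_output: str) -> Optional[str]:
    """Digest docker printed for the manifest it resolved the tag to."""
    m = re.search(r"^Digest: (" + DIGEST + ")$", pull_output, re.M)
    return m.group(1) if m else None


def pinned_reference(repo: str, kaniko_log: str, pull_output: str) -> Optional[str]:
    """repo@sha256:... when the pulled digest equals the CI-pushed one, else None.

    A tag such as :latest is mutable (every pipeline on this page overwrites it),
    so the run step should reference the digest CI actually produced.
    """
    pushed = digest_pushed_by_ci(kaniko_log, repo)
    pulled = digest_pulled_by_docker(pull_output)
    if pushed is None or pulled is None or pushed != pulled:
        return None
    return f"{repo}@{pushed}"


def docker_run_command(ref: str, name: str, network: str,
                       publish: Optional[str] = None) -> List[str]:
    """docker run argv pinned by digest; the SA password stays in the caller's env."""
    argv = ["docker", "run", "-d", "--name", name, "--net", network,
            "-e", "ACCEPT_EULA=Y", "-e", "SQLSERVR_SA_PASSWORD"]
    if publish:
        argv += ["-p", publish]
    argv.append(ref)
    return argv


if __name__ == "__main__":
    repo = "registry.gitlab.com/301days/mssql-dragspinexp"
    ref = pinned_reference(repo, KANIKO_LOG, DOCKER_PULL_OUTPUT)
    if ref is None:
        raise SystemExit("pulled digest does not match what CI pushed; not starting")
    print(" ".join(docker_run_command(ref, "sql", "drag-spin-exp", "1433:1433")))
```

Run it after `docker pull` with the real job log and pull output substituted for the constructed strings; a mismatch means the tag moved between the pipeline and your pull, which is exactly the case a mutable tag hides.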

And Now the Game Server

Is it just as easy to do the same with the game server? The exact same .gitlab-ci.yml delivers results.

Successfully posted a mssql-dragspinexp image
$ docker run -d -e SQLSERVR_SA_PASSWORD -e SQLSERVR_DB_NAME="minimal" --network drag-spin-exp \
 -p 3000:3000 --name gameserver --pull missing registry.gitlab.com/libipljoe/drag-spin-exp
Unable to find image 'registry.gitlab.com/libipljoe/drag-spin-exp:latest' locally
latest: Pulling from libipljoe/drag-spin-exp
99bf4787315b: Pull complete 
6d51b8f9e46c: Pull complete 
5cf40386a915: Pull complete 
4c6cc4af518e: Pull complete 
51ed37816707: Pull complete 
9df274d6e0bb: Pull complete 
7ab61b60f838: Pull complete 
Digest: sha256:bf3827fc8a921edd663302340c722747eab2cf47a529e7dabdc3629392d2c9ea
Status: Downloaded newer image for registry.gitlab.com/libipljoe/drag-spin-exp:latest
d1b5d219afa66373c0470f0b62067a98b7d428c5818639afcdb816bf5d3a980b

$ docker logs gameserver
06/01/2023 23:52:26: {SystemGo} Drag Spin Exp 2.0.99.19
> 06/01/2023 23:52:26: {SystemGo} Compiling scripts.
> 06/01/2023 23:52:26: {SystemGo} Compiled!
> 06/01/2023 23:52:26: {SystemGo} Added Facet: Agate
> 06/01/2023 23:52:26: {SystemGo} Added Land: Beginner's Game to Facet: Agate
> 06/01/2023 23:52:26: {SystemGo} Added Land: Underworld to Facet: Agate
> 06/01/2023 23:52:26: {SystemGo} Loaded Map: test01
> 06/01/2023 23:52:26: {SystemGo} Loaded Cell Info for test01...
> 06/01/2023 23:52:26: {SystemGo} Loaded Map: testunder
> 06/01/2023 23:52:26: {SystemGo} Loaded Cell Info for testunder...
> 06/01/2023 23:52:26: {SystemGo} Loaded SpawnZones (1)...
> 06/01/2023 23:52:26: {SystemGo} Clearing PC Location Data.
> 06/01/2023 23:52:26: {SystemGo} Loaded Spells (65) ... 
> 06/01/2023 23:52:26: {SystemGo} Clearing NPC Location Data.
> 06/01/2023 23:52:26: {SystemGo} Creating NPC Catalog.
> 06/01/2023 23:52:26: {SystemGo} Loaded NPCs (2)...
> 06/01/2023 23:52:26: {SystemGo} Spawning NPCs.
> 06/01/2023 23:52:26: {SystemGo} Restocked 0 store records.
> 06/01/2023 23:52:26: {SystemGo} Master round timer started.
> 06/01/2023 23:52:26: {SystemGo} Save timer started.
> 06/01/2023 23:52:26: {SystemGo} Janitor round timer started.
> 06/01/2023 23:52:26: {SystemGo} Chronology timer started.
> 06/01/2023 23:52:26: {SystemGo} Lunar cycle timer started.
> 06/01/2023 23:52:26: {SystemGo} Inactivity timer started.
> 06/01/2023 23:52:26: {SystemGo} Listening for connections on port 3000.
> Protocol Server listening to port 4000.
06/01/2023 23:52:26: {SystemGo} Starting main game loop.

Apparently it is indeed that easy. Time to try to put things together.

Composure

Another YAML file to feed to another tool.

docker-compose.yml

services:
  sql:
    image: registry.gitlab.com/301days/mssql-dragspinexp:latest
    # no ports here: only the game server, on the compose network, can reach SQL Server
    environment:
      ACCEPT_EULA: "Y"      # quoted; a bare Y is a boolean to YAML 1.1 parsers
      SQLSERVR_SA_PASSWORD: ${SQLSERVR_SA_PASSWORD}   # from the shell or a .env file, never from this file
  gameserver:
    image: registry.gitlab.com/libipljoe/drag-spin-exp:latest
    ports:
      - "3000:3000"         # quoted; YAML 1.1 can read a bare a:b as a base-60 number
    environment:
      SQLSERVR_SA_PASSWORD: ${SQLSERVR_SA_PASSWORD}
      SQLSERVR_DB_NAME: ${SQLSERVR_DB_NAME}

Comparing it to the separate command lines I was using to bring the containers up:

  • The network the containers share is created automatically, and each service is reachable by its service name, so the game server still finds the database at `sql` without a `--net` flag.
  • The images are pulled down from the registry if they are not already present locally.
  • I don’t have to remember to give both containers the same database password: both read it from the one `SQLSERVR_SA_PASSWORD` in my shell (or in a `.env` file next to the compose file).
  • The `sql` service publishes no ports, so unlike the `-p 1433:1433` in the docker run above, SQL Server is reachable only from the game server on the compose network, not from the host or the LAN.
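Compose fills an unset `${VAR}` with an empty string and only prints a warning, which for this file would mean an empty SA password handed to both containers. Here is an added pre-flight check (my code, not the post’s or the project’s) that refuses to continue until every variable the compose file references without a default is set and non-empty. It goes slightly beyond the file above: it also understands compose’s `$VAR`, `${VAR:-default}`, `${VAR-default}`, `${VAR:?msg}` and `$$` forms. The compose text is embedded as a constructed copy so the check runs offline; the function names are mine.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed copy of the compose file from this post, so the check runs offline.
COMPOSE_YML = """\
services:
  sql:
    image: registry.gitlab.com/301days/mssql-dragspinexp:latest
    environment:
      ACCEPT_EULA: "Y"
      SQLSERVR_SA_PASSWORD: ${SQLSERVR_SA_PASSWORD}
  gameserver:
    image: registry.gitlab.com/libipljoe/drag-spin-exp:latest
    ports:
      - "3000:3000"
    environment:
      SQLSERVR_SA_PASSWORD: ${SQLSERVR_SA_PASSWORD}
      SQLSERVR_DB_NAME: ${SQLSERVR_DB_NAME}
"""

# Compose interpolation forms: ${VAR}, $VAR, ${VAR:-default}, ${VAR-default},
# ${VAR:?msg}, ${VAR?msg}.  "$$" is a literal dollar sign and references nothing.
_REF = re.compile(
    r"\$(?:\$"
    r"|\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?P<op>:?[-?])?(?P<arg>[^}]*)\}"
    r"|(?P<bare>[A-Za-z_][A-Za-z0-9_]*))"
)


def required_variables(compose_text: str) -> List[str]:
    """Variable names the file needs from the environment, with no default to fall back on."""
    required: List[str] = []
    for m in _REF.finditer(compose_text):
        name = m.group("name") or m.group("bare")
        if name is None:                  # matched a "$$" literal
            continue
        if (m.group("op") or "") in ("-", ":-"):
            continue                      # has a default value: not required
        if name not in required:
            required.append(name)
    return required


def unset_variables(compose_text: str, env: Dict[str, str]) -> List[str]:
    """Required names that are missing or empty in env (an empty SA password is as bad as none)."""
    return [n for n in required_variables(compose_text) if not env.get(n)]


def preflight(compose_text: str, env: Optional[Dict[str, str]] = None) -> None:
    """Abort before `docker compose up` would start containers with blank settings."""
    missing = unset_variables(compose_text, dict(os.environ) if env is None else env)
    if missing:
        raise SystemExit("refusing to run: unset compose variables: " + ", ".join(missing))


if __name__ == "__main__":
    preflight(COMPOSE_YML)
    print("all compose variables set; safe to run docker compose up")
```

Wire it in as `python3 preflight.py && docker compose up -d`; the exit code is what stops the blank-password case, not the warning compose prints.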

But does it actually work?

From nothing, Docker Compose pulls down the images, brings up both containers, and I log in to pet a dog.

Indeed it does.

One More Thing

Another fun thing to use at GitLab is their container scanning job, which checks the pushed images against known-vulnerability databases. Due to the age of the components, both containers have plenty of known vulnerabilities. The package versions also tell you which base images you are dealing with: `~18.04.20` is Ubuntu 18.04, whose standard support ended in May 2023, and `deb10u6` is Debian 10. On an end-of-life base, package updates alone will not clear findings like the OpenSSL ones below; a newer base image will.

...
[container-scanning]  >  Scanning container from registry registry.gitlab.com/301days/mssql-dragspinexp: for vulnerabilities with severity level HIGH or higher, ...

+------------+--------------+--------------+---------------------------+------------------------------------------------------------------------+
|   STATUS   | CVE SEVERITY | PACKAGE NAME |      PACKAGE VERSION      |                            CVE DESCRIPTION                             |
+------------+--------------+--------------+---------------------------+------------------------------------------------------------------------+
| Unapproved |    High      | libssl1.0.0  |    1.0.2n-1ubuntu5.10     | There is a type confusion vulnerability relating to X.400 address proc |
|            |              |              |                           | essing inside an X.509 GeneralName. X.400 addresses were parsed as an  |
...
+------------+--------------+--------------+---------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |  libssl1.1   | 1.1.1-1ubuntu2.1~18.04.20 | There is a type confusion vulnerability relating to X.400 address proc |
|            |              |              |                           | essing inside an X.509 GeneralName. X.400 addresses were parsed as an  |
...
+------------+--------------+--------------+---------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |   openssl    | 1.1.1-1ubuntu2.1~18.04.20 | There is a type confusion vulnerability relating to X.400 address proc |
|            |              |              |                           | essing inside an X.509 GeneralName. X.400 addresses were parsed as an  |
...
...
[container-scanning]  >  Scanning container from registry registry.gitlab.com/libipljoe/drag-spin-exp: for vulnerabilities with severity level HIGH or higher, ...

+------------+--------------+-------------------+------------------------+------------------------------------------------------------------------+
|   STATUS   | CVE SEVERITY |   PACKAGE NAME    |    PACKAGE VERSION     |                            CVE DESCRIPTION                             |
+------------+--------------+-------------------+------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |       bash        |         5.0-4          | A flaw was found in the bash package, where a heap-buffer overflow can |
|            |              |                   |                        |  occur in valid parameter_transform. This issue may lead to memory pro |
|            |              |                   |                        |                                 blems.                                 |
+------------+--------------+-------------------+------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |       curl        |    7.64.0-4+deb10u6    | A path traversal vulnerability exists in curl <8.0.0 SFTP implementati |
|            |              |                   |                        | on causes the tilde (~) character to be wrongly replaced when used as  |
...
+------------+--------------+-------------------+------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |     e2fsprogs     |    1.44.5-1+deb10u3    | An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46. |
|            |              |                   |                        | 5. This issue leads to a segmentation fault and possibly arbitrary cod |
|            |              |                   |                        |            e execution via a specially crafted filesystem.             |
+------------+--------------+-------------------+------------------------+------------------------------------------------------------------------+
| Unapproved |    High      |    gcc-8-base     |        8.3.0-6         | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in fu |
|            |              |                   |                        | nction.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain |
...

I’ll have to see if there are some updates that can minimize those. Tomorrow.
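What you do with a scan like this in CI is turn it into a gate. Below is an added example (my code, not GitLab’s or the project’s) that reads a container-scanning report in the JSON shape GitLab jobs emit as `gl-container-scanning-report.json`, collects findings at or above a severity threshold per image, and fails unless every finding is on an allowlist, which is the meaning of the `Unapproved` column above. The embedded report is a constructed sample built from the findings visible above, plus one made-up Medium finding to show the threshold at work; the field names `severity`, `location.image` and `location.dependency.package.name`/`version` follow the GitLab security report schema as I know it, so check them against a real report before trusting the script. The allowlist here keys on package name for brevity, whereas GitLab’s own `vulnerability-allowlist.yml` keys on CVE identifier.

```python
import json
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Severity names used by GitLab security reports, lowest to highest.
SEVERITIES = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]
RANK = {s: i for i, s in enumerate(SEVERITIES)}

MSSQL = "registry.gitlab.com/301days/mssql-dragspinexp:latest"
GAME = "registry.gitlab.com/libipljoe/drag-spin-exp:latest"

# Constructed sample in the shape of gl-container-scanning-report.json, using the
# findings visible in the post's scan output plus one made-up Medium finding.
# Only the fields this script reads are included; real reports carry more.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"severity": "High",
     "description": "type confusion relating to X.400 address processing inside an X.509 GeneralName",
     "location": {"image": MSSQL, "dependency": {"package": {"name": "libssl1.1"},
                                                 "version": "1.1.1-1ubuntu2.1~18.04.20"}}},
    {"severity": "High",
     "description": "type confusion relating to X.400 address processing inside an X.509 GeneralName",
     "location": {"image": MSSQL, "dependency": {"package": {"name": "openssl"},
                                                 "version": "1.1.1-1ubuntu2.1~18.04.20"}}},
    {"severity": "High",
     "description": "heap-buffer overflow in valid parameter_transform",
     "location": {"image": GAME, "dependency": {"package": {"name": "bash"},
                                                "version": "5.0-4"}}},
    {"severity": "Medium",
     "description": "constructed finding, not from the post, to exercise the threshold",
     "location": {"image": GAME, "dependency": {"package": {"name": "example-package"},
                                                "version": "0.0"}}},
]})

Finding = Tuple[str, str, str]  # (severity, package, version)


def findings_at_or_above(report_text: str, threshold: str = "High") -> Dict[str, List[Finding]]:
    """Map image -> findings whose severity is `threshold` or worse."""
    floor = RANK[threshold]
    hits: Dict[str, List[Finding]] = defaultdict(list)
    for v in json.loads(report_text).get("vulnerabilities", []):
        sev = v.get("severity", "Unknown")
        if RANK.get(sev, RANK["Unknown"]) < floor:
            continue
        loc = v.get("location", {})
        dep = loc.get("dependency", {})
        pkg = dep.get("package", {}).get("name", "?")
        hits[loc.get("image", "?")].append((sev, pkg, dep.get("version", "?")))
    return dict(hits)


def gate(report_text: str, threshold: str = "High",
         allowlist: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (passed, report lines). Allowlisted packages are listed but do not fail the gate."""
    allowed = set(allowlist)
    lines: List[str] = []
    passed = True
    for image, items in sorted(findings_at_or_above(report_text, threshold).items()):
        for sev, pkg, ver in sorted(items):
            approved = pkg in allowed
            passed = passed and approved
            status = "approved  " if approved else "UNAPPROVED"
            lines.append(f"{status} {sev:8} {image} {pkg} {ver}")
    return passed, lines


if __name__ == "__main__":
    ok, report_lines = gate(SAMPLE_REPORT, threshold="High")
    print("\n".join(report_lines))
    sys.exit(0 if ok else 1)
```

In a pipeline this runs as a job after the scanning job, with the real report passed in as an artifact; a non-zero exit is what stops a High finding from reaching a deploy stage.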


More to come

drag-spin-exp New Day 4 code

mssql-dragspinexp New Day 4 code