SSRF in Kubernetes integration
The GitLab Kubernetes integration was vulnerable to an SSRF issue which could allow an attacker to make requests to access any internal URLs. The issue is now mitigated in the latest release and is assigned CVE-2018-18843.

This module allows preloading Docker images in a VM in order to reduce
IOs on file copies. This module must only be used in testing
environments, when the test requires several Docker images such as in
Kubernetes tests. In this case,
`virtualisation.dockerPreloader.images` can replace the
`services.kubernetes.kubelet.seedDockerImages` options.
The idea is to populate the /var/lib/docker directory by mounting qcow
files (we use qcow files to avoid permission issues) that contain images.
For each image specified in
config.virtualisation.dockerPreloader.images:
1. The image is loaded by Docker in a VM
2. The resulting /var/lib/docker is written to a QCOW file
This set of QCOW files can then be used to populate the
/var/lib/docker:
1. Each QCOW is mounted in the VM
2. Symlinks are created from these mount points to /var/lib/docker
3. A /var/lib/docker/image/overlay2/repositories.json file is generated
4. The docker daemon is started.

We keep the latest minor release of each one of the last 3 major releases,
which currently are GHC versions 8.2.2, 8.4.4, and 8.6.1. We also have
ghc-HEAD, but this doesn't count.
Dropping these compilers implied that we have to drop the corresponding
versions of ghcjs, too. We can also drop a shitload of obsolete compiler
patches that newer versions no longer need.
At some point, we can probably simplify the generic builder, too.

This makes pgjwt take a dummy 'postgresql' argument, which it does not *need*
in the buildInputs (it is purely a SQL extension with no C code). However, this
argument will be necessary for an upcoming change that will parameterize the
extensions over a particular PostgreSQL version.
It also does some tiny cleanup, setting a null build phase.
Signed-off-by: Austin Seipp <aseipp@pobox.com>