Masked variables when overriding service commands are empty - gitlab

I want to use Testcontainers for my JUNIT tests and so I created this:
image: gitlab.registry.example:5005/my-custom-maven-image
variables:
MAVEN_CLI_OPTS: "--batch-mode -s $CI_PROJECT_DIR/.m2/settings.xml"
stages:
- test
test:
stage: test
script:
- mvn $MAVEN_CLI_OPTS clean test
services:
- name: docker:dind
alias: docker
command:
- /bin/sh
- -c
- "DOCKER_AUTH_CONFIG=`echo \"{\\\"auths\\\":{\\\"$CI_REGISTRY\\\":{\\\"username\\\":\\\"$CI_REGISTRY_USER\\\",\\\"password\\\":\\\"$CI_REGISTRY_PASSWORD\\\"}}}\"` && mkdir -p \"/root/.docker\" && echo \"${DOCKER_AUTH_CONFIG}\" > \"/root/.docker/config.json\" && cat /root/.docker/config.json && update-ca-certificates && dockerd-entrypoint.sh || exit"
variables:
# Instruct Testcontainers to use the daemon of DinD.
DOCKER_HOST: "tcp://docker:2375"
# Instruct Docker not to start over TLS.
DOCKER_TLS_CERTDIR: ""
DOCKER_TLS_VERIFY: 0
# Improve performance with overlayfs.
DOCKER_DRIVER: overlay2
This gives me the following output when the runner tries to spawn the dind container:
{"auths":{"gitlab.registry.example:5005":{"username":"gitlab-ci-token","password":""}}}
As you can see the password is empty. Printing the CI_REGISTRY_PASSWORD variable in a before_script shows me [masked] as I would expect.
I am about to create an issue in the gitlab-runner project but I wanted to make sure what I did is not wrong beforehand.
Update: Created an issue in the gitlab-runner project

It looks like a bug indeed: CI_REGISTRY_PASSWORD variable is not present at all in the container running DinD service, where it's properly set in job container.
I reproduced your issue by re-using your example in a simplified way:
test:
stage: test
script:
- echo "Registry $CI_REGISTRY - User $CI_REGISTRY_USER - Password $CI_REGISTRY_PASSWORD"
# - sleep 9999
services:
- name: docker:dind
alias: docker
command:
- /bin/sh
- -c
- echo "Registry $CI_REGISTRY - User $CI_REGISTRY_USER - Password $CI_REGISTRY_PASSWORD" && dockerd-entrypoint.sh || exit
This shows in Gitlab UI:
# Services logs (not always shown)
Registry registry.novadiscovery.net - User gitlab-ci-token - Password
# Script logs
$ echo "Registry $CI_REGISTRY - User $CI_REGISTRY_USER - Password $CI_REGISTRY_PASSWORD"
Registry registry.mycompany.com - User gitlab-ci-token - Password [MASKED]
At first I thought the variable was somehow hidden from Gitlab log UI, but instead of being shown as [masked] it was simply not shown at all. However, when inspecting underlying containers running jobs, we can see variable is indeed absent from DinD service:
# Running docker inspect command on machine running Gitlab Runner
# Inspect DinD service container
# CI_REGISTRY_PASSWORD does not exists
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-docker-0 | jq .[0].Config.Env | grep CI_REGISTRY
"CI_REGISTRY_USER=gitlab-ci-token",
"CI_REGISTRY=registry.mycompany.com",
"CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",
# Inspect job container
# CI_REGISTRY_PASSWORD is set
docker inspect runner-zz-qri9h-project-663-concurrent-0-8f92ad27e7b78f1c-build-2 | jq .[0].Config.Env | grep CI_REGISTRY
"CI_REGISTRY_USER=gitlab-ci-token",
"CI_REGISTRY_PASSWORD=xxx",
"CI_REGISTRY=registry.mycompany.com",
"CI_REGISTRY_IMAGE=registry.mycompany.com/pierre.beucher/sandbox",
By comparing variables between job container and service container, it seems all secret or sensible pre-defined CI variables are missing from the services containers. From the above comparison, the following variables were missing (there may be others):
CI_JOB_TOKEN
CI_BUILD_TOKEN
CI_REGISTRY_PASSWORD
CI_REPOSITORY_URL
CI_DEPENDENCY_PROXY_PASSWORD
CI_JOB_JWT
Tested on Gitlab 13.11.3 and Gitlab Runner 13.2.1

Related

Unable to deploy to Azure Container Registry from GitLab

I have the following pipeline:
# .gitlab-ci.yml
stages:
- build
- push
build:
stage: build
services:
- docker:dind
image: docker:latest
script:
# Build the Docker image
- docker build -t myfe:$CI_COMMIT_SHA .
push:
stage: push
image: bitnami/azure-cli
script:
# - echo $DOCKERHUB_PASSWORD | docker login -u $DOCKERHUB_USERNAME --password-stdin
- echo $ACR_CLIENT_ID | docker login mycr.azurecr.io --username $ACR_CLIENT_ID --password-stdin
# Push the Docker image to the ACR
- docker push myfe:$CI_COMMIT_SHA
only:
- main
# before_script:
# - echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
variables:
DOCKERHUB_USERNAME: $DOCKERHUB_USERNAME
DOCKERHUB_PASSWORD: $DOCKERHUB_PASSWORD
It results in the following error:
Using docker image sha256:373... for bitnami/azure-cli with digest bitnami/azure-cli#sha256:9128... ...
ERROR: 'sh' is misspelled or not recognized by the system.
Examples from AI knowledge base:
https://aka.ms/cli_ref
Read more about the command in reference docs
Any idea what this might mean?
The bitnami/azure-cli has an entrypoint of az, so your script is running as az parameters.
To solve this, you need to override the entrypoint using: entrypoint: [""] in your gitlab-ci.yml.
For more info check: https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#override-the-entrypoint-of-an-image
If you want to user an Azure CLI image for this .gitlab-ci.yml file, you should use the official Microsoft image instead:
image: mcr.microsoft.com/azure-cli
Works like a charm!

Gitlab CI/CD pipeline on server with custom port not working

Yesterday, I have started setup of Gitlab CI-CD pipeline.
at beginning i have setup gitlab runner,
then i create test ci/cd pipeline & test successfully.
to extend this i have setuping whole deployment structure where
I'm login OCI instance & done all required stuff
but there facing some issue while connecting to oci instance throw gitlab ci/cd pipeline
I have OCI instance with custom port that not working
getting error as
ssh: Could not resolve hostname <server_ip>:<server_port>: nodename nor servname provided, or not known
To Solve this I have modified, gitlab-ci.yml file
where # time connecting server
ssh -p <server_port> <username>#<server_ip>
below is .gitlab-ci.yml
variables:
TAG_LATEST: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_NAME:latest
TAG_COMMIT: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHORT_SHA
stages:
- build
- test
- publish
- deploy
build-job:
stage: build
script:
- echo "Compiling the code..."
- echo "Compile complete."
unit-test-job:
stage: test
script:
- echo "Test Job Run & Done."
lint-test-job:
stage: test
script:
- echo "No lint issues found."
publish:
# image: docker:latest
stage: publish
services:
# - docker:dind
script:
# - docker build -t $TAG_COMMIT -t $TAG_LATEST .
# - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
# - docker push $TAG_COMMIT
# - docker push $TAG_LATEST
- echo "publishing code... This will take about 10 seconds."
# - sleep 10
- echo "No publishing issues found."
deploy-job: # This job runs in the deploy stage.
image: alpine:latest
stage: deploy # It only runs when *both* jobs in the test stage complete successfully.
environment: production
script:
- chmod og= $ID_RSA
- apk update && apk add openssh-client
- ssh -i $ID_RSA -o StrictHostKeyChecking=no -p $SSH_PORT $SERVER_USER#$SERVER_IP "pwd"
- echo "Deploying application..."
- echo "Application successfully deployed."
ssh -i $ID_RSA -o StrictHostKeyChecking=no -p $SSH_PORT $SERVER_USER#$SERVER_IP "pwd"

How to use Kaniko inside Gitlab CICD?

I am trying to use Kaniko with Gitlab in order to get rid of the DinD flow.
So, I have this in my .gitlab-ci.yaml
kaniko:
stage: tagging
variables:
CI_REGISTRY: ${AZURE_REGISTRY_USERNAME_DEV}.azurecr.io
CI_REGISTRY_USER: ${AZURE_REGISTRY_USERNAME_DEV}
CI_REGISTRY_PASSWORD: ${AZURE_REGISTRY_PASS_DEV}
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
#
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/devops/Dockerfile"
--destination "${CI_REGISTRY}/kanikotest:bla"
--verbosity debug
tags: # select gitlab-runner based on this tag(s)
- docker
only:
refs:
- /^feat.*$/
but I keep getting this error in the logs
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "mysuperregistry.azurecr.io/kanikotest:bla": creating push check transport for mysuperregistry.azurecr.io failed: GET https://mysuperregistry.azurecr.io/oauth2/token?scope=repository%3Akanikotest%3Apush%2Cpull&service=mysuperregistry.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.
I am following this guide.
Fun fact... I have successfully deployed Kaniko inside Minikube by creating a secret with the same creds, and I successfully pushed to the same registry.
The syntax of the auth file seems good (I assume the creds are correct), so your code should work if you just set the DOCKER_CONFIG environment variable as following:
kaniko:
stage: tagging
variables:
CI_REGISTRY: ${AZURE_REGISTRY_USERNAME_DEV}.azurecr.io
CI_REGISTRY_USER: ${AZURE_REGISTRY_USERNAME_DEV}
CI_REGISTRY_PASSWORD: ${AZURE_REGISTRY_PASS_DEV}
DOCKER_CONFIG: "$CI_PROJECT_DIR/kanikotest/.docker"
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
- mkdir -p $DOCKER_CONFIG
- echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > $DOCKER_CONFIG/config.json
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/devops/Dockerfile"
--destination "${CI_REGISTRY}/kanikotest:bla"
--digest-file "$CI_PROJECT_DIR/docker-content-digest-kanikotest"
--verbosity info
artifacts:
paths:
- docker-content-digest-kanikotest
Adding an extra directory (kanikotest) inside the DOCKER_CONFIG path will avoid concurrent builds to overwrite the same auth file (not required in your case example but a good practice in general).
The --digest-file option will permit also to save the image SHA for following CI jobs.

edit and execute pipeline *.yml template file from command line [duplicate]

If a GitLab project is configured on GitLab CI, is there a way to run the build locally?
I don't want to turn my laptop into a build "runner", I just want to take advantage of Docker and .gitlab-ci.yml to run tests locally (i.e. it's all pre-configured). Another advantage of that is that I'm sure that I'm using the same environment locally and on CI.
Here is an example of how to run Travis builds locally using Docker, I'm looking for something similar with GitLab.
Since a few months ago this is possible using gitlab-runner:
gitlab-runner exec docker my-job-name
Note that you need both docker and gitlab-runner installed on your computer to get this working.
You also need the image key defined in your .gitlab-ci.yml file. Otherwise won't work.
Here's the line I currently use for testing locally using gitlab-runner:
gitlab-runner exec docker test --docker-volumes "/home/elboletaire/.ssh/id_rsa:/root/.ssh/id_rsa:ro"
Note: You can avoid adding a --docker-volumes with your key setting it by default in /etc/gitlab-runner/config.toml. See the official documentation for more details. Also, use gitlab-runner exec docker --help to see all docker-based runner options (like variables, volumes, networks, etc.).
Due to the confusion in the comments, I paste here the gitlab-runner --help result, so you can see that gitlab-runner can make builds locally:
gitlab-runner --help
NAME:
gitlab-runner - a GitLab Runner
USAGE:
gitlab-runner [global options] command [command options] [arguments...]
VERSION:
1.1.0~beta.135.g24365ee (24365ee)
AUTHOR(S):
Kamil TrzciƄski <ayufan#ayufan.eu>
COMMANDS:
exec execute a build locally
[...]
GLOBAL OPTIONS:
--debug debug mode [$DEBUG]
[...]
As you can see, the exec command is to execute a build locally.
Even though there was an issue to deprecate the current gitlab-runner exec behavior, it ended up being reconsidered and a new version with greater features will replace the current exec functionality.
Note that this process is to use your own machine to run the tests using docker containers. This is not to define custom runners. To do so, just go to your repo's CI/CD settings and read the documentation there. If you wanna ensure your runner is executed instead of one from gitlab.com, add a custom and unique tag to your runner, ensure it only runs tagged jobs and tag all the jobs you want your runner to be responsible of.
I use this docker-based approach:
Edit: 2022-10
docker run --entrypoint bash --rm -w $PWD -v $PWD:$PWD -v /var/run/docker.sock:/var/run/docker.sock gitlab/gitlab-runner:latest -c 'git config --global --add safe.directory "*";gitlab-runner exec docker test'
For all git versions > 2.35.2. You must add safe.directory within the container to avoid fatal: detected dubious ownership in repository at.... This also true for patched git versions < 2.35.2. The old command will not work anymore.
Details
0. Create a git repo to test this answer
mkdir my-git-project
cd my-git-project
git init
git commit --allow-empty -m"Initialize repo to showcase gitlab-runner locally."
1. Go to your git directory
cd my-git-project
2. Create a .gitlab-ci.yml
Example .gitlab-ci.yml
image: alpine
test:
script:
- echo "Hello Gitlab-Runner"
3. Create a docker container with your project dir mounted
docker run -d \
--name gitlab-runner \
--restart always \
-v $PWD:$PWD \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:latest
(-d) run container in background and print container ID
(--restart always) or not?
(-v $PWD:$PWD) Mount current directory into the current directory of the container - Note: On Windows you could bind your dir to a fixed location, e.g. -v ${PWD}:/opt/myapp. Also $PWD will only work at powershell not at cmd
(-v /var/run/docker.sock:/var/run/docker.sock) This gives the container access to the docker socket of the host so it can start "sibling containers" (e.g. Alpine).
(gitlab/gitlab-runner:latest) Just the latest available image from dockerhub.
4. Execute with
Avoid fatal: detected dubious ownership in repository at... More info
docker exec -it -w $PWD gitlab-runner git config --global --add safe.directory "*"
Actual execution
docker exec -it -w $PWD gitlab-runner gitlab-runner exec docker test
# ^ ^ ^ ^ ^ ^
# | | | | | |
# (a) (b) (c) (d) (e) (f)
(a) Working dir within the container. Note: On Windows you could use a fixed location, e.g. /opt/myapp.
(b) Name of the docker container
(c) Execute the command "gitlab-runner" within the docker container
(d)(e)(f) run gitlab-runner with "docker executer" and run a job named "test"
5. Prints
...
Executing "step_script" stage of the job script
$ echo "Hello Gitlab-Runner"
Hello Gitlab-Runner
Job succeeded
...
Note: The runner will only work on the commited state of your code base. Uncommited changes will be ignored. Exception: The .gitlab-ci.yml itself does not have be commited to be taken into account.
Note: There are some limitations running locally. Have a look at limitations of gitlab runner locally.
I'm currently working on making a gitlab runner that works locally.
Still in the early phases, but eventually it will become very relevant.
It doesn't seem like gitlab want/have time to make this, so here you go.
https://github.com/firecow/gitlab-runner-local
If you are running Gitlab using the docker image there: https://hub.docker.com/r/gitlab/gitlab-ce, it's possible to run pipelines by exposing the local docker.sock with a volume option: -v /var/run/docker.sock:/var/run/docker.sock. Adding this option to the Gitlab container will allow your workers to access to the docker instance on the host.
The GitLab runner appears to not work on Windows yet and there is an open issue to resolve this.
So, in the meantime I am moving my script code out to a bash script, which I can easily map to a docker container running locally and execute.
In this case I want to build a docker container in my job, so I create a script 'build':
#!/bin/bash
docker build --pull -t myimage:myversion .
in my .gitlab-ci.yaml I execute the script:
image: docker:latest
services:
- docker:dind
before_script:
- apk add bash
build:
stage: build
script:
- chmod 755 build
- build
To run the script locally using powershell I can start the required image and map the volume with the source files:
$containerId = docker run --privileged -d -v ${PWD}:/src docker:dind
install bash if not present:
docker exec $containerId apk add bash
Set permissions on the bash script:
docker exec -it $containerId chmod 755 /src/build
Execute the script:
docker exec -it --workdir /src $containerId bash -c 'build'
Then stop the container:
docker stop $containerId
And finally clean up the container:
docker container rm $containerId
Another approach is to have a local build tool that is installed on your pc and your server at the same time.
So basically, your .gitlab-ci.yml will basically call your preferred build tool.
Here an example .gitlab-ci.yml that i use with nuke.build:
stages:
- build
- test
- pack
variables:
TERM: "xterm" # Use Unix ASCII color codes on Nuke
before_script:
- CHCP 65001 # Set correct code page to avoid charset issues
.job_template: &job_definition
except:
- tags
build:
<<: *job_definition
stage: build
script:
- "./build.ps1"
test:
<<: *job_definition
stage: test
script:
- "./build.ps1 test"
variables:
GIT_CHECKOUT: "false"
pack:
<<: *job_definition
stage: pack
script:
- "./build.ps1 pack"
variables:
GIT_CHECKOUT: "false"
only:
- master
artifacts:
paths:
- output/
And in nuke.build i've defined 3 targets named like the 3 stages (build, test, pack)
In this way you have a reproducible setup (all other things are configured with your build tool) and you can test directly the different targets of your build tool.
(i can call .\build.ps1 , .\build.ps1 test and .\build.ps1 pack when i want)
I am on Windows using VSCode with WSL
I didn't want to register my work PC as a runner so instead I'm running my yaml stages locally to test them out before I upload them
$ sudo apt-get install gitlab-runner
$ gitlab-runner exec shell build
yaml
image: node:10.19.0 # https://hub.docker.com/_/node/
# image: node:latest
cache:
# untracked: true
key: project-name
# key: ${CI_COMMIT_REF_SLUG} # per branch
# key:
# files:
# - package-lock.json # only update cache when this file changes (not working) #jkr
paths:
- .npm/
- node_modules
- build
stages:
- prepare # prepares builds, makes build needed for testing
- test # uses test:build specifically #jkr
- build
- deploy
# before_install:
before_script:
- npm ci --cache .npm --prefer-offline
prepare:
stage: prepare
needs: []
script:
- npm install
test:
stage: test
needs: [prepare]
except:
- schedules
tags:
- linux
script:
- npm run build:dev
- npm run test:cicd-deps
- npm run test:cicd # runs puppeteer tests #jkr
artifacts:
reports:
junit: junit.xml
paths:
- coverage/
build-staging:
stage: build
needs: [prepare]
only:
- schedules
before_script:
- apt-get update && apt-get install -y zip
script:
- npm run build:stage
- zip -r build.zip build
# cache:
# paths:
# - build
# <<: *global_cache
# policy: push
artifacts:
paths:
- build.zip
deploy-dev:
stage: deploy
needs: [build-staging]
tags: [linux]
only:
- schedules
# # - branches#gitlab-org/gitlab
before_script:
- apt-get update && apt-get install -y lftp
script:
# temporarily using 'verify-certificate no'
# for more on verify-certificate #jkr: https://www.versatilewebsolutions.com/blog/2014/04/lftp-ftps-and-certificate-verification.html
# variables do not work with 'single quotes' unless they are "'surrounded by doubles'"
- lftp -e "set ssl:verify-certificate no; open mediajackagency.com; user $LFTP_USERNAME $LFTP_PASSWORD; mirror --reverse --verbose build/ /var/www/domains/dev/clients/client/project/build/; bye"
# environment:
# name: staging
# url: http://dev.mediajackagency.com/clients/client/build
# # url: https://stg2.client.co
when: manual
allow_failure: true
build-production:
stage: build
needs: [prepare]
only:
- schedules
before_script:
- apt-get update && apt-get install -y zip
script:
- npm run build
- zip -r build.zip build
# cache:
# paths:
# - build
# <<: *global_cache
# policy: push
artifacts:
paths:
- build.zip
deploy-client:
stage: deploy
needs: [build-production]
tags: [linux]
only:
- schedules
# - master
before_script:
- apt-get update && apt-get install -y lftp
script:
- sh deploy-prod
environment:
name: production
url: http://www.client.co
when: manual
allow_failure: true
The idea is to keep check commands outside of .gitlab-ci.yml. I use Makefile to run something like make check and my .gitlab-ci.yml runs the same make commands that I use locally to check various things before committing.
This way you'll have one place with all/most of your commands (Makefile) and .gitlab-ci.yml will have only CI-related stuff.
I have written a tool to run all GitLab-CI job locally without have to commit or push, simply with the command ci-toolbox my_job_name.
The URL of the project : https://gitlab.com/mbedsys/citbx4gitlab
Years ago I build this simple solution with Makefile and docker-compose to run the gitlab runner in docker, you can use it to execute jobs locally as well and should work on all systems where docker works:
https://gitlab.com/1oglop1/gitlab-runner-docker
There are few things to change in the docker-compose.override.yaml
version: "3"
services:
runner:
working_dir: <your project dir>
environment:
- REGISTRATION_TOKEN=<token if you want to register>
volumes:
- "<your project dir>:<your project dir>"
Then inside your project you can execute it the same way as mentioned in other answers:
docker exec -it -w $PWD runner gitlab-runner exec <commands>..
I recommend using gitlab-ci-local
https://github.com/firecow/gitlab-ci-local
It's able to run specific jobs as well.
It's a very cool project and I have used it to run simple pipelines on my laptop.

Gitlab configuration postgresql service

Just getting started with GitLab and I can't seem to get my configuration working. I'm using the following:
image: maven:3.3-jdk-8-alpine
stages:
- prepare
- build
services:
- postgres:latest
variables:
POSTGRES_DB: my_database
POSTGRES_USER: runner
POSTGRES_PASSWORD: runner
prepare_db:
stage: prepare
image: postgres
script:
- export PGPASSWORD=$POSTGRES_PASSWORD
- psql -h "postgres" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "CREATE EXTENSION \"uuid-ossp\";"
build:
stage: build
script: mvn clean test
It works fine if I simply want to compile my code, the build would then simply be mvn clean compile but to run the tests I need a PostgreSQL instance. In my code I rely on UUIDs so I need to ensure that the uuid-ossp extension is installed.
In my prepare_db job I can connect to the Postgres instance and execute the command, I have also verified that the extension is installed properly by issuing a second script command SELECT uuid_generate_v4(); and it returns a uuid.
When the runner gets to the build job it keeps telling me that the uuid_generate_v4() function is not present. Is my prepare_db job being run on a different Postgres instance?
It is happening because prepare_db job is completely isolated from build job. So basically it doesn't prepare anything. To fix it do next steps:
.prepare_db: &prepare_db |
export PGPASSWORD=$POSTGRES_PASSWORD
psql -h "postgres" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "CREATE EXTENSION \"uuid-ossp\";"
build:
stage: build
script:
- *prepare_db
- mvn clean test

Resources