As usual, if you are a visual learner, or just prefer to watch and listen instead of reading, here you have the video, which to be fair is much more complete than this post.
Link to the video: https://youtu.be/9TOJqJSHVvI
If you'd rather read, well... let's just continue :)
Today I have to talk about something I'd prefer not to, but unfortunately this is happening, and it's happening fast. So let's talk about crypto mining and its damaging effect on free CI/CD platforms.
A Word on Mining
We all know crypto mining: the process in which transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger, using the computing power of computers or graphics cards, and for which miners are rewarded directly with cryptocurrency.
We probably all know that this is affecting many aspects of our current time. For example, the current and past generations of graphics cards are so good and fast for mining that it's basically impossible to buy a graphics card right now, or if you find one the price is crazy. All the supply is basically taken up by miners, and a few very lucky gamers.
How Does Mining Cryptocurrencies Affect CI Platforms
Ok, but how does this affect the CI/CD platforms? I'm glad you asked.
Due to the lack of availability of graphics cards, and the constantly increasing number of miners thanks to the rise in value of cryptocurrencies, miners have started trying to find alternative ways of mining.
They first started using Cloud services but quickly realized that the cost of constantly running large instances was higher than the profit they were able to make. And this is when they started looking at the free CI providers.
Hosted build agents are fairly powerful, having to take care of compilation and so on, and most platforms have a free tier, particularly for public repositories. Powerful machines for free: a miner's dream come true.
And this is precisely the problem. They have started writing scripts, pushing them to public repositories, and taking advantage of those free CI agents to run their mining software. And as the different providers started blocking those attempts, miners adapted and started writing fairly complex software and scripts to "mask" the real reasons why they were using the repos and CI agents.
There are countless examples, but here is one just to make you understand the gravity of the problem. There was a user on GitHub who created a simple repo, which seemed a legit one at first look.
In the repo this user had the definition for 5 different CI providers, including GitHub Actions, CircleCI, TravisCI and others, and all were configured for automatic CI. The user had roughly 1 commit every hour, which in turn kicked off all 5 of those CI pipelines... and the script that was run was in fact a crypto miner. You can imagine how many resources that user alone has consumed.
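Here is a defender-side triage heuristic, written for this post rather than taken from it or from any CI provider, that scores a repository against the two indicators just described: configuration for several CI providers plus a near-hourly commit cadence that triggers all of them. The config file locations, the thresholds and the sample repository data are assumptions.

```python
"""Heuristic triage of a public repository for the CI-abuse pattern described
in the post: configs for many CI providers plus a steady commit stream that
kicks off every pipeline. Added example; paths, thresholds and sample data are
assumptions, not a published detection rule."""
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Well-known CI config locations (assumed; the post only names the providers).
CI_CONFIG_PATTERNS = {
    "GitHub Actions": ".github/workflows/*.yml",
    "CircleCI": ".circleci/config.yml",
    "TravisCI": ".travis.yml",
    "GitLab CI": ".gitlab-ci.yml",
    "Azure Pipelines": "azure-pipelines.yml",
}

def providers_configured(paths):
    """Return the set of CI providers whose config file exists in the repo."""
    return {name for name, pat in CI_CONFIG_PATTERNS.items()
            if any(fnmatch(p, pat) for p in paths)}

def commits_per_hour(timestamps):
    """Average commit rate over the observed window (0.0 if fewer than 2 commits)."""
    if len(timestamps) < 2:
        return 0.0
    hours = (max(timestamps) - min(timestamps)).total_seconds() / 3600
    return (len(timestamps) - 1) / hours if hours > 0 else float("inf")

def assess(paths, timestamps, min_providers=3, min_rate=0.5):
    """Flag repos that combine several CI providers with a near-hourly cadence.
    The thresholds are assumptions chosen for this example."""
    providers = providers_configured(paths)
    rate = commits_per_hour(timestamps)
    suspicious = len(providers) >= min_providers and rate >= min_rate
    return {"providers": sorted(providers), "commits_per_hour": round(rate, 2),
            "suspicious": suspicious}

# Constructed sample: five CI configs and one commit per hour for a day,
# mirroring the repo described in the post.
SAMPLE_PATHS = [".github/workflows/build.yml", ".circleci/config.yml",
                ".travis.yml", ".gitlab-ci.yml", "azure-pipelines.yml", "run.sh"]
START = datetime(2021, 4, 1, 0, 0)
SAMPLE_COMMITS = [START + timedelta(hours=h) for h in range(24)]

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS, SAMPLE_COMMITS))
```

A single CI config or a normal commit cadence on its own does not trip the check; both indicators have to be present.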
And in fact, if you have noticed your hosted CI agent being slower than usual or picking up jobs with a greater delay, most likely it's because of this. And not only on free CI, but also on paid CI platforms... because the resources are the same. But if the problem was just some slowdown, we wouldn't be here talking about this.
The problem is much bigger. So much so that basically all the CI providers have stopped offering free tiers or, in the best cases, they've implemented great limitations on the services.
Microsoft is no longer providing free concurrent CI for their Azure Pipelines for new organizations. If users want it, they need to request it and provide extra information to verify they are eligible.
TravisCI is taking it a step further, completely removing the free tier, and giving existing users a trial with an amount of free credits. When the credits are exhausted, if a user wants to keep using CI then they will have to buy a paid plan.
GitLab takes a different approach.
First, they require new users to verify their account by adding a credit card before they can start using the hosted CI agents. Existing users are not currently required to insert a credit card number, but they may be in future.
Second, they are removing the unlimited free minutes that were previously assigned to public projects, and setting a limit of 400 free minutes instead.
CircleCI has never had a completely free plan, but only a free allowance of 2500 credits per month.
While they haven't changed that, at least not yet, they've published an article saying that they have a whole team, and I quote, "of security experts, operations engineers, data scientists, and developers whose ongoing work comprises spotting and eradicating abuse of our platform".
This of course is a huge cost for the company, and if things continue like this they will need to find a way to get the money back... you make of this what you want.
Finally, GitHub Actions is the only provider that I'm aware of which still has completely free unlimited use of their CI and has not changed that.
However, they did mention in a post on their public blog that the Actions teams have spent thousands of hours fighting against miners. As in the CircleCI case, this comes at a cost. Having engineering teams focusing on fighting miners most probably means they have less time to focus on improving and developing the service.
And they are also saying that they are rolling out features and improvements to help maintainers of Open Source projects have better control of their CI when it comes to Pull Requests and Forks.
And I could continue for long, because similar things are happening with each and every CI provider.
Is there anything we can do to avoid this? Unfortunately, I'm afraid the answer is no.
Providers can do their best to enforce terms of service and take other measures, but as long as it's profitable and untraceable to carry out such attacks, miners will continue to become more sophisticated and outwit those measures.
The only hope is for crypto networks to fully disable the current computation-based mining as a means to earn new coins, switching entirely to a proof-of-stake (PoS) validation model. It sounds impossible, but it is actually already happening. Ethereum in fact recently announced they will do precisely that.
Let me know in the comment section below what you think about this sensitive subject.
Like, share and follow me 🚀 for more content:
☕ Buy me a coffee
🌐 CoderDave.io Website
👦🏻 Facebook page