[Buildbot-devel] Running buildslaves in chroot

Dan Kegel dank at kegel.com
Sat Nov 29 21:01:42 UTC 2014


I've been doing this with Linux containers for some time.

Containers are not yet a security solution.  You can escape out of a
chroot jail (the exploit's a bit different for lxc containers, but
still available).

But it's worth it just for the isolation alone; my builds need to
install Debian packages, and I use ephemeral lxc containers for the
Linux buildslaves to get a fresh vanilla system every time.


On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
<michael.schacht.hansen at gmail.com> wrote:
> Hi,
>
> I have been using buildbot a while now, it has been a great help to our
> project.
>
> I am looking to add some sophistication to our setup and I am considering
> running the buildslaves in a chroot environment to a) be able to build for
> multiple distros/releases on the same host, b) isolate the build slaves from
> the main system, and c) run a few build steps as root (we generate some
> distribution images and root privileges are needed to run some of the tools,
> e.g. debootstrap and others).
>
> In my buildslaves I need access to the /proc (for some GPU unit tests)
> filesystem so I mount that in the chroot environment but other than that the
> slave does not have access to the main system.
>
> My question is, is this safe? Are there any security issues with running in
> a chroot jail or is it inherently safer than running it in the main system?
>
> Thanks,
> Michael



