[Buildbot-devel] Running buildslaves in chroot

Michael Hansen michael.schacht.hansen at gmail.com
Sat Nov 29 21:11:32 UTC 2014


Hi Dan,

Thank you for your comments. Nothing is ever really perfectly safe. I guess
my question could also be rephrased as: what is best from a security
perspective? A) running buildslave as a regular user in the main system or
B) running it (as root) in a chroot environment?

On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:

> I've been doing this with linux containers for some time.
>
> Containers are not yet a security solution.  You can escape out of a
> chroot jail (the exploit's a bit different for lxc containers, but
> still available).
>
> But it's worth it just for the isolation alone; my builds need to
> install debian packages, and I use ephemeral lxc containers for the
> linux buildslaves to get a fresh vanilla system every time.
>
>
> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
> <michael.schacht.hansen at gmail.com> wrote:
> > Hi,
> >
> > I have been using buildbot for a while now; it has been a great help to our
> > project.
> >
> > I am looking to add some sophistication to our setup and I am considering
> > running the buildslaves in a chroot environment to a) be able to build for
> > multiple distros/releases on the same host, b) isolate the build slaves from
> > the main system, and c) run a few build steps as root (we generate some
> > distribution images and root privileges are needed to run some of the tools,
> > e.g. debootstrap and others).
> >
> > In my buildslaves I need access to the /proc filesystem (for some GPU unit
> > tests), so I mount that in the chroot environment, but other than that the
> > slave does not have access to the main system.
> >
> > My question is, is this safe? Are there any security issues with running in
> > a chroot jail or is it inherently safer than running it in the main system?
> >
> > Thanks,
> > Michael