[Buildbot-devel] Running buildslaves in chroot

Dan Kegel dank at kegel.com
Sat Nov 29 21:22:18 UTC 2014


Neither.  Run it as a normal user in an lxc environment (ideally an
ephemeral one).

Of course, that's only slightly more secure than running as a normal
user in the main system, but it's something.

On Sat, Nov 29, 2014 at 1:11 PM, Michael Hansen
<michael.schacht.hansen at gmail.com> wrote:
> Hi Dan,
>
> Thank you for your comments. Nothing is ever really perfectly safe. I guess
> my question could also be rephrased as: what is best from a security
> perspective? A) running buildslave as a regular user in the main system or
> B) running it (as root) in a chroot environment?
>
> On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:
>>
>> I've been doing this with linux containers for some time.
>>
>> Containers are not yet a security solution.  You can escape out of a
>> chroot jail (the exploit's a bit different for lxc containers, but
>> still available).
>>
>> But it's worth it just for the isolation alone; my builds need to
>> install debian packages, and I use ephemeral lxc containers for the
>> linux buildslaves to get a fresh vanilla system every time.
>>
>>
>> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
>> <michael.schacht.hansen at gmail.com> wrote:
>> > Hi,
>> >
>> > I have been using buildbot a while now, it has been a great help to our
>> > project.
>> >
>> > I am looking to add some sophistication to our setup and I am
>> > considering
>> > running the buildslaves in chroot environment to a) be able to build for
>> > multiple distros/releases on the same host, b) isolate the build slaves
>> > from
>> > the main system, and c) run a few build steps as root (we generate some
>> > distribution images and root privileges are needed to run some of the
>> > tools,
>> > e.g. debootstrap and others).
>> >
>> > In my buildslaves i need access to the /proc (for some GPU unit tests)
>> > filesystem so I mount that in the chroot environment but other than that
>> > the
>> > slave does not have access to the main system.
>> >
>> > My question is, is this safe? Are there any security issues with running
>> > in
>> > a chroot jail or is it inherently safer than running it in the main
>> > system?
>> >
>> > Thanks,
>> > Michael
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> > with Interactivity, Sharing, Native Excel Exports, App Integration &
>> > more
>> > Get technology previously reserved for billion-dollar corporations, FREE
>> >
>> > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > Buildbot-devel mailing list
>> > Buildbot-devel at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/buildbot-devel
>> >
>
>




More information about the devel mailing list