[Buildbot-devel] Running buildslaves in chroot
Dan Kegel
dank at kegel.com
Sat Nov 29 21:42:19 UTC 2014
I do all those things in the lxc container using sudo.
In the end, a chroot or lxc build is about reproducibility, not real
security.
On Nov 29, 2014 1:29 PM, "Michael Hansen" <michael.schacht.hansen at gmail.com>
wrote:
> I guess my problem is that I would like to run things like debootstrap,
> install packages, etc as part of the build process. So I would like for the
> buildsystem to be able to do that. So clearly that is not ideal. But given
> that a limited number of people can commit code and they all have root
> access to the build system already (ie if they wanted to do something
> malicious, there would be easier ways), does it add any additional risk to
> run it as root in a chroot environment? The chroot environment would just
> prevent anybody from accidentally wiping out the build host.
>
> On Sat, Nov 29, 2014 at 4:22 PM, Dan Kegel <dank at kegel.com> wrote:
>
>> Neither. Run it as a normal user in an lxc environment (ideally an
>> ephemeral one).
>>
>> Of course, that's only slightly more secure than running as a normal
>> user in the main system, but it's something.
>>
>> On Sat, Nov 29, 2014 at 1:11 PM, Michael Hansen
>> <michael.schacht.hansen at gmail.com> wrote:
>> > Hi Dan,
>> >
>> > Thank you for your comments. Nothing is ever really perfectly safe. I
>> guess
>> > my question could also be rephrased as: what is best from a security
>> > perspective? A) running buildslave as a regular user in the main system
>> or
>> > B) running it (as root) in a chroot environment?
>> >
>> > On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:
>> >>
>> >> I've been doing this with linux containers for some time.
>> >>
>> >> Containers are not yet a security solution. You can escape out of a
>> >> chroot jail (the exploit's a bit different for lxc containers, but
>> >> still available).
>> >>
>> >> But it's worth it just for the isolation alone; my builds need to
>> >> install debian packages, and I use ephemeral lxc containers for the
>> >> linux buildslaves to get a fresh vanilla system every time.
>> >>
>> >>
>> >> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
>> >> <michael.schacht.hansen at gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > I have been using buildbot a while now, it has been a great help to
>> our
>> >> > project.
>> >> >
>> >> > I am looking to add some sophistication to our setup and I am
>> >> > considering
>> >> > running the buildslaves in chroot environment to a) be able to build
>> for
>> >> > multiple distros/releases on the same host, b) isolate the build
>> slaves
>> >> > from
>> >> > the main system, and c) run a few build steps as root (we generate
>> some
>> >> > distribution images and root privileges are needed to run some of the
>> >> > tools,
>> >> > e.g. debootstrap and others).
>> >> >
>> >> > In my buildslaves i need access to the /proc (for some GPU unit
>> tests)
>> >> > filesystem so I mount that in the chroot environment but other than
>> that
>> >> > the
>> >> > slave does not have access to the main system.
>> >> >
>> >> > My question is, is this safe? Are there any security issues with
>> running
>> >> > in
>> >> > a chroot jail or is it inherently safer than running it in the main
>> >> > system?
>> >> >
>> >> > Thanks,
>> >> > Michael
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> ------------------------------------------------------------------------------
>> >> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> >> > from Actuate! Instantly Supercharge Your Business Reports and
>> Dashboards
>> >> > with Interactivity, Sharing, Native Excel Exports, App Integration &
>> >> > more
>> >> > Get technology previously reserved for billion-dollar corporations,
>> FREE
>> >> >
>> >> >
>> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>> >> > _______________________________________________
>> >> > Buildbot-devel mailing list
>> >> > Buildbot-devel at lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/buildbot-devel
>> >> >
>> >
>> >
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://buildbot.net/pipermail/devel/attachments/20141129/456f34f9/attachment.html>
More information about the devel
mailing list