[Buildbot-devel] Running buildslaves in chroot

Dan Kegel dank at kegel.com
Sat Nov 29 21:55:55 UTC 2014


Yeah, I may be behind the times,
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
says
that CONFIG_USER_NS is used by the latest lxc.

On Sat, Nov 29, 2014 at 1:42 PM, Dan Kegel <dank at kegel.com> wrote:
> I do all those things in the lxc container using sudo.
>
> In the end, a chroot or lxc build is about reproducibility, not real
> security.
>
> On Nov 29, 2014 1:29 PM, "Michael Hansen" <michael.schacht.hansen at gmail.com>
> wrote:
>>
>> I guess my problem is that I would like to run things like debootstrap,
>> install packages, etc as part of the build process. So I would like for the
>> buildsystem to be able to do that. So clearly that is not ideal. But given
>> that a limited number of people can commit code and they all have root
>> access to the build system already (ie if they wanted to do something
>> malicious, there would be easier ways), does it add any additional risk to
>> run it as root in a chroot environment? The chroot environment would just
>> prevent anybody from accidentally wiping out the build host.
>>
>> On Sat, Nov 29, 2014 at 4:22 PM, Dan Kegel <dank at kegel.com> wrote:
>>>
>>> Neither.  Run it as a normal user in an lxc environment (ideally an
>>> ephemeral one).
>>>
>>> Of course, that's only slightly more secure than running as a normal
>>> user in the main system, but it's something.
>>>
>>> On Sat, Nov 29, 2014 at 1:11 PM, Michael Hansen
>>> <michael.schacht.hansen at gmail.com> wrote:
>>> > Hi Dan,
>>> >
>>> > Thank you for your comments. Nothing is ever really perfectly safe. I
>>> > guess
>>> > my question could also be rephrased as: what is best from a security
>>> > perspective? A) running buildslave as a regular user in the main system
>>> > or
>>> > B) running it (as root) in a chroot environment?
>>> >
>>> > On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:
>>> >>
>>> >> I've been doing this with linux containers for some time.
>>> >>
>>> >> Containers are not yet a security solution.  You can escape out of a
>>> >> chroot jail (the exploit's a bit different for lxc containers, but
>>> >> still available).
>>> >>
>>> >> But it's worth it just for the isolation alone; my builds need to
>>> >> install debian packages, and I use ephemeral lxc containers for the
>>> >> linux buildslaves to get a fresh vanilla system every time.
>>> >>
>>> >>
>>> >> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
>>> >> <michael.schacht.hansen at gmail.com> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > I have been using buildbot a while now, it has been a great help to
>>> >> > our
>>> >> > project.
>>> >> >
>>> >> > I am looking to add some sophistication to our setup and I am
>>> >> > considering
>>> >> > running the buildslaves in chroot environment to a) be able to build
>>> >> > for
>>> >> > multiple distros/releases on the same host, b) isolate the build
>>> >> > slaves
>>> >> > from
>>> >> > the main system, and c) run a few build steps as root (we generate
>>> >> > some
>>> >> > distribution images and root privileges are needed to run some of
>>> >> > the
>>> >> > tools,
>>> >> > e.g. debootstrap and others).
>>> >> >
>>> >> > In my buildslaves i need access to the /proc (for some GPU unit
>>> >> > tests)
>>> >> > filesystem so I mount that in the chroot environment but other than
>>> >> > that
>>> >> > the
>>> >> > slave does not have access to the main system.
>>> >> >
>>> >> > My question is, is this safe? Are there any security issues with
>>> >> > running
>>> >> > in
>>> >> > a chroot jail or is it inherently safer than running it in the main
>>> >> > system?
>>> >> >
>>> >> > Thanks,
>>> >> > Michael
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > ------------------------------------------------------------------------------
>>> >> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> >> > from Actuate! Instantly Supercharge Your Business Reports and
>>> >> > Dashboards
>>> >> > with Interactivity, Sharing, Native Excel Exports, App Integration &
>>> >> > more
>>> >> > Get technology previously reserved for billion-dollar corporations,
>>> >> > FREE
>>> >> >
>>> >> >
>>> >> > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>>> >> > _______________________________________________
>>> >> > Buildbot-devel mailing list
>>> >> > Buildbot-devel at lists.sourceforge.net
>>> >> > https://lists.sourceforge.net/lists/listinfo/buildbot-devel
>>> >> >
>>> >
>>> >
>>
>>
>




More information about the devel mailing list