[Buildbot-devel] Running buildslaves in chroot

Dan Kegel dank at kegel.com
Sat Nov 29 22:59:48 UTC 2014


Yup.
Though with the uid namespace it's verging on offering some actual security.
They're certainly trying to get there.
On Nov 29, 2014 2:07 PM, "Michael Hansen" <michael.schacht.hansen at gmail.com> wrote:

> Clearly one does not set up an automated build system to improve security,
> but I was just wondering what is best practice. I really appreciate all the
> thoughts that you guys have.
>
> So if I run in a chroot jail (or lxc) as a non-privileged user (I just
> tested that and it works fine), and then, to enable a few steps that need root
> privileges, I give the non-privileged user the ability to run sudo commands,
> isn't that (almost) as bad as running the buildslave directly as root? It is
> one step more obscure, but would still be fundamentally as vulnerable, right?
>
> On Sat, Nov 29, 2014 at 4:42 PM, Dan Kegel <dank at kegel.com> wrote:
>
>> I do all those things in the lxc container using sudo.
>>
>> In the end, a chroot or lxc build is about reproducibility, not real
>> security.
>> On Nov 29, 2014 1:29 PM, "Michael Hansen" <michael.schacht.hansen at gmail.com> wrote:
>>
>>> I guess my problem is that I would like to run things like debootstrap,
>>> install packages, etc. as part of the build process. So I would like for the
>>> buildsystem to be able to do that. So clearly that is not ideal. But given
>>> that a limited number of people can commit code and they all have root
>>> access to the build system already (i.e. if they wanted to do something
>>> malicious, there would be easier ways), does it add any additional risk to
>>> run it as root in a chroot environment? The chroot environment would just
>>> prevent anybody from accidentally wiping out the build host.
>>>
>>> On Sat, Nov 29, 2014 at 4:22 PM, Dan Kegel <dank at kegel.com> wrote:
>>>
>>>> Neither.  Run it as a normal user in an lxc environment (ideally an
>>>> ephemeral one).
>>>>
>>>> Of course, that's only slightly more secure than running as a normal
>>>> user in the main system, but it's something.
>>>>
>>>> On Sat, Nov 29, 2014 at 1:11 PM, Michael Hansen
>>>> <michael.schacht.hansen at gmail.com> wrote:
>>>> > Hi Dan,
>>>> >
>>>> > Thank you for your comments. Nothing is ever really perfectly safe. I guess
>>>> > my question could also be rephrased as: what is best from a security
>>>> > perspective? A) running buildslave as a regular user in the main system or
>>>> > B) running it (as root) in a chroot environment?
>>>> >
>>>> > On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:
>>>> >>
>>>> >> I've been doing this with linux containers for some time.
>>>> >>
>>>> >> Containers are not yet a security solution.  You can escape out of a
>>>> >> chroot jail (the exploit's a bit different for lxc containers, but
>>>> >> still available).
>>>> >>
>>>> >> But it's worth it just for the isolation alone; my builds need to
>>>> >> install debian packages, and I use ephemeral lxc containers for the
>>>> >> linux buildslaves to get a fresh vanilla system every time.
>>>> >>
>>>> >>
>>>> >> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
>>>> >> <michael.schacht.hansen at gmail.com> wrote:
>>>> >> > Hi,
>>>> >> >
>>>> >> > I have been using buildbot a while now, it has been a great help to our
>>>> >> > project.
>>>> >> >
>>>> >> > I am looking to add some sophistication to our setup and I am considering
>>>> >> > running the buildslaves in a chroot environment to a) be able to build for
>>>> >> > multiple distros/releases on the same host, b) isolate the build slaves from
>>>> >> > the main system, and c) run a few build steps as root (we generate some
>>>> >> > distribution images and root privileges are needed to run some of the tools,
>>>> >> > e.g. debootstrap and others).
>>>> >> >
>>>> >> > In my buildslaves I need access to the /proc filesystem (for some GPU unit
>>>> >> > tests), so I mount that in the chroot environment, but other than that the
>>>> >> > slave does not have access to the main system.
>>>> >> >
>>>> >> > My question is, is this safe? Are there any security issues with running in
>>>> >> > a chroot jail or is it inherently safer than running it in the main
>>>> >> > system?
>>>> >> >
>>>> >> > Thanks,
>>>> >> > Michael
>>>> >> > _______________________________________________
>>>> >> > Buildbot-devel mailing list
>>>> >> > Buildbot-devel at lists.sourceforge.net
>>>> >> > https://lists.sourceforge.net/lists/listinfo/buildbot-devel
>>>> >> >
>>>> >
>>>> >
>>>>
>>>
>>>
>
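As an added illustration of Dan's point about uid namespaces (example code, not from anyone in the thread): a build step that sees itself as uid 0 can tell real root from namespaced root by reading /proc/self/uid_map. In the host's initial namespace the map is the identity `0 0 4294967295`, so root inside a plain chroot is root on the host, while an unprivileged lxc container maps uid 0 onto an unprivileged host range. The sample maps below are constructed.

```shell
#!/bin/sh
# Added example, not code from the Buildbot thread. Classifies a uid_map as
# found in /proc/<pid>/uid_map. Each line is "<inside-uid> <outside-uid> <count>".
# In the initial (host) user namespace the map is the identity "0 0 4294967295",
# so uid 0 inside a chroot is uid 0 on the host: a chroot alone adds no
# privilege boundary. An unprivileged lxc container with a uid namespace maps
# uid 0 to an unprivileged host range, e.g. "0 100000 65536".

# Constructed sample maps (not captured from a real host or container).
HOST_MAP="0 0 4294967295"
CONTAINER_MAP="0 100000 65536"

# uid_map_status MAP
#   prints real-root      if uid 0 inside maps to uid 0 outside
#          remapped-root  if uid 0 inside maps to a non-zero outside uid
#          unmapped       if no mapping line covers inside uid 0 at all
uid_map_status() {
    status=unmapped
    # here-document rather than a pipe, so the loop runs in the current shell
    while read -r inside outside count; do
        if [ -z "$inside" ]; then
            continue
        fi
        # ranges start at inside uid >= 0, so only a range starting at 0 covers root
        if [ "$inside" -eq 0 ] && [ "$count" -gt 0 ]; then
            if [ "$outside" -eq 0 ]; then
                status=real-root
            else
                status=remapped-root
            fi
        fi
    done <<EOF
$1
EOF
    echo "$status"
}

# Inspect the calling process when run on Linux (skipped where /proc is absent).
if [ -r /proc/self/uid_map ]; then
    printf 'this process: uid=%s, root mapping=%s\n' \
        "$(id -u)" "$(uid_map_status "$(cat /proc/self/uid_map)")"
fi
```

Run inside a buildslave's build step: `real-root` together with uid 0 means the step holds host root regardless of the chroot; `remapped-root` means the uid namespace Dan mentions is in effect.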