bigtop-user mailing list archives

From Konstantin Boudnik <...@apache.org>
Subject Re: CI improvements [Was: The state of new CI]
Date Sat, 26 Dec 2015 04:48:20 GMT
On Wed, Dec 23, 2015 at 01:13PM, Roman Shaposhnik wrote:
> On Wed, Dec 23, 2015 at 12:34 PM, Konstantin Boudnik <cos@apache.org> wrote:
> > Guys,
> >
> > I've been trying to replicate our CI elsewhere and here's a couple of
> > observations and proposed fixes that might make such things easier in the
> > future.
> >
> > 1. Running build as root inside of the docker container.
> >
> >    This seems like a real issue, especially considering that we have always
> >    advocated to stay away from such practice. Unfortunately, adding
> >     -u jenkins:jenkins
> >    to docker run snags on a couple of points
> 
> Can you elaborate on this?

After 2 days I suddenly understood what you were asking me about ;) There's
not a single JIRA in my original email that is clearly connected to the snags.

The main issue is that running a build inside of a container (as a non-root
user) is in jeopardy of folder permissions, used as a volume in the
container. One way around it, as we have discussed off-line last night, is to
create an effective user inside of the container dynamically. This is a hack, of
course, but in reality the whole docker is a chroot hack, so how much worse
could it be, right?

There are some potential security implications in an approach like this, but
considering that we are running a pretty tight ship, controlling the
CI environment, we should be fine.

Cos
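
The dynamic-user workaround described in the message above, sketched as a container entrypoint. This is an added example, not code from the thread or from Bigtop; the WORKSPACE variable, the "builder" name, and the presence of GNU stat, getent and util-linux setpriv in the image are assumptions.

```sh
#!/bin/sh
# Added example: create the build user at container start so that it matches
# the owner of the bind-mounted workspace, then drop root before building.
# WORKSPACE, "builder" and the use of setpriv are assumptions.

# Print "uid:gid" of the directory mounted as a volume (GNU stat).
volume_owner() {
    stat -c '%u:%g' "$1"
}

# Accept only numeric, non-zero ids: a root-owned volume must not quietly
# turn the "non-root" build back into a root build.
check_owner() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    uid=${1%%:*}; gid=${1#*:}
    for id in "$uid" "$gid"; do
        case "$id" in ''|*[!0-9]*) return 1 ;; esac
        [ "$id" -ne 0 ] || return 1
    done
}

# /etc/passwd and /etc/group lines for the dynamically created user.
passwd_entry() { printf '%s:x:%s:%s::%s:/bin/sh\n' "$1" "$2" "$3" "$4"; }
group_entry()  { printf '%s:x:%s:\n' "$1" "$2"; }

main() {
    ws=${WORKSPACE:-/ws}
    [ "$(id -u)" -eq 0 ] || { echo "entrypoint must start as root" >&2; exit 1; }
    owner=$(volume_owner "$ws") || exit 1
    check_owner "$owner" || { echo "refusing owner $owner of $ws" >&2; exit 1; }
    uid=${owner%%:*}; gid=${owner#*:}
    # Add entries only when the image does not already know these ids.
    getent group "$gid" >/dev/null || group_entry builder "$gid" >> /etc/group
    getent passwd "$uid" >/dev/null ||
        passwd_entry builder "$uid" "$gid" "$ws" >> /etc/passwd
    export HOME="$ws"
    # Drop root for good; the build command never runs with uid 0.
    exec setpriv --reuid="$uid" --regid="$gid" --clear-groups "$@"
}

# Runs only when a command is passed, as "docker run <image> <cmd>" does.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The container is started without -u so the entrypoint can write the passwd and group entries; the window in which it holds root ends at the exec.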
