Date: Fri, 25 Dec 2015 20:48:20 -0800
From: Konstantin Boudnik
To: dev@bigtop.apache.org, user@bigtop.apache.org
Subject: Re: CI improvements [Was: The state of new CI]
Message-ID: <20151226044820.GB4288@tpx>
References: <20151223203434.GC10680@tpx>
X-PGP-Key: http://www.boudnik.org/~cos/pubkey.asc

On Wed, Dec 23, 2015 at 01:13PM, Roman Shaposhnik wrote:
> On Wed, Dec 23, 2015 at 12:34 PM, Konstantin Boudnik wrote:
> > Guys,
> >
> > I've been trying to replicate our CI elsewhere and here's a couple of
> > observations and proposed fixes that might make such things easier in the
> > future.
> >
> > 1. Running the build as root inside of the docker container.
> >
> > This seems like a real issue, especially considering that we have always
> > advocated to stay away from such a practice. Unfortunately, adding
> >     -u jenkins:jenkins
> > to docker run snags on a couple of points
>
> Can you elaborate on this?

After 2 days I suddenly understood what you were asking me about ;)

There's not a single JIRA in my original email that is clearly connected to
the snags. The main issue is that running a build inside of a container (as a
non-root user) is in jeopardy of folder permissions, used as a volume in the
container. One way around it, as we have discussed off-line last night, is to
create the effective user inside of the container dynamically. This is a hack,
of course, but in reality the whole docker is a chroot hack, so how much worse
could it be, right?

There are some potential security implications in an approach like this, but
considering that we are running a pretty tight ship, controlling the CI
environment, we should be fine.

Cos
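The workaround Cos describes, creating the effective user inside the container dynamically so the build can drop root yet still write to the bind-mounted volume, sketched as a container entrypoint. This is an added example, not Bigtop's CI code: the workspace path `/ws` (override with `WS_DIR`), the fallback account name `jenkins`, and the presence of GNU `stat`, shadow-utils `groupadd`/`useradd` and `su` in the image are assumptions. The user-creation step is kept as a pure planning function that only emits commands, so the uid/gid matching logic can be checked without root, and a root-owned volume is refused rather than silently turned into a root build.

```shell
#!/bin/sh
# Entrypoint: match the build user to the bind-mounted workspace owner,
# then drop root before running the build command.
# Added example, not Bigtop's code; WS_DIR and DEFAULT_USER are assumptions.
set -eu

WS_DIR="${WS_DIR:-/ws}"   # assumed mount point of the CI workspace volume
DEFAULT_USER="jenkins"    # account name used when the volume's ids are unknown

# Print "uid gid" of the path's owner; the volume keeps the host's numeric ids.
owner_ids() { stat -c '%u %g' "$1"; }

# Look up the account name for a numeric id in a passwd/group-style file.
name_for_id() {  # $1 = id, $2 = file
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$2"
}

# Emit the shell commands that make uid:gid resolve to a real account, plus
# a BUILD_USER= assignment. Runs nothing itself, so it is testable without
# root. Refuses uid 0: a root-owned volume must not mean a root build.
plan_user_setup() {  # $1 = uid, $2 = gid, $3 = passwd file, $4 = group file
    uid=$1 gid=$2
    if [ "$uid" -eq 0 ]; then
        echo "refusing to build as root (workspace owned by uid 0)" >&2
        return 1
    fi
    group=$(name_for_id "$gid" "$4")
    if [ -z "$group" ]; then
        group=$DEFAULT_USER
        echo "groupadd -g $gid $group"
    fi
    user=$(name_for_id "$uid" "$3")
    if [ -z "$user" ]; then
        user=$DEFAULT_USER
        echo "useradd -u $uid -g $gid -M -d $WS_DIR -s /bin/sh $user"
    fi
    echo "BUILD_USER=$user"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then exec "$@"; fi   # already unprivileged (-u)
    ids=$(owner_ids "$WS_DIR")
    plan=$(plan_user_setup "${ids% *}" "${ids#* }" /etc/passwd /etc/group)
    eval "$plan"                       # creates group/user if needed, sets BUILD_USER
    exec su -s /bin/sh -c "$*" "$BUILD_USER"   # drop root for the build itself
}

# Act as an entrypoint only when a build command was given.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because `useradd` reuses the volume's numeric uid and gid, files the build writes into the mount come out owned by the same host account that owns the workspace, which is the permission snag `-u jenkins:jenkins` alone runs into.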