From car...@apache.org
Subject svn commit: r663792 - in /continuum/trunk: continuum-core/src/main/java/org/apache/maven/continuum/execution/ continuum-docs/src/site/ continuum-docs/src/site/apt/administrator_guides/ continuum-webapp/src/main/webapp/WEB-INF/
Date Fri, 06 Jun 2008 00:17:24 GMT
Author: carlos
Date: Thu Jun  5 17:17:18 2008
New Revision: 663792

URL: http://svn.apache.org/viewvc?rev=663792&view=rev
Log:
[CONTINUUM-1731] Add docs for chroot jail feature

Added:
    continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt   (with props)
Modified:
    continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/execution/AbstractBuildExecutor.java
    continuum/trunk/continuum-docs/src/site/site.xml
    continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/applicationContext.xml

Modified: continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/execution/AbstractBuildExecutor.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/execution/AbstractBuildExecutor.java?rev=663792&r1=663791&r2=663792&view=diff
==============================================================================
--- continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/execution/AbstractBuildExecutor.java
(original)
+++ continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/execution/AbstractBuildExecutor.java
Thu Jun  5 17:17:18 2008
@@ -255,6 +255,9 @@
             {
                 StringBuilder sb = new StringBuilder();
                 sb.append( CHROOT_EXECUTABLE );
+                // TODO see CONTINUUM-1731
+                //sb.append( "su" );
+                //sb.append( username );
                 sb.append( " " );
                 sb.append( new File( chrootJailDirectory, project.getGroupId() ) );
                 sb.append( " " );
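Review bot: The commented-out `su` lines after `sb.append( CHROOT_EXECUTABLE )` would not work if simply uncommented, because they append `su` and the username with no separating spaces and ahead of the jail directory argument. The TODO should state what is still missing instead of only pointing at the issue, for example `// TODO CONTINUUM-1731: the build must switch to an unprivileged user inside the jail; not implemented yet`. Separately, `project.getGroupId()` is concatenated into the command string as a path under `chrootJailDirectory`; unless it is validated elsewhere, a group id containing `..` or whitespace would presumably select a different directory or change the command, so it should be checked against a strict pattern before the string is built. The enclosing method starts and ends outside the hunk.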

Added: continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt?rev=663792&view=auto
==============================================================================
--- continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt (added)
+++ continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt Thu Jun  5
17:17:18 2008
@@ -0,0 +1,90 @@
+ ------
+ Running builds in a chroot jail
+ ------
+ Carlos Sanchez
+ ------
+ June 5 2008
+ ------
+
+Running builds in chroot jail
+
+ Feature not yet finished! See {{{http://jira.codehaus.org/browse/CONTINUUM-1731}CONTINUUM-1731}}
+
+ You could make continuum run the builds in each project group in a separate chroot jail
so they don't interfere with each other
+ for security and stability issues. It requires a fair amount of work to setup the system.
+
+ There are still some security concerns. The user could escape the chroot jail.
+
+
+Creating a chroot jail
+
+ Installed {{{http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.bz2}jailkit}}
+ ( {{{http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html}howto}} )
+
+ Add chroot to /etc/sudoers and comment out requiretty
+
++----------------------------+
+ jetty ALL=NOPASSWD:/usr/sbin/chroot
++----------------------------+
+
+
+  Add /usr/sbin to the PATH in /home/jetty/.bash_profile
+
+Create the jail
+
++----------------------------+
+export JAIL=/home/jail/org.apache.continuum
+jk_init -v -j $JAIL basicshell netbasics
+jk_cp -j $JAIL /bin/uname
+jk_cp -j $JAIL /usr/bin/expr
+jk_cp -j $JAIL /usr/bin/dirname
+jk_cp -j $JAIL /usr/bin/which
+jk_cp -j $JAIL /bin/env
+jk_cp -j $JAIL /bin/su
+ 
+cd $JAIL
+
+# devices
+mkdir proc
+mount -t proc /proc proc
+mkdir dev
+mknod dev/null c 1 3
+mknod dev/zero c 1 5
+chmod a=rw dev/null dev/zero
+
+# Java
+cp -r /usr/java usr
+ln -s /usr/java/default/bin/java bin/
+ln -s /usr/java/default/bin/javac bin/
+cd lib
+for f in `find /usr/java/default/jre/lib/i386 -maxdepth 1 -iname "*.so*"`; do ln -s $f ;
done
+ln -s /usr/java/default/jre/lib/i386/jli/libjli.so
+ln -s /usr/java/default/jre/lib/i386
+cp /lib/libm.so.6  .
+
+# Maven
+mkdir -p usr/share
+cp -r /usr/share/apache-maven-2.0.9 usr/share
+ln -s /usr/share/apache-maven-2.0.9/bin/mvn bin/mvn
+
+sudo /usr/sbin/chroot $JAIL /bin/bash
+
+# env
+export M2_HOME=/usr/share/apache-maven-2.0.9
+export JAVA_HOME=/usr/java/default
+
++----------------------------+
+
+
+Configuring continuum webapp
+
+  Uncomment the following lines in WEB-INF/applicationContext.xml
+
++----------------------------+
+  <!-- to run builds in a chroot jail environment
+       note this is not secure yet, see http://jira.codehaus.org/browse/CONTINUUM-1731 
+  <bean name="chrootJailDirectory" class="java.io.File">
+    <constructor-arg value="/home/jail"/>
+  </bean>
+  <bean id="workingDirectoryService" class="org.apache.maven.continuum.utils.ChrootJailWorkingDirectoryService"
autowire="byName"/>
++----------------------------+

Propchange: continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: continuum/trunk/continuum-docs/src/site/apt/administrator_guides/chroot.apt
------------------------------------------------------------------------------
    svn:keywords = "Author Date Id Revision"

Modified: continuum/trunk/continuum-docs/src/site/site.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-docs/src/site/site.xml?rev=663792&r1=663791&r2=663792&view=diff
==============================================================================
--- continuum/trunk/continuum-docs/src/site/site.xml (original)
+++ continuum/trunk/continuum-docs/src/site/site.xml Thu Jun  5 17:17:18 2008
@@ -120,6 +120,7 @@
         <item name="Build Definition Template" href="documentation/1_1/administrator_guides/builddefTemplate.html"/>
         <item name="Shutdown Continuum" href="documentation/1_1/administrator_guides/shutdown.html"/>
         <item name="Managing Queues" href="documentation/1_1/administrator_guides/queues.html"/>

+        <item name="Running builds in chroot jail" href="documentation/1_1/administrator_guides/chroot.html"/>
       </item>
       <item name="Developer's Guides" href="documentation/1_1/developer_guides/index.html"
collapse="true">
         <!-- item name="SVN repository structure" href="documentation/1_1/developer_guides/svn.html"/
-->

Modified: continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/applicationContext.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/applicationContext.xml?rev=663792&r1=663791&r2=663792&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/applicationContext.xml (original)
+++ continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/applicationContext.xml Thu Jun
 5 17:17:18 2008
@@ -25,6 +25,7 @@
   </bean>
 
   <!-- to run builds in a chroot jail environment
+       note this is not secure yet, see http://jira.codehaus.org/browse/CONTINUUM-1731 
   <bean name="chrootJailDirectory" class="java.io.File">
     <constructor-arg value="/home/jail"/>
   </bean>
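Review bot: The added warning `note this is not secure yet` does not tell an administrator what the risk is or what to avoid before enabling these beans. The documentation added in the same commit says the user could escape the chroot jail, so the comment could say that directly, for example `note: not secure yet, a build can still escape the jail; do not rely on this to isolate untrusted projects, see CONTINUUM-1731`. The comment block opens inside the hunk and its closing `-->` lies outside it.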


