continuum-dev mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: Running continuum builds in a isolated environment
Date Sun, 27 Apr 2008 07:00:54 GMT
ping?

On 18/04/2008, at 5:54 PM, Brett Porter wrote:

>
> On 18/04/2008, at 12:43 AM, Carlos Sanchez wrote:
>
>> For those that haven't seen CONTINUUM-1731 yet, I'm working on getting
>> continuum builds to run isolated from other builds and from the
>> original server system, and to prevent malicious builds/scripts from
>> doing damage or accessing other builds' data in the filesystem.
>>
>> I'm creating a chroot jail per project group and before each build
>> invocation continuum will chroot there (possibly combining with user
>> permissions too) so what the build is going to see is a fake
>> filesystem shared only with the other projects in the same project
>> group.
>
> Is there any way to jail one filesystem and not another? So you  
> could access /usr, /opt and rely on the permissions there, but  
> isolate the working copy (and make sure the installation cannot be  
> seen).
>
>>
>>
>> Setting up the server is quite a pita, you need a chroot directory per
>> project group with copies of all the authorized programs (java, maven,
>> svn,...) and the libraries used. There's going to be a maven repo for
>> each project group too, so the disk space used is going to grow fairly
>> quickly. I think I got it mostly set up now, but it's very server
>> dependent. Now I'm working on executing the chroot before the build is
>> called, it requires some changes in the way the working directory is
>> selected.
>
> Can you elaborate on the selection of the working directory? I was
> starting to play around with pulling the SCM code into its own
> module and making the checkouts a bit smarter (still thinking it
> through, will post something along the lines of the previous mail I
> sent about splitting the builder).
>
> - Brett
>
>>
>>
>>
>>
>> -- 
>> I could give you my word as a Spaniard.
>> No good. I've known too many Spaniards.
>> -- The Princess Bride
>
> --
> Brett Porter
> brett@apache.org
> http://blogs.exist.com/bporter/
>

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/
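
The jail setup described in the quoted text above (one chroot directory per project group, holding copies of the authorized programs and the libraries they use), as an added example that is not part of the original thread or of Continuum's code. The jail paths, the 0750 directory mode and the use of `ldd` to find libraries are assumptions.

```shell
#!/bin/sh
# Added example: fill one chroot jail per project group with copies of the
# authorized programs and the shared libraries they load.
# Assumptions (not from the thread): ldd is used to find libraries, the jail
# directory gets mode 0750, and paths such as /srv/jails/group-a are made up.

# Print the absolute paths of the shared objects a binary needs.
# Prints nothing for a static binary or when ldd is not installed.
list_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    { ldd "$1" 2>/dev/null || true; } |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy one file into the jail at the same absolute path, following symlinks.
# cp without -p does not preserve the original ownership.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp -L -f "$2" "$1$2"
}

# populate_jail JAIL_DIR PROGRAM...
populate_jail() {
    jail=$1; shift
    mkdir -p "$jail" && chmod 750 "$jail" || return 1
    for prog in "$@"; do
        [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
        copy_into_jail "$jail" "$prog" || return 1
        for lib in $(list_libs "$prog"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# Count setuid/setgid files left in the jail; a build jail should have none.
count_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Example call (hypothetical paths):
#   populate_jail /srv/jails/group-a /usr/bin/java /usr/bin/svn
```

`ldd` can end up executing code from the file it inspects, so run this only on the administrator-chosen programs, never on build output.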
