continuum-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Porter <>
Subject Re: Running continuum builds in a isolated environment
Date Fri, 18 Apr 2008 09:54:02 GMT

On 18/04/2008, at 12:43 AM, Carlos Sanchez wrote:

> For those that haven't seen yet CONTINUUM-1731 i'm working on getting
> continuum builds to run isolated from other builds and from the
> original server system, and to prevent malicious builds/scripts from
> doing damage or accessing other builds data in the filesystem
> I'm creating a chroot jail per project group and before each build
> invocation continuum will chroot there (possibly combining with user
> permissions too) so what the build is going to see is a fake
> filesystem shared only with the other projects in the same project
> group.

Is there any way to jail one filesystem and not another? So you could  
access /usr, /opt and rely on the permissions there, but isolate the  
working copy (and make sure the installation cannot be seen).

> Setting up the server is quite a pita, you need a chroot directory per
> project group with copies of all the authorized programs (java, maven,
> svn,...) and the libraries used. There's going to be a maven repo for
> each project group too, so the disk space used is going to grow fairly
> quickly. I think I got it mostly setup now, but it's very server
> dependent. Now i'm working on executing the chroot before the build is
> called, it requires some changes in the way the working directory is
> selected.

Can you elaborate on the selection of the working directory? I was  
starting to play around with pulling the SCM code into it's own module  
and making the checkouts a bit smarter (still thinking it through,  
will post something along the lines of the previous mail I sent about  
splitting the builder).

- Brett

> -- 
> I could give you my word as a Spaniard.
> No good. I've known too many Spaniards.
> -- The Princess Bride

Brett Porter

View raw message