ping?
On 18/04/2008, at 5:54 PM, Brett Porter wrote:
On 18/04/2008, at 12:43 AM, Carlos Sanchez wrote:
For those that haven't seen yet CONTINUUM-1731 i'm working on getting
continuum builds to run isolated from other builds and from the
original server system, and to prevent malicious builds/scripts from
doing damage or accessing other builds data in the filesystem
I'm creating a chroot jail per project group and before each build
invocation continuum will chroot there (possibly combining with user
permissions too) so what the build is going to see is a fake
filesystem shared only with the other projects in the same project
group.
Is there any way to jail one filesystem and not another? So you
could access /usr, /opt and rely on the permissions there, but
isolate the working copy (and make sure the installation cannot be
seen).
Setting up the server is quite a pita, you need a chroot directory
per
project group with copies of all the authorized programs (java,
maven,
svn,...) and the libraries used. There's going to be a maven repo for
each project group too, so the disk space used is going to grow
fairly
quickly. I think I got it mostly setup now, but it's very server
dependent. Now i'm working on executing the chroot before the build
is
called, it requires some changes in the way the working directory is
selected.
Can you elaborate on the selection of the working directory? I was
starting to play around with pulling the SCM code into it's own
module and making the checkouts a bit smarter (still thinking it
through, will post something along the lines of the previous mail I
sent about splitting the builder).
- Brett
--
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
-- The Princess Bride
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
