Thanks for your reply.  I discovered by trial and error today what you said
about using FilePath.  I changed all my java.io usage to FilePath and used
a MasterToSlaveFileCallable subclass to accomplish my goal.  What was not
intuitive to me was that my Builder code is executed on master, while the
process I invoked using the launcher ran on the slave.  I assumed that all
the instructions of my Builder were executing on the slave.  I ran into a
problem when code in my Builder needed to use a java.io.File object in the
Builder to reference the output file of the process I launched with the
launcher, and so the java.io.File did not exist as far as the Builder was
concerned.  Am I interpreting what I'm seeing correctly?

Regarding what you said about secrets, I ended up passing a decrypted
java.security.Key instance through a FileCallable to the slave.  Would that
ever be written to disk?  I could alternatively look up the private key
from within the FileCallable, but I believe that would result in the
Credentials plugin sending the key store password secret over the wire
anyway.  What should I do to maximize the security and minimize assumptions
about the way my Builder is run?

Thanks.

Robert

On Thu, Jan 5, 2017 at 3:12 PM, Jesse Glick <jgl...@cloudbees.com> wrote:

> On Tue, Dec 27, 2016 at 12:54 PM, Robert St. John <restj...@gmail.com>
> wrote:
> > I am using the Credentials plugin to load a keystore from a
> > StandardCertificateCredential, which as I understand ultimately uses
> > FilePath to load the keystore from the master node.
>
> Yes, existing Jenkins code does send secrets over the wire to agents,
> if they are being used for a build run on that agent. In general this
> is unavoidable; in many cases the secrets will in fact wind up on disk
> on the agent for the duration of the build, or be accessible from
> `/proc`.
>
> If you wish to protect secrets from access by other builds, you have
> no choice but to ensure either that each build runs on a “one-shot”
> agent running in a container/VM (the Docker cloud model); or that each
> build is somehow required to run all its build steps inside a fresh
> container/VM even when the agent is reused (the Docker Pipeline model,
> with restricted scripts).
>
> And yes you must use `FilePath` for all file operations relating to
> workspaces. You can use `act` to perform a chunk of work remotely in
> the interests of efficiency.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Jenkins Developers" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/jenkinsci-dev/xdyw9Jo4Fug/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/jenkinsci-dev/CANfRfr3gqj2OuSNdKeH5MNRrhACFpyLi-N5%2BLBHMeNdvj272rQ%
> 40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>
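
The master/agent split discussed in this thread, as an added example that is not code from either poster or from Jenkins itself: `perform()` runs on the master, the launched process runs on the agent, and the output file is read on the agent through `FilePath.act` so that only a digest returns to the master. The class name `HashOutputBuilder`, the `produce-output` command and the `out.bin` file name are hypothetical; the class compiles against Jenkins core, and the `Descriptor` a real plugin needs is left out.

```java
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.remoting.VirtualChannel;
import hudson.tasks.Builder;
import jenkins.MasterToSlaveFileCallable;
import jenkins.tasks.SimpleBuildStep;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashOutputBuilder extends Builder implements SimpleBuildStep {
    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher,
                        TaskListener listener) throws InterruptedException, IOException {
        // perform() executes in the master JVM; only the launched process runs on the agent.
        int rc = launcher.launch().cmds("produce-output", "out.bin") // hypothetical tool
                .pwd(workspace).stdout(listener).join();
        if (rc != 0) throw new IOException("produce-output exited with " + rc);

        // new File(workspace.getRemote(), "out.bin") would be resolved on the master's disk.
        FilePath output = workspace.child("out.bin");
        String digest = output.act(new Sha256Callable());
        listener.getLogger().println("SHA-256 of out.bin: " + digest);
    }

    // Serialized to the agent; invoke() runs there, where java.io.File is valid.
    private static final class Sha256Callable extends MasterToSlaveFileCallable<String> {
        private static final long serialVersionUID = 1L;
        @Override
        public String invoke(File f, VirtualChannel channel) throws IOException {
            try (InputStream in = Files.newInputStream(f.toPath())) {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
                StringBuilder hex = new StringBuilder();
                for (byte b : md.digest()) hex.append(String.format("%02x", b));
                return hex.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new IOException(e);
            }
        }
    }
}
```

Any non-transient field added to the callable is serialized and sent to the agent along with it, which is the path a key passed through a FileCallable takes.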
