On Wed, Dec 23, 2015 at 01:13PM, Roman Shaposhnik wrote:
> On Wed, Dec 23, 2015 at 12:34 PM, Konstantin Boudnik <[email protected]> wrote:
> > Guys,
> >
> > I've been trying to replicate our CI elsewhere and here's a couple of
> > observations and proposed fixes that might do such things easier in the
> > future.
> >
> > 1. Running build as root inside of the docker container.
> >
> > This seems like a real issue, especially considering that we have always
> > advocated to stay away from such practice. Unfortunately, adding
> >     -u jenkins:jenkins
> > to docker run snags on a couple of points
>
> Can you elaborate on this?
After 2 days I suddenly understood what you were asking me about ;) There's not a single JIRA in my original email that is clearly connected to the snags.

The main issue is that running a build inside of a container (as a non-root user) is in jeopardy of folder permissions, used as a volume in the container. One way around it, as we have discussed off-line last night, is to create the effective user inside of the container dynamically. This is a hack, of course, but in reality the whole docker is a chroot hack, so how much worse could it be, right? There are some potential security implications in an approach like this, but considering that we are running a pretty tight ship, controlling the CI environment, we should be fine.

Cos
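What the two messages above describe, as an added example that is not code from this thread or from the project's CI: a container entrypoint that creates an unprivileged build user at start-up with the UID/GID of whoever owns the bind-mounted workspace, then drops root before running the build. This sidesteps the snag with a static `-u jenkins:jenkins` (the user must already exist in the image and its UID must match the volume owner) while keeping the build itself off root. The mount point `BUILD_WORKSPACE` (default `/workspace`), the user name `builder`, the presence of shadow-utils (`groupadd`/`useradd`), `getent` and `su` in the image, and the convention that the script only acts as an entrypoint when invoked as `entrypoint.sh` are all my assumptions; the helper functions are plain shell so they can be checked on the host without root.

```shell
#!/bin/sh
# Added example, not from the thread or the project: dynamic non-root build
# user inside a container, matched to the owner of the mounted workspace.
# Assumptions (mine): workspace mounted at $BUILD_WORKSPACE, image provides
# groupadd/useradd/getent/su, and the entrypoint starts as root (docker default)
# so that it can create the user and then drop privileges.
set -eu

BUILD_WORKSPACE="${BUILD_WORKSPACE:-/workspace}"

# Print "UID GID" of the owner of a path, numerically. `ls -n` is POSIX,
# unlike the GNU/BSD-specific flags of stat(1).
workspace_ids() {
    ls -ldn "$1" | awk '{ print $3, $4 }'
}

# Refuse UID 0: a workspace owned by root must not silently turn the build
# back into a root build, which is exactly what the thread wants to avoid.
acceptable_uid() {
    [ "$1" -ne 0 ]
}

# Emit (not execute) the commands that create the group and user for the
# given ids, so the privileged step can be inspected and unit-tested.
# Existing entries are reused, which keeps repeated container starts idempotent.
user_setup_commands() {
    uid="$1"; gid="$2"; name="${3:-builder}"
    printf 'getent group %s >/dev/null || groupadd -g %s %s\n' \
        "$gid" "$gid" "$name"
    printf 'getent passwd %s >/dev/null || useradd -u %s -g %s -M -d %s -s /bin/sh %s\n' \
        "$uid" "$uid" "$gid" "$BUILD_WORKSPACE" "$name"
}

# Entrypoint proper: derive ids from the volume, create the user, drop root.
main() {
    ids=$(workspace_ids "$BUILD_WORKSPACE")
    uid=${ids% *}; gid=${ids#* }
    if ! acceptable_uid "$uid"; then
        echo "refusing to run the build as root (workspace owned by uid $uid)" >&2
        exit 1
    fi
    user_setup_commands "$uid" "$gid" builder | sh -e
    # su's "--" passes the remaining arguments as positional params of -c,
    # where $0 is the first one; this avoids re-quoting the build command.
    exec su -s /bin/sh builder -c 'cd "$BUILD_WORKSPACE" && exec "$0" "$@"' -- "$@"
}

# Only act as an entrypoint when invoked under that name, e.g.
#   ENTRYPOINT ["/entrypoint.sh"]  then  docker run -v "$PWD:/workspace" img ./gradlew build
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

On the host side nothing changes except that the Jenkins workspace is mounted as before; whoever owns it on the host becomes the build user inside the container. If the image already ships a `jenkins` user, pass that name as the third argument of `user_setup_commands` instead of `builder`.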