[CI] Security


[CI] Security

Casey Ransberger-2
A friend of a friend passed along a valid concern today: Hudson/Jenkins can run arbitrary shell commands.

People all over the place are running public Hudson servers, so I don't think this is necessarily of *great* concern, I mean we can probably just run it in a chroot jail and call it golden.

That said, while I've set up several different CI solutions for internal use by software teams, it was always behind a corporate firewall. This will be my first world-facing adventure with continuous integration.

I think this is worth talking about. Does anyone here have any experience to share that we can potentially learn from?

Re: [CI] Security

Frank Shearar-3
On 23 June 2011 23:19, Casey Ransberger <[hidden email]> wrote:
> A friend of a friend passed along a valid concern today: Hudson/Jenkins can run arbitrary shell commands.
>
> People all over the place are running public Hudson servers, so I don't think this is necessarily of *great* concern, I mean we can probably just run it in a chroot jail and call it golden.
>
> That said, while I've set up several different CI solutions for internal use by software teams, it was always behind a corporate firewall. This will be my first world-facing adventure with continuous integration.
>
> I think this is worth talking about. Does anyone here have any experience to share that we can potentially learn from?

I suppose we have to ask what we want out of the CI - do we want
pretty web pages with red and blue icons? Would a simple mail on a
breaking build be sufficient for our needs? (Or a mail for a
successful one: noisier, but allows one to distinguish between a
working build and a dead CI server.)

If that's all that's needed, then I suspect one could do something
like run the Hudson installation on a local port, and have people use
ssh forwarding: ssh -L 8000:foo.bar.com:9090 [hidden email] and then
you can go to http://localhost:8000/.

Not undoably bad for the CI admin. If we want to serve up "this is how
things are going" on a web page, I _guess_ we could do that with
Apache RewriteRule-fu. Anyone clued up on that?

frank


Re: [CI] Security

Yanni Chiu
In reply to this post by Casey Ransberger-2
On 23/06/11 6:19 PM, Casey Ransberger wrote:
> A friend of a friend passed along a valid concern today: Hudson/Jenkins can run arbitrary shell commands.

Yes, the configuration of a Hudson/Jenkins job allows shell commands.
But, changing the job configuration normally requires a user login. To
monitor build status and download build artifacts from the server, does
NOT require any login.



Re: [CI] Security

Yanni Chiu
In reply to this post by Frank Shearar-3
On 24/06/11 8:17 AM, Frank Shearar wrote:
>
> I suppose we have to ask what we want out of the CI - do we want
> pretty web pages with red and blue icons? Would a simple mail on a
> breaking build be sufficient for our needs? (Or a mail for a
> successful one: noisier, but allows one to distinguish between a
> working build and a dead CI server.)

People can get an RSS feed for all builds, failed builds, etc.

> If that's all that's needed, then I suspect one could do something
> like run the Hudson installation on a local port, and have people use
> ssh forwarding: ssh -L 8000:foo.bar.com:9090 [hidden email] and then
> you can go to http://localhost:8000/.

I don't understand why this is needed.

> Not undoably bad for the CI admin. If we want to serve up "this is how
> things are going" on a web page, I _guess_ we could do that with
> Apache RewriteRule-fu. Anyone clued up on that?

I don't understand why any web page development is needed.
Hudson/Jenkins has a web UI already. Just open up a firewall portno for
whichever portno it's listening on.

However, a nicer configuration would be to set "ci.squeak.org" to
redirect to localhost:8080 (or whatever portno it's set to use).



Re: [CI] Security

Frank Shearar-3
On 24 June 2011 19:50, Yanni Chiu <[hidden email]> wrote:

> On 24/06/11 8:17 AM, Frank Shearar wrote:
>>
>> I suppose we have to ask what we want out of the CI - do we want
>> pretty web pages with red and blue icons? Would a simple mail on a
>> breaking build be sufficient for our needs? (Or a mail for a
>> successful one: noisier, but allows one to distinguish between a
>> working build and a dead CI server.)
>
> People can get an RSS feed for all builds, failed builds, etc.
>
>> If that's all that's needed, then I suspect one could do something
>> like run the Hudson installation on a local port, and have people use
>> ssh forwarding: ssh -L 8000:foo.bar.com:9090 [hidden email] and then
>> you can go to http://localhost:8000/.
>
> I don't understand why this is needed.

Because then you're relying on ssh keys to authenticate a user, not
some flakey userland authentication scheme. And because then those
with shell access can use the web UI without exposing Hudson to
attack.

Also, because the owner of the server on my jail won't permit an
exposed Hudson, precisely because of the kinds of things Hudson can
do.

>> Not undoably bad for the CI admin. If we want to serve up "this is how
>> things are going" on a web page, I _guess_ we could do that with
>> Apache RewriteRule-fu. Anyone clued up on that?
>
> I don't understand why any web page development is needed. Hudson/Jenkins
> has a web UI already. Just open up a firewall portno for whichever portno
> it's listening on.

I'm not talking about web page development. I'm talking about
selectively exposing read-only status pages.

> However, a nicer configuration would be to set "ci.squeak.org" to redirect
> to localhost:8080 (or whatever portno it's set to use).

That's not a bad idea!

frank
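
Selectively exposing read-only status pages, as discussed in the message above, comes down to an allowlist decision made in front of Hudson. The following is an added example, not code from anyone in this thread: the function name, the job name `SqueakTrunk`, and the choice of which Hudson/Jenkins URL shapes count as read-only (status, RSS, console and artifact views) are assumptions.

```python
import re
from urllib.parse import unquote

READ_METHODS = {"GET", "HEAD"}
JOB = r"/job/[\w.-]+"                      # one job-name segment, no slashes
BUILD = r"(\d+|lastBuild|lastSuccessfulBuild)"

# Assumed allowlist: views that only report status or serve build output.
ALLOWED = [re.compile(p, re.ASCII) for p in (
    r"/",
    r"/rss(All|Failed)",
    r"/static/[\w./-]+",
    JOB + r"/",
    JOB + r"/rss(All|Failed)",
    JOB + r"/" + BUILD + r"/(console(Text)?)?",
    JOB + r"/" + BUILD + r"/artifact/[\w./-]+",
)]

def is_public_request(method: str, target: str) -> bool:
    """Return True only for read-only requests to allowlisted status paths."""
    if method.upper() not in READ_METHODS:
        return False  # POST etc. can trigger builds or change configuration
    if not target.startswith("/") or target.startswith("//"):
        return False  # accept origin-form request targets only
    path = unquote(target.partition("?")[0])
    # Decode once; anything still encoded, or any traversal or path-parameter
    # form, is refused rather than normalised, so the front end and Hudson
    # can never disagree about which resource is being requested.
    if any(bad in path for bad in ("%", "..", "//", ";", "\\")):
        return False
    return any(p.fullmatch(path) for p in ALLOWED)

if __name__ == "__main__":
    # Constructed sample requests; "SqueakTrunk" is a made-up job name.
    for method, target in [
        ("GET", "/job/SqueakTrunk/42/console"),
        ("GET", "/job/SqueakTrunk/configure"),
        ("POST", "/job/SqueakTrunk/build"),
        ("GET", "/job/SqueakTrunk/%2e%2e/script"),
    ]:
        print(method, target, "->", is_public_request(method, target))
```

Everything not matched is denied by default, so job configuration and administrative pages stay reachable only from the host itself or over the ssh tunnel.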


Re: [CI] Security

Hannes Hirzel
Is there any news about setting up CI?

--Hannes

On 6/24/11, Frank Shearar <[hidden email]> wrote:

> On 24 June 2011 19:50, Yanni Chiu <[hidden email]> wrote:
>> On 24/06/11 8:17 AM, Frank Shearar wrote:
>>>
>>> I suppose we have to ask what we want out of the CI - do we want
>>> pretty web pages with red and blue icons? Would a simple mail on a
>>> breaking build be sufficient for our needs? (Or a mail for a
>>> successful one: noisier, but allows one to distinguish between a
>>> working build and a dead CI server.)
>>
>> People can get an RSS feed for all builds, failed builds, etc.
>>
>>> If that's all that's needed, then I suspect one could do something
>>> like run the Hudson installation on a local port, and have people use
>>> ssh forwarding: ssh -L 8000:foo.bar.com:9090 [hidden email] and then
>>> you can go to http://localhost:8000/.
>>
>> I don't understand why this is needed.
>
> Because then you're relying on ssh keys to authenticate a user, not
> some flakey userland authentication scheme. And because then those
> with shell access can use the web UI without exposing Hudson to
> attack.
>
> Also, because the owner of the server on my jail won't permit an
> exposed Hudson, precisely because of the kinds of things Hudson can
> do.
>
>>> Not undoably bad for the CI admin. If we want to serve up "this is how
>>> things are going" on a web page, I _guess_ we could do that with
>>> Apache RewriteRule-fu. Anyone clued up on that?
>>
>> I don't understand why any web page development is needed. Hudson/Jenkins
>> has a web UI already. Just open up a firewall portno for whichever portno
>> it's listening on.
>
> I'm not talking about web page development. I'm talking about
> selectively exposing read-only status pages.
>
>> However, a nicer configuration would be to set "ci.squeak.org" to redirect
>> to localhost:8080 (or whatever portno it's set to use).
>
> That's not a bad idea!
>
> frank
>
>