------
 Running builds in a chroot jail
 ------
 Carlos Sanchez
 ------
 June 5 2008
 ------

~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements.  See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership.  The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License.  You may obtain a copy of the License at
~~
~~   http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied.  See the License for the
~~ specific language governing permissions and limitations
~~ under the License.

Running builds in chroot jail

 Feature not yet finished! See {{{http://jira.codehaus.org/browse/CONTINUUM-1731}CONTINUUM-1731}}

 You could make continuum run the builds in each project group in a separate chroot jail so they don't interfere with each other
 for security and stability issues. It requires a fair amount of work to setup the system.

 There are still some security concerns. The user could escape the chroot jail.


Creating a chroot jail

 Installed {{{http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.bz2}jailkit}}
 ( {{{http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html}howto}} )

 Add chroot to /etc/sudoers and comment out requiretty

+----------------------------+
 jetty ALL=NOPASSWD:/usr/sbin/chroot
+----------------------------+


  Add /usr/sbin to the PATH in /home/jetty/.bash_profile

Create the jail

+----------------------------+
export JAIL=/home/jail/org.apache.continuum
jk_init -v -j $JAIL basicshell netbasics
jk_cp -j $JAIL /bin/uname
jk_cp -j $JAIL /usr/bin/expr
jk_cp -j $JAIL /usr/bin/dirname
jk_cp -j $JAIL /usr/bin/which
jk_cp -j $JAIL /bin/env
jk_cp -j $JAIL /bin/su
 
cd $JAIL

# devices
mkdir proc
mount -t proc /proc proc
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod a=rw dev/null dev/zero

# Java
cp -r /usr/java usr
ln -s /usr/java/default/bin/java bin/
ln -s /usr/java/default/bin/javac bin/
cd lib
for f in `find /usr/java/default/jre/lib/i386 -maxdepth 1 -iname "*.so*"`; do ln -s $f ; done
ln -s /usr/java/default/jre/lib/i386/jli/libjli.so
ln -s /usr/java/default/jre/lib/i386
cp /lib/libm.so.6  .

# Maven
mkdir -p usr/share
cp -r /usr/share/apache-maven-2.0.9 usr/share
ln -s /usr/share/apache-maven-2.0.9/bin/mvn bin/mvn

sudo /usr/sbin/chroot $JAIL /bin/bash

# env
export M2_HOME=/usr/share/apache-maven-2.0.9
export JAVA_HOME=/usr/java/default

+----------------------------+


Configuring continuum webapp

  Uncomment the following lines in WEB-INF/applicationContext.xml

+----------------------------+
  <!-- to run builds in a chroot jail environment
       note this is not secure yet, see http://jira.codehaus.org/browse/CONTINUUM-1731 
  <bean name="chrootJailDirectory" class="java.io.File">
    <constructor-arg value="/home/jail"/>
  </bean>
  <bean id="workingDirectoryService" class="org.apache.maven.continuum.utils.ChrootJailWorkingDirectoryService" autowire="byName"/>
+----------------------------+