jenkins-autoarmor's Introduction

AutoArmor

AutoArmor is a Jenkins plugin to isolate Jenkins jobs from each other and from the system using AppArmor.

Installation

Build the plugin using Maven, and install it on the Jenkins master.
Then on all the Jenkins slaves that you want to protect:

Install AppArmor,
Build the autoarmor-genprof and autoarmor-wrapper helpers using CMake
Install both tools in the system PATH, and set the autoarmor-genprof helper setuid-root

And finally in the Jenkins master's system configuration set the AppArmor mode to Enforce to start using AppArmor.

AppArmor profile configuration

autoarmor-genprof will generate AppArmor profiles on the fly for new Jenkins jobs, but the profiles can be edited manually. Once a profile exists, autoarmor-genprof will not overwrite it. The default profile is embedded in autoarmor-genprof.

All the profiles can be found in /etc/apparmor.d/autoarmor/.

jenkins-autoarmor's People

Contributors

Stargazers

Watchers

jenkins-autoarmor's Issues

Prevents Jenkins from auto-creating workspace directory on a clean build slave

When adding a new node in Jenkins, you have to specify the root path. The workspace directory is then located at /root-path/workspace.

The issue is that on a cleanly built slave with no apparmor plugin installed, Jenkins will create the /root-path/workspace itself, but with this plugin installed, Jenkins will fail to create the /root-path/workspace and any job running would fail with the following error

Started by user <USERNAME>
Autoarmor: Loading AppArmor profile for workspace /root-path/workspace/<JOB_NAME>
FATAL: Autoarmor: Failed to load AppArmor profile, cancelling build.
java.lang.RuntimeException: Autoarmor: Failed to load AppArmor profile, cancelling build.
    at chat.tox.jenkins.autoarmor.AutoarmorLauncherDecorator.decorate(AutoarmorLauncherDecorator.java:109)
    at hudson.Launcher.decorateFor(Launcher.java:694)
    at hudson.model.Slave.createLauncher(Slave.java:387)
    at hudson.model.AbstractBuild$AbstractBuildExecution.createLauncher(AbstractBuild.java:561)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:492)
    at hudson.model.Run.execute(Run.java:1738)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    at hudson.model.ResourceController.execute(ResourceController.java:98)
    at hudson.model.Executor.run(Executor.java:410)
Finished: FAILURE

With the plugin enabled, Jenkins successfully creates /root-path, but doesn't create workspace in it. I think the plugin fails with the above error because it gives genprof job path /root-path/workspace/<JOB_NAME>, which doesn't exist because workspace directory wasn't auto-created by Jenkins. Disabling the plugin in Jenkins settings fixes the issue, Jenkins becomes able to create workspace directory and the job succeeds. Once the workspace directory is created, all consecutive jobs succeed too.

The current workaround I use is to mkdir -p /root-path/workspace, instead of relying on Jenkins to create it.

Recommended method to grant specific permission to a certain job

The antox build jobs would need access to the android key store for signing. Is it recommended to grant those in their apparmour config files?

is there any way to pattern match on job name in the genprof?

Recommend Projects

tux3 / jenkins-autoarmor Goto Github PK

jenkins-autoarmor's Introduction

AutoArmor

Installation

AppArmor profile configuration

jenkins-autoarmor's People

Contributors

Stargazers

Watchers

Forkers

jenkins-autoarmor's Issues

Prevents Jenkins from auto-creating workspace directory on a clean build slave

Recommended method to grant specific permission to a certain job

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent