Running agents as non-root

Answered

I have changed all my Linux agents to run as non-root to prevent mistakes such as "rm -rf $(UNDEFINED_VAR)/$(UNDEFINED_VAR2)".

Running the agents works like a charm, BUT I still have some things I need to do as root. Not a problem, I sudo that and add my build agent account as a passwordless sudoer.

However, due to this and some other reasons, some files are owned by root when the build is done (essentially I install a new Linux in a subdir and chroot into it and then do the build). Now there are problems.

When TeamCity starts a new build it has a number of cases where it wants to do a git clean. This does not work when the process is non-root and the files are root-owned.

Is there any way to modify that behaviour? If TeamCity did "sudo git clean ..." I'd be fine.

The other option is to always make a clean build, but that mainly postpones the problem until the work/.old directory needs cleaning in addition to increasing build times a lot.

What is the recommended strategy? Always run as root and hope for no bad mistakes in makefiles? Add the build agent account to the root group? Modify the cleanup script? 

5 comments

Hello Jesper,

You can try the RunAs plugin, which provides the ability to run builds under the specified user account. Will it work for you?

0

Yes, it seems to be able to fix at least some of the issues. It's a bit unclear how it will affect my system, and I understand it is not an official JetBrains product, but my understanding is that

  • I need to install an IDE and compile it on the TeamCity server. It doesn't even have an X client so that might be an issue.
  • If I don't set the teamcity.build.runAs.command property on the agent everything will work as before. No need to tweak all configurations

I'll investigate some and give it a try. Thanks.

0

Hi,

The plugin is provided by JetBrains. You can download the latest plugin version using this link.

0

Thanks. It seems to be the way to go. Is there any better documentation than https://github.com/pavelsher/runas?

* I am confused about the last parameter - the actual script to run. Where does it come from? Is "{start_build_script}" a token that is automatically replaced with the appropriate filename?

* It is not immediately obvious whether agents will continue to behave as before if the "teamcity.build.runAs.command" is not set. Will they?

0

Hello Jesper,

No, unfortunately we do not have better documentation for the plugin.

  • "{start_build_script}" is generated automatically, you should not replace it with any value.
  • Yes, if "teamcity.build.runAs.command" is not specified the agent will behave as before.
0
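
One way to handle the "Modify the cleanup script?" option raised in the question, as an added example that is not part of the thread and is not TeamCity or RunAs plugin code: a final build step that hands root-owned leftovers in the checkout back to the agent account, so a later non-root git clean can succeed. The function names and the work-root argument are assumptions; it relies on the passwordless sudo the question describes.

```shell
#!/bin/sh
# Added example (hypothetical names): restore ownership of a checkout directory
# after a build that left root-owned files behind.

# Print the canonical checkout path if it lies strictly inside the work root.
safe_checkout_dir() {
    dir=$1
    root=$2
    # Refuse empty values: the undefined-variable mistake the question mentions.
    [ -n "$dir" ] && [ -n "$root" ] || return 1
    # Resolve symlinks and ".." so the containment check sees the real paths.
    real_dir=$(cd -- "$dir" 2>/dev/null && pwd -P) || return 1
    real_root=$(cd -- "$root" 2>/dev/null && pwd -P) || return 1
    case "$real_dir" in
        "$real_root"/?*) printf '%s\n' "$real_dir" ;;
        *) return 1 ;;
    esac
}

# Count entries under the checkout that the current uid does not own.
count_foreign_owned() {
    find "$1" -xdev ! -user "$(id -u)" -print | wc -l | tr -d ' '
}

# Re-own foreign entries. -xdev stays on one filesystem (no wandering into
# mounts left under the chroot); chown -h changes a symlink, not its target.
restore_ownership() {
    checkout=$(safe_checkout_dir "$1" "$2") || {
        echo "refusing to touch '$1'" >&2
        return 1
    }
    # Nothing to do: skip sudo entirely.
    [ "$(count_foreign_owned "$checkout")" -eq 0 ] && return 0
    find "$checkout" -xdev ! -user "$(id -u)" \
        -exec sudo -n chown -h "$(id -u):$(id -g)" {} +
}

# Stand-alone use: script.sh <checkout-dir> <agent-work-root>
if [ "$#" -eq 2 ]; then
    restore_ownership "$1" "$2"
fi
```

Because the only privileged command is chown on paths under the work root, the sudoers entry for the agent account can be narrowed to that command instead of granting blanket root.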
