Running agents as non-root
I have changed all my Linux agents to run as non-root to prevent mistakes such as "rm -rf $(UNDEFINED_VAR)/$(UNDEFINED_VAR2)".
Running the agents works like a charm BUT I still have some things I need to do as root. Not a problem, I sudo that and add my build agent account as a passwordless sudoer.
However, some files are due to this and some other reasons owned by root when the build is done (essentially I install a new Linux in a subdir and chroot into it and then do the build). Now there are problems.
When TeamCity starts a new build it has a number of cases where it wants to do a git clean. This does not work when the process is non-root and the files are root-owned.
Is there any way to modify that behaviour? If TeamCity did "sudo git clean ..." I'd be fine.
The other option is to always make a clean build, but that mainly postpones the problem until the work/.old directory needs cleaning in addition to increasing build times a lot.
What is the recommended strategy? Always run as root and hope for no bad mistakes in makefiles? Add the build agent account to the root group? Modify the cleanup script?
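One way to take the "modify the cleanup script" option raised above, as an added example that is not code from this thread, TeamCity or the RunAs plugin: a last build step, run as the non-root agent account, that hands root-owned leftovers in the checkout directory back to that account so the next `git clean` succeeds. The function names are hypothetical, and it assumes the agent account is allowed to run `sudo chown`.

```shell
#!/bin/sh
# Added example: not TeamCity or RunAs plugin code. Function names are hypothetical.

# list_foreign DIR OWNER_UID
# Print every path under DIR whose owner is not OWNER_UID.
# -xdev keeps find on one filesystem, so it does not descend into /proc,
# /dev or similar mounts bound into the chroot subdirectory.
list_foreign() {
    find "$1" -xdev ! -user "$2" -print
}

# reclaim DIR OWNER_UID OWNER_GID
# Give foreign-owned paths under DIR back to OWNER_UID:OWNER_GID.
# Assumption: the agent account may run "sudo chown" without a password.
reclaim() {
    dir=$1 uid=$2 gid=$3

    # Refuse empty, relative and all-slash paths, so an unset variable
    # can never turn this into a chown of "/".
    case "$dir" in
        /*[!/]*) ;;
        *) echo "reclaim: refusing '$dir'" >&2; return 2 ;;
    esac

    # Refuse a missing or symlinked top-level directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "reclaim: '$dir' is not a real directory" >&2
        return 2
    fi

    # chown -h changes a symlink itself rather than its target, so a link
    # left inside the build tree cannot redirect the root chown elsewhere.
    # With no foreign-owned paths, find never invokes sudo at all.
    find "$dir" -xdev ! -user "$uid" -exec sudo chown -h "$uid:$gid" {} +
}
```

Called as `reclaim "$CHECKOUT_DIR" "$(id -u)" "$(id -g)"`, where `CHECKOUT_DIR` is a placeholder for the build's checkout directory; a sudoers rule limited to `chown` is narrower than a blanket passwordless sudoer entry.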
Hello Jesper,
You can try the RunAs plugin, which provides the ability to run builds under a specified user account. Will it work for you?
Yes, it seems to be able to fix at least some of the issues. It's a bit unclear how it will affect my system, and I understand it is not an official JetBrains product, but my understanding is that
I'll investigate some and give it a try. Thanks.
Hi,
The plugin is provided by JetBrains. You can download the latest plugin version using this link.
Thanks. It seems to be the way to go. Is there any better documentation than https://github.com/pavelsher/runas?
* I am confused about the last parameter - the actual script to run. Where does it come from? Is "{start_build_script}" a token that is automatically replaced with the appropriate filename?
* It is not immediately obvious whether agents will continue to behave as before if the "teamcity.build.runAs.command" is not set. Will they?
Hello Jesper,
No, unfortunately we do not have better documentation for the plugin.