Conversation
This is the full command we have in Jenkins FYI, might be worth updating with some of these options:
|
@ghostbar would you like to become a contributor to the containers work? I can add you as a committer here and give you access to the containers build servers to help keep them maintained if you're up for it. See the contributors stuff in io.js although I'm not a fan of the strict git stuff so we won't be following any of that here. |
Awesome, yes @rvagg I would happily help out as a commiter helping to keep them updated |
@rvagg I would suggest copying the files with ADD and build a container image + run it, which will not consume too much time on jenkins. The reason of the suggestion is that it creates permission issues with the host volumes and you won't necessarily want the output of the Pros of creating an image per each build:
Cons of creating an image per each build:
How could this be done?:
Option 1 can handle parallel builds, Option 2 doesn't. Let me know your thoughts. |
@ghostbar unsure about using |
I was pondering this yesterday and thinking that perhaps a better option is to try and get a |
Yes, I have been checking and the issue is the permission stuff with the mounted volume. Can't we run make with |
Another solution I have seen is somehow firing the container and then with exec or something copying the files on run time. I don't know what |
adding |
I didn't want to run as root because I frankly don't trust the Docker security model yet! I don't know if their new privileged / unprivileged system is workable yet and whether it covers enough of the exposed system endpoints mounted by a container. I'm willing to go with advice from you guys from this if you feel confident enough but just keep in mind that the whole point of doing these in containers is to isolate untrusted code that comes in from pull requests so we can run any old crap someone wants to put in a PR, even if it's an |
Yeah, I think the Indeed, @rvagg, running it as a user is a good solution to avoid any zero-day exploit in the docker security model. |
I'm not a security guy, by any means. Will leave that judgement to somebody else. "Breaking out" of containers has been documented in the wild before: http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ |
What is the time difference between an image per build: FROM base-build-image
ADD checkout-path /internal/iojs $ docker build -t build-NN
$ docker run build-NN ... And copying the source as the first step of the run inside the container: FROM base-build-image
# assume source is mounted at /vol/src at run time
CMD [ "cp", "-a", "/opt/iojs", "/internal/iojs" ]
If the difference isn't much, the former seems easier to follow (to me, at least) and might allow for slightly easier postmortems. A refinement on that might be to put the Dockerfile in an empty directory with a |
The easiest workflow will involve having a directory with the source in it and pointing something to it and say "run this, report errors back". i.e. the current Jenkins setup follows a standard flow of a fresh git checkout for a given commit and then invoking an arbitrary command to build & test. In this case it's just a I'm not really fussed about whether it's an
Am I missing anything else? |
@rvagg, nope, that is it. I'm gonna work on the |
Merge badges PR from @wblankenship
This one is ready to go, @rvagg let me know if you're OK with it and I'll merge it; I know @wblankenship already checked it. |
Cool- I like the direction / strategy we are going here. I've been kinda waiting for the dust to settle here before I started building OS X Not sure how much of this train of thought will translate to OS X inside Virtual Box... But it nonetheless provides solid direction. |
iojs/build | ||
=== | ||
|
||
These images are used to verify pull requests against [https://github.com/iojs/io.js](https://github.com/iojs/io.js) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to mention libuv here, the goals are the same even though the implementation is slightly different
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call. @ghostbar would you mind opening a pull request for this against another branch on this repo? Would help multiple people work on this branch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for context, the libuv folk are very diverse and it's completely separate from Node these days so there's a tiny bit of sensitivity about this build project being tied to Node / io.js and not being focused on libuv, so I'd like to make sure they know they are being looked after here and are not an afterthought
I think this will be useful for any contributor to the project.