Ayende @ Rahien

My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:


+972 52-548-6969

, @ Q c

Posts: 6,026 | Comments: 44,844

filter by tags archive

How to expose an OSS build server?

time to read 1 min | 89 words

I just finished setting up a build server for Rhino Tools. Ideally, I want it to be publicly accessible, and have people download the build artifacts after each build. However, CC.Net is not something that you want to just expose to the web. It has no security model (any random Joe can just start a build, hence DOS).

Any suggestions?

I should note that anything that involves significant amount of time is going to be answered with: "Great, when can you help me do that".


Rob Conery

JetBrains TeamCity yo! It's free and groovy...


Ayende Rahien

I have tried that, but I don't think it is the solution. I need a way to publish state of builds, and get their artifacts, not the CI itself.


I agree TeamCity is the greatest. So easy to setup new builds, expose artifacts... Pretty much is the greatest cc build tool I have seen.

Chad Myers


Hrm, I can't remember off the top of my head, but I think CC.NET and TeamCity both have the ability to run post-successful-build command-line scripts.

Could you just have it/them FTP the artifact to your web server somewhere?


are you talking about the build status reports? if so, I believe there is a ccnet plugin that will output the status to an html file which can be on a web server of course. I have a ccnet server running at home and at work; and the one at work might be using that plugin. I'll check tomorrow.

Ayende Rahien

I am talking about the build report and the build artifacts.

I know I can just copy them somewhere, I am trying to see if there is a good story around that.

Ayende Rahien

The plugin name would be very welcome


Just create 2 virtual directories:

First is CC.NET and has anonymous access disabled

Second is the build artifacts directory has anonymous access enabled


Maybe I'm thinking of another build system.. don't find the one single plugin I thought existed. I'll check my work CI tomorrow. In the meantime. you can do it with a little XSL and ccnet features..

xsl plugin to transform xml reports by ccnet:


publish the file:


some help:



have you tried asking hammet or one of the castle guys (like you ;) how the castle build server outputs status?



Example of Exposed TeamCity


Patrick De Boeck

FTP your artifacts using MSBuild to your online server, but keep the CI private


I am also interested in this, I just configured a ccnet server on a public server and was also hit by the lack of security.

How does the castle build handle this? Also teamcity looks good, and the professional licence is free, did not know that, I will try it!

Ryan Roberts

The CI factory fork of ccnet has some minimal security built in. Hudson is another possibility that's nearly as simple to get going as teamcity.

Peter Mounce

Thoughtworks Studios' Cruise.

  • 5 minutes to set up

  • XML config, but easy XML

  • Basic security model; I think you can then restrict people from DOS'ing (I haven't needed to look beyond "oh, basic security exists")

  • Publish artifacts via RESTful API

  • Split build ("pipeline") up into stages containing parallelisable jobs (decrease complexity of build scripts, at the cost of (if more than one agent being used) pushing artifacts to and from the server)

  • Free for 2 build agents

ruben Willems

Security is in the pipeline for ccnet,

we hope to get it in the next release 1.4.1?

somewhere in the next months.

Eric Hauser

Isn't http://builds.castleproject.org/ what you are looking for? I'm not sure how the out is produced, but it is obviously based off of CC.NET.

Rinat Abdullin
  1. You can disable starting builds from the dashboard (and use commit-line switches to let people control the builds).

  2. Dashboard can be secured completely by IIS Authentication and you can keep the XmlServerReport.aspx public to let CCTray connect in read-only mode.

  3. If you copy the artifacts and the other projects deliverables to some Distrib/[BuildLabelName] folder, just make this folder available through the FTP.

  4. Just run everything on the VM and you should close the majority of threats from script-through-SVN.


Ditto the 2 virtual directories idea. Easy peasy.


Not sure if this will be helpful (since it's also one of those "copy build artifacts" solutions), but our build automatically commits build artifacts to a SVN tag in a special repository (which can use different permissions). Since every successful build does this, we have a complete history of our build's outputs available through the standard SVN interface... Pretty easy to implement, too.

Rinat Abdullin


what's the point?

You still can produce exactly the same binaries on any machine, if you know the revision, cannot you?



that's true, but this is meant for people accessing them from non-development machines. So somebody who needs a specific build doesn't have to have a development environment ready - for example, if a tester wants to reproduce a bug and determine in which version exactly was it introduced, they don't have to be able or know how to build them.


I have had a great experience with Team City...no xml and a snap to access artifacts.

Jeff Brown

For Gallio I just put CCNet up.

Initially I had it set so that the Force Build button was disabled, but that was too much of a pain. I figure the worst someone can do is to cause a bunch of redundant builds. Not much of a serious DOS worry because builds get queued anyways.

Then there's a virtual directory pointing at the distributables for download. This is just a raw directory listing so it's not really intended for end-users.

Rinat Abdullin


I see your point. But in a project with lots of commits per day ("commit early") there will be too many binary versions saved on the server. What's the point?

I normally configure integration to copy binary to "Distrib/[Version]" only on Forced Build or if there is "#Distrib" switch in the commit message

Sebastian Jancke


I have been comparing a lot build / ci systems lately. CC.NET drove me crazy (ui sux, sorry) and it's hard to manage a lot of projects in a single instance (no administration in ui). Sadly, CC is so much better (on the ui), but that quality has not been ported (currently). TeamCity is really nice, but you have been talking about OSS, so read on ;-)

My suggesting would be to try Hudson. It's written in java as an extensible build and ci system. It currently supports nearly all scms one can imagine to really use, has integration for msbuild and nant, also other plugins for warnings-tracking support msbuild-output, the plugin for violations-tracking supports (among java-tools) also fxcop, stylecop and simian. You can have an nunit-report-transformation plugin out of the box. The whole project is currently really active and Sun has been putting one fulltime developer (the project initiator) on it. There are plenty of plugins for all kinds of things: building, reports, notification (mail, jabber, ...), integration for popular authentification and authorization systems (ads, ldap, ...).

The best: it has a "complete" remote api.

Developing new plugins is fairly easy (or modifing existing ones).

Usually, I'm not demanding good ui configuration, but we have to deal with lot of projects in multiple instances. Hudson has an amazing fast, good-looking ui, that gives you a lot of help and guidance, so using and configuring it is a really easy task.


Comment preview

Comments have been closed on this topic.


No future posts left, oh my!


  1. Technical observations from my wife (3):
    13 Nov 2015 - Production issues
  2. Production postmortem (13):
    13 Nov 2015 - The case of the “it is slow on that machine (only)”
  3. Speaking (5):
    09 Nov 2015 - Community talk in Kiev, Ukraine–What does it take to be a good developer
  4. Find the bug (5):
    11 Sep 2015 - The concurrent memory buster
  5. Buffer allocation strategies (3):
    09 Sep 2015 - Bad usage patterns
View all series


Main feed Feed Stats
Comments feed   Comments Feed Stats