Ayende @ Rahien

Refunds available at head office

How to expose an OSS build server?

I just finished setting up a build server for Rhino Tools. Ideally, I want it to be publicly accessible, and have people download the build artifacts after each build. However, CC.Net is not something that you want to just expose to the web. It has no security model (any random Joe can just start a build, hence DOS).

Any suggestions?

I should note that anything that involves significant amount of time is going to be answered with: "Great, when can you help me do that".

Comments

Rob Conery
09/17/2008 04:46 AM by
Rob Conery

JetBrains TeamCity yo! It's free and groovy...

http://blog.wekeroad.com/2008/01/27/source-control-and-continuous-integration-on-the-cheap/

Ayende Rahien
09/17/2008 04:50 AM by
Ayende Rahien

I have tried that, but I don't think it is the solution. I need a way to publish state of builds, and get their artifacts, not the CI itself.

Nick
09/17/2008 04:59 AM by
Nick

I agree TeamCity is the greatest. So easy to setup new builds, expose artifacts... Pretty much is the greatest cc build tool I have seen.

Chad Myers
09/17/2008 06:04 AM by
Chad Myers

@Ayende:

Hrm, I can't remember off the top of my head, but I think CC.NET and TeamCity both have the ability to run post-successful-build command-line scripts.

Could you just have it/them FTP the artifact to your web server somewhere?

josh
09/17/2008 06:06 AM by
josh

are you talking about the build status reports? if so, I believe there is a ccnet plugin that will output the status to an html file which can be on a web server of course. I have a ccnet server running at home and at work; and the one at work might be using that plugin. I'll check tomorrow.

Ayende Rahien
09/17/2008 06:19 AM by
Ayende Rahien

I am talking about the build report and the build artifacts.

I know I can just copy them somewhere, I am trying to see if there is a good story around that.

Ayende Rahien
09/17/2008 06:20 AM by
Ayende Rahien

The plugin name would be very welcome

Si
09/17/2008 06:28 AM by
Si

Just create 2 virtual directories:

First is CC.NET and has anonymous access disabled

Second is the build artifacts directory has anonymous access enabled

josh
09/17/2008 06:39 AM by
josh

Maybe I'm thinking of another build system.. don't find the one single plugin I thought existed. I'll check my work CI tomorrow. In the meantime. you can do it with a little XSL and ccnet features..

xsl plugin to transform xml reports by ccnet:

http://ccnet.sourceforge.net/CCNET/XSL%20Report%20Build%20Plugin.html

publish the file:

http://ccnet.sourceforge.net/CCNET/Build%20Publisher.html

some help:

http://ccnet.sourceforge.net/CCNET/index.html

josh
09/17/2008 06:40 AM by
josh

have you tried asking hammet or one of the castle guys (like you ;) how the castle build server outputs status?

http://builds.castleproject.org/cruise/index.castle

Sergey
09/17/2008 06:47 AM by
Sergey

Example of Exposed TeamCity

http://teamcity.jetbrains.com/overview.html

Patrick De Boeck
09/17/2008 07:04 AM by
Patrick De Boeck

FTP your artifacts using MSBuild to your online server, but keep the CI private

Torkel
09/17/2008 07:25 AM by
Torkel

I am also interested in this, I just configured a ccnet server on a public server and was also hit by the lack of security.

How does the castle build handle this? Also teamcity looks good, and the professional licence is free, did not know that, I will try it!

Ryan Roberts
09/17/2008 07:57 AM by
Ryan Roberts

The CI factory fork of ccnet has some minimal security built in. Hudson is another possibility that's nearly as simple to get going as teamcity.

Peter Mounce
09/17/2008 08:25 AM by
Peter Mounce

Thoughtworks Studios' Cruise.

  • 5 minutes to set up

  • XML config, but easy XML

  • Basic security model; I think you can then restrict people from DOS'ing (I haven't needed to look beyond "oh, basic security exists")

  • Publish artifacts via RESTful API

  • Split build ("pipeline") up into stages containing parallelisable jobs (decrease complexity of build scripts, at the cost of (if more than one agent being used) pushing artifacts to and from the server)

  • Free for 2 build agents

ruben Willems
09/17/2008 12:17 PM by
ruben Willems

Security is in the pipeline for ccnet,

we hope to get it in the next release 1.4.1?

somewhere in the next months.

Eric Hauser
09/17/2008 01:02 PM by
Eric Hauser

Isn't http://builds.castleproject.org/ what you are looking for? I'm not sure how the out is produced, but it is obviously based off of CC.NET.

Rinat Abdullin
09/17/2008 02:17 PM by
Rinat Abdullin
  1. You can disable starting builds from the dashboard (and use commit-line switches to let people control the builds).

  2. Dashboard can be secured completely by IIS Authentication and you can keep the XmlServerReport.aspx public to let CCTray connect in read-only mode.

  3. If you copy the artifacts and the other projects deliverables to some Distrib/[BuildLabelName] folder, just make this folder available through the FTP.

  4. Just run everything on the VM and you should close the majority of threats from script-through-SVN.

dave
09/17/2008 11:34 PM by
dave

Ditto the 2 virtual directories idea. Easy peasy.

Dave
09/18/2008 02:15 PM by
Dave

Not sure if this will be helpful (since it's also one of those "copy build artifacts" solutions), but our build automatically commits build artifacts to a SVN tag in a special repository (which can use different permissions). Since every successful build does this, we have a complete history of our build's outputs available through the standard SVN interface... Pretty easy to implement, too.

Rinat Abdullin
09/18/2008 08:08 PM by
Rinat Abdullin

Dave,

what's the point?

You still can produce exactly the same binaries on any machine, if you know the revision, cannot you?

Dave
09/19/2008 05:25 AM by
Dave

Rinat,

that's true, but this is meant for people accessing them from non-development machines. So somebody who needs a specific build doesn't have to have a development environment ready - for example, if a tester wants to reproduce a bug and determine in which version exactly was it introduced, they don't have to be able or know how to build them.

MIke
09/20/2008 03:06 AM by
MIke

I have had a great experience with Team City...no xml and a snap to access artifacts.

Jeff Brown
09/23/2008 05:08 AM by
Jeff Brown

For Gallio I just put CCNet up.

Initially I had it set so that the Force Build button was disabled, but that was too much of a pain. I figure the worst someone can do is to cause a bunch of redundant builds. Not much of a serious DOS worry because builds get queued anyways.

Then there's a virtual directory pointing at the distributables for download. This is just a raw directory listing so it's not really intended for end-users.

Rinat Abdullin
09/23/2008 10:43 AM by
Rinat Abdullin

Dave,

I see your point. But in a project with lots of commits per day ("commit early") there will be too many binary versions saved on the server. What's the point?

I normally configure integration to copy binary to "Distrib/[Version]" only on Forced Build or if there is "#Distrib" switch in the commit message

Sebastian Jancke
09/25/2008 09:03 PM by
Sebastian Jancke

Ayende,

I have been comparing a lot build / ci systems lately. CC.NET drove me crazy (ui sux, sorry) and it's hard to manage a lot of projects in a single instance (no administration in ui). Sadly, CC is so much better (on the ui), but that quality has not been ported (currently). TeamCity is really nice, but you have been talking about OSS, so read on ;-)

My suggesting would be to try Hudson. It's written in java as an extensible build and ci system. It currently supports nearly all scms one can imagine to really use, has integration for msbuild and nant, also other plugins for warnings-tracking support msbuild-output, the plugin for violations-tracking supports (among java-tools) also fxcop, stylecop and simian. You can have an nunit-report-transformation plugin out of the box. The whole project is currently really active and Sun has been putting one fulltime developer (the project initiator) on it. There are plenty of plugins for all kinds of things: building, reports, notification (mail, jabber, ...), integration for popular authentification and authorization systems (ads, ldap, ...).

The best: it has a "complete" remote api.

Developing new plugins is fairly easy (or modifing existing ones).

Usually, I'm not demanding good ui configuration, but we have to deal with lot of projects in multiple instances. Hudson has an amazing fast, good-looking ui, that gives you a lot of help and guidance, so using and configuring it is a really easy task.

-Sebastian

Comments have been closed on this topic.