At my dayjob we use a self hosted gitlab runner to spawn virtualbox
machines that are recycled after every build. Such a linux builder in the
form of a virtualbox machine boots in 8 seconds and then runs whatever it
should run according to the project build scripts. After timeout the gitlab
runner takes care of shutting down that machine and cleans up the stored
differential disk. The current physical hardware allows us to run 6 build
jobs in parallel. We could add more physical machines without much effort,
but would eventually have to sync the virtualbox machines. Further the host
running virtualbox runs sanity cronjobs that forcefully kill virtualbox
machines that exceed an abnormally long runtime. Other abnormal behavior
could be detected with heuristics and such but we had no need to implement
that so far.

All in all this works very well regarding, but not limited to, the
following criteria:

Disk usage
Build time
Disk usage overhead during build
Administrative tasks
Upgrades to vbox build machines
Upgrades to the physical build machine

Note that we do not only build on linux, but also windows machines. Some
can be considered ancient.
--
Dominik Psenner

On Sun, Jan 6, 2019, 16:31 Christofer Dutz <christofer.d...@c-ware.de wrote:

> Well it has been for Apache committers,
>
> But it hasn't for non-committers. Usually the path for outsiders to submit
> something and usually after a review by a committer it's run.
> I guess we expect someone with commit privileges to be safe, but having
> code run by ANYONE is a different topic.
>
> Chris
>
> On 04.01.19, 15:20, "Allen Wittenauer" <a...@effectivemachines.com
> .INVALID> wrote:
>
>
>
>     > On Jan 4, 2019, at 2:00 AM, Christofer Dutz <
> christofer.d...@c-ware.de> wrote:
>     >
>     > Hmmm,
>     >
>     > thinking about it ... this is not quite "safe" is it? Just imagining
> someone starting PRs with maven download-plugin and exec-plugin starting a
> bitcoin miner or worse ... what does Infra think about this?
>     > Would prefer the "everyone" PR builds to run on Travis or something
> that wouldn't harm the ASF.
>
>         This is the same model the ASF has used for JIRA for a decade+.
> It’s always been possible for anyone to submit anything to Jenkins and have
> it get executed. Limiting PRs or patch files in JIRAs to just committers is
> very anti-community. (This is why all this talk about using Jenkins for
> building artifacts I find very entertaining.  The infrastructure just flat
> out isn’t built for it and absolutely requires disposable environments.)
>
>
>
>
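
The runtime watchdog mentioned at the top of this message (a host cronjob that kills VirtualBox machines running abnormally long) could look like the following. This is an added example, not code from the thread: the two-hour limit, the function names and the reading of `VMStateChangeTime` as UTC are assumptions.

```python
#!/usr/bin/env python3
"""Cron watchdog for disposable VirtualBox build VMs (added example)."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

MAX_RUNTIME = timedelta(hours=2)  # assumed limit; the post gives no figure

def parse_running(listing):
    """Parse `VBoxManage list runningvms` lines of the form: "name" {uuid}."""
    return re.findall(r'^"(.*)" \{([0-9a-fA-F-]{36})\}$', listing, re.M)

def state_change_time(vminfo):
    """Read VMStateChangeTime from `showvminfo --machinereadable` output.

    Assumed to be UTC. It is the time of the last state change, so a
    paused and resumed VM restarts the clock.
    """
    m = re.search(r'^VMStateChangeTime="(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)',
                  vminfo, re.M)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)

def overdue(vms, now, limit=MAX_RUNTIME):
    """vms: iterable of (name, uuid, vminfo_text); return [(name, uuid)] to kill."""
    doomed = []
    for name, uuid, info in vms:
        started = state_change_time(info)
        # Fail closed: a builder whose start time is unreadable is also killed.
        if started is None or now - started > limit:
            doomed.append((name, uuid))
    return doomed

def vbox(*args):
    """Run VBoxManage and return its stdout; raises if the command fails."""
    return subprocess.run(["VBoxManage", *args], check=True,
                          capture_output=True, text=True).stdout

def main():
    running = parse_running(vbox("list", "runningvms"))
    vms = [(n, u, vbox("showvminfo", u, "--machinereadable")) for n, u in running]
    for name, uuid in overdue(vms, datetime.now(timezone.utc)):
        print(f"powering off {name} ({uuid}): runtime limit exceeded")
        vbox("controlvm", uuid, "poweroff")

if __name__ == "__main__":
    main()
```

The script treats every running VM on the host as a disposable builder, so it belongs only on a dedicated build host.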
