open-build-service icon indicating copy to clipboard operation
open-build-service copied to clipboard

Published 20 hours ago verified publisher icon openSUSE

[backend] Add buildhook feature

Open kvelichko-omp opened this issue 3 years ago • 3 comments

This PR should close #11027

For test in local environment:

  1. Create path buildhook: 
    mkdir buildhook
  2. Create simple buildhook script test.sh: 
    #!/bin/bash

BUILDROOT=$1
PROJID=$2
PACKID=$3
REPOID=$4
ARCH=$5
MODE=$6

exec > >(tee -a "$BUILDROOT/.build.log") 2>&1

if [ "$MODE" = "before" ]; then
  echo "Before hook executing" > $BUILDROOT/.hook.log
else
  echo "Before hook result:"
  echo "-------------------"
  cat $BUILDROOT/.hook.log
  echo "-------------------"
  echo "After hook executing"
fi
  3. Copy file src/backend/BSConfig.pm.template to src/backend/BSConfig.pm and add next lines: 
    our $buildhookpath = "/obs/buildhook";
our $beforebuildhook = {".*" => "test.sh"};
our $afterbuildhook = {".*" => "test.sh"};
  4. Start OBS 
    docker-compose up
  5. Add package and build it
  6. See build log

After Screenshot from 2021-05-23 16-07-33

kvelichko-omp avatar May 23 '21 13:05 kvelichko-omp

The hook would not be available for local or remote builds then. So anything, what is important for the build result would not be possible in such scripts.

So I wonder what is the use-case for this at all?

(And the mentioned API interface in the issue would actually be a root security hole).

adrianschroeter avatar May 25 '21 06:05 adrianschroeter

The hook would not be available for local or remote builds then. So anything, what is important for the build result would not be possible in such scripts.

Yes it is

So I wonder what is the use-case for this at all?

As I wrote in #10853:

  1. Uploading results of static code analyze to the analyzer server
  2. Calculating special checksum of sources and binaries at build time using custom program

Additionally, using this hook, I can try to solve the problem with umount https://github.com/openSUSE/obs-build/pull/630

(And the mentioned API interface in the issue would actually be a root security hole).

Hook configuration available only for system administrator.

Yes, a bad hook can disable a worker. But this is compensated by the fact that only qualified employees have the ability to set up hooks.

kvelichko-omp avatar May 25 '21 08:05 kvelichko-omp

Codecov Report

Merging #11177 (a9a47aa) into master (2bedc85) will increase coverage by 2.24%. The diff coverage is n/a.

:exclamation: Current head a9a47aa differs from pull request most recent head c4cfd08. Consider uploading reports for the commit c4cfd08 to get more accurate results

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #11177      +/-   ##
==========================================
+ Coverage   88.77%   91.02%   +2.24%     
==========================================
  Files         688      624      -64     
  Lines       23627    22322    -1305     
==========================================
- Hits        20976    20318     -658     
+ Misses       2651     2004     -647

codecov[bot] avatar Oct 05 '22 09:10 codecov[bot]