Running the application safely
mvoCI is a continuous-integration server and therefore does not limit what it executes: whatever a build job runs, runs with the privileges of the mvoCI process. Running the application with the wrong privileges may result in compromised machines, loss of data or even broken hardware.
This wiki article seeks to identify possible loopholes to be aware of when running mvoCI on your own hardware.
systemd can run a service as its own unprivileged user and confine it to a chroot. It is highly recommended to do that with mvoCI, so that a build job cannot do harm beyond that account. The following example
.service file shows one possible setup (it is a modified unit file from the Gitea project). Note that this example only drops privileges to the mvoci user; it does not by itself chroot the process.
[Unit]
Description=mvoCI
After=syslog.target
After=network.target
#After=mysqld.service
#After=postgresql.service

[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=mvoci
Group=mvoci
WorkingDirectory=/home/mvoci
ExecStart=/home/mvoci/mvoci --web
Restart=always
Environment=USER=mvoci HOME=/home/mvoci
# If you want to bind mvoCI to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
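The following script is an added example, not part of this wiki page or of the mvoCI project. It parses a unit file the way systemd reads it (comment lines ignored, repeated keys kept, the last value of a key winning) and reports the least-privilege properties the unit above relies on: a dedicated User= and Group=, a WorkingDirectory=, no capabilities beyond CAP_NET_BIND_SERVICE, and whether RootDirectory= (systemd's chroot directive) is set at all. The two unit texts are constructed for the example; the second one is a hypothetical unit that runs the CI as root.

```python
import re

# Constructed sample: the unit from this page, without the commented-out
# lines that do not affect the audit.
GOOD_UNIT = """\
[Unit]
Description=mvoCI
After=syslog.target
After=network.target

[Service]
RestartSec=2s
Type=simple
User=mvoci
Group=mvoci
WorkingDirectory=/home/mvoci
ExecStart=/home/mvoci/mvoci --web
Restart=always
Environment=USER=mvoci HOME=/home/mvoci
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
"""

# Constructed counter-example (hypothetical): no User=, so systemd would start
# the CI as root, plus a capability set far wider than binding a low port needs.
BAD_UNIT = """\
[Unit]
Description=mvoCI

[Service]
ExecStart=/opt/mvoci/mvoci --web
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target
"""

# The only capability the page's unit ever grants (for ports below 1024).
ALLOWED_CAPS = {"CAP_NET_BIND_SERVICE"}


def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}.

    Keys may legitimately repeat (After=, Environment=), so each section keeps
    an ordered list rather than a dict. Lines starting with '#' or ';' are
    comments, exactly as systemd treats them, so a commented-out
    '#CapabilityBoundingSet=' grants nothing.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text):
    """Return findings as (level, message) tuples; 'error' means fix before use."""
    findings = []
    # dict() keeps the last value per key, matching systemd's override rule.
    service = dict(parse_unit(text).get("Service", []))

    user = service.get("User")
    if user is None:
        findings.append(("error", "User= is missing, the service would run as root"))
    elif user == "root":
        findings.append(("error", "User=root, the CI would run as root"))
    if "Group" not in service:
        findings.append(("error", "Group= is missing"))
    if "WorkingDirectory" not in service:
        findings.append(("error", "WorkingDirectory= is missing"))

    for key in ("CapabilityBoundingSet", "AmbientCapabilities"):
        extra = set(service.get(key, "").split()) - ALLOWED_CAPS
        if extra:
            findings.append(("error", f"{key} grants more than needed: {' '.join(sorted(extra))}"))

    # The page's unit drops privileges but does not chroot; RootDirectory= is
    # the systemd directive that would do that.
    if "RootDirectory" not in service:
        findings.append(("warn", "no RootDirectory=, so the service is not chrooted"))
    return findings


if __name__ == "__main__":
    for name, unit in (("page unit", GOOD_UNIT), ("bad unit", BAD_UNIT)):
        print(name)
        for level, message in audit_unit(unit):
            print(f"  [{level}] {message}")
```

Run against the page's unit the only finding is the chroot warning; the hypothetical root unit produces four errors. The check is deliberately conservative: it does not try to resolve the user on the host, it only reads what the unit declares.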
Configuring the Webserver (Reverse Proxy)
In some scenarios the traffic to and from mvoCI needs to be reverse-proxied through a webserver, for example when you want
ci.<yourdomainnamehere>.<st> as the CI's domain name, or when you want to terminate HTTPS in front of mvoCI.
You may want to add the following to your virtual server's configuration (Apache does not accept a comment on the same line as a directive, so the note is on its own line):
<VirtualHost *:80>
    ...
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    # Note: no trailing slash after either /mvoci or the port
    ProxyPass /mvoci http://localhost:4042
    ProxyPassReverse /mvoci http://localhost:4042
</VirtualHost>
Then you can create a new virtual host that redirects to it:
<VirtualHost *:80>
    ServerName mvoci.example.org
    Redirect permanent / https://www.example.org/mvoci
</VirtualHost>
Note that unencrypted traffic from mvoCI must not leave the host. Set the configuration variable
http_address to localhost, so that mvoCI listens only on the loopback interface and is reachable from outside only through the proxy.
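The following check is an added example, not code from this page or from mvoCI. It decides whether a bind address such as the value of http_address keeps the listener on loopback, treating everything that is not provably loopback (an empty host meaning "all interfaces", a non-loopback IP, or an arbitrary hostname that cannot be resolved offline) as exposed. The key=value layout of the sample configuration lines is an assumption made for the example; only the key name http_address comes from the page.

```python
import ipaddress

# Constructed sample configuration lines (key=value layout assumed).
SAFE_CONFIG = "http_address = localhost:4042\n"
EXPOSED_CONFIG = "http_address = 0.0.0.0:4042\n"


def split_host_port(addr):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    addr = addr.strip()
    if addr.startswith("["):                      # bracketed IPv6, e.g. [::1]:4042
        host, _, rest = addr[1:].partition("]")
        return host, (rest[1:] if rest.startswith(":") else None)
    if addr.count(":") == 1:                      # host:port
        host, _, port = addr.partition(":")
        return host, port
    return addr, None                             # bare hostname, IPv4 or unbracketed IPv6


def is_loopback_bind(addr):
    """True only if a listener on this address is reachable from the host itself.

    Anything not provably loopback (an empty host meaning 'all interfaces',
    a public IP, an arbitrary hostname) is reported as exposed.
    """
    host, _ = split_host_port(addr)
    if host == "localhost":
        return True
    if host == "":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_http_address(config_text):
    """Find http_address in key=value config text; return (value, is_loopback).

    A missing key yields (None, False): the default bind address is unknown
    here, so it has to be treated as exposed.
    """
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "http_address":
            value = value.strip()
            return value, is_loopback_bind(value)
    return None, False


if __name__ == "__main__":
    for text in (SAFE_CONFIG, EXPOSED_CONFIG):
        value, ok = check_http_address(text)
        print(f"http_address={value!r}: {'loopback only' if ok else 'EXPOSED'}")
```

The address the Apache ProxyPass above points at, http://localhost:4042, is exactly the loopback-only form this check accepts; a Go-style ":4042" or "0.0.0.0:4042" would let the unencrypted port be reached directly, bypassing the proxy.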