Deployment
Stefan Naumann edited this page 1 year ago

Running the application safely

mvoCI is a continuous-integration server and therefore does not limit what is executed. Running the application with the wrong privileges may result in compromised machines, loss of data or maybe even broken hardware.

This wiki article points out the pitfalls to be aware of when running mvoCI on your own hardware.

Starting mvoCI

systemd

systemd can run a service under its own dedicated user and confine it to a chroot. It is highly recommended to do this for mvoCI, so that a misbehaving or compromised build can do as little harm as possible. The following example .service file shows a possible setup (it is a modified version of the unit file from the Gitea project).

[Unit]
Description=mvoCI
After=syslog.target
After=network.target
#After=mysqld.service
#After=postgresql.service

[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=mvoci
Group=mvoci
WorkingDirectory=/home/mvoci
ExecStart=/home/mvoci/mvoci --web
Restart=always
Environment=USER=mvoci HOME=/home/mvoci
# If you want to bind mvoCI to a port below 1024, uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Configuring the Webserver (Reverse Proxy)

In some scenarios it is necessary to reverse proxy the traffic to and from mvoCI through a webserver, for example when you want ci.<yourdomain>.<tld> as the CI's domain name. It is also useful when HTTPS is required.

You may want to add the following to your virtual host configuration:

<VirtualHost *:80>
    ...
    <Proxy *>
         # Apache 2.2 access control; on Apache 2.4 use "Require all granted" instead
         Order allow,deny
         Allow from all
    </Proxy>

    # Note: no trailing slash after either /mvoci or the port. Apache does not
    # accept comments on the same line as a directive, so keep notes on their own lines.
    ProxyPass /mvoci http://localhost:4042
    ProxyPassReverse /mvoci http://localhost:4042
</VirtualHost>

Then you can create a new virtual host that redirects to /mvoci:

<VirtualHost *:80>
	ServerName mvoci.example.org
	Redirect permanent / https://www.example.org/mvoci
</VirtualHost>

Note that mvoCI's own unencrypted HTTP listener must not be reachable from outside the machine. Set the configuration variable http_address to localhost so that it only binds the loopback interface and all external traffic goes through the proxy.
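As an added example that is not part of the mvoCI wiki or project, the following POSIX shell script turns the three checks implied by the systemd and reverse-proxy sections above (dedicated service user, plain-HTTP port bound to loopback only, consistent trailing slashes on ProxyPass) into functions that run over unit files, `ss -ltn` output and Apache config; the sample inputs and file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the mvoCI project: sanity checks for the deployment
# described on this page. Each check reads a text file so it can be run on real
# output (`systemctl cat mvoci`, `ss -ltn`, the Apache vhost file) or on the
# constructed samples below.

# Pass if the unit sets User= to a dedicated, non-root account.
check_unit_user() {
  user=$(sed -n 's/^User=//p' "$1" | head -n 1)
  [ -n "$user" ] && [ "$user" != "root" ]
}

# Pass if every LISTEN socket on port $2 in `ss -ltn` output ($1) is bound to
# loopback only, i.e. mvoCI's plain-HTTP port is not reachable from outside.
check_local_bind() {
  awk -v port="$2" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      found = 1
      if ($4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/) exposed = 1
    }
    END { if (found && !exposed) exit 0; exit 1 }' "$1"
}

# Pass if each ProxyPass/ProxyPassReverse line uses the same trailing-slash form
# for the path and the target (the mismatch the note above warns about).
check_proxypass() {
  awk '$1 == "ProxyPass" || $1 == "ProxyPassReverse" {
         if (($2 ~ /\/$/) != ($3 ~ /\/$/)) bad = 1 }
       END { if (bad) exit 1 }' "$1"
}

# Constructed samples (not real system output): one good and one bad of each kind.
tmp=$(mktemp -d)
printf '[Service]\nUser=mvoci\nGroup=mvoci\nExecStart=/home/mvoci/mvoci --web\n' > "$tmp/good.service"
printf '[Service]\nExecStart=/root/mvoci --web\n' > "$tmp/bad.service"
printf 'LISTEN 0 128 127.0.0.1:4042 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:443 0.0.0.0:*\n' > "$tmp/ss_good.txt"
printf 'LISTEN 0 128 0.0.0.0:4042 0.0.0.0:*\n' > "$tmp/ss_bad.txt"
printf 'ProxyPass /mvoci http://localhost:4042\nProxyPassReverse /mvoci http://localhost:4042\n' > "$tmp/vhost_good.conf"
printf 'ProxyPass /mvoci/ http://localhost:4042\n' > "$tmp/vhost_bad.conf"

# Report each check as PASS/FAIL when run stand-alone.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_unit_user "$tmp/good.service"
report check_unit_user "$tmp/bad.service"
report check_local_bind "$tmp/ss_good.txt" 4042
report check_local_bind "$tmp/ss_bad.txt" 4042
report check_proxypass "$tmp/vhost_good.conf"
report check_proxypass "$tmp/vhost_bad.conf"
```

On a live host, replace the constructed files with `systemctl cat mvoci`, `ss -ltn` and the real vhost file to get the same PASS/FAIL report for the deployment.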