Refer to this agent issue as a starting point. Users running SELinux have reported difficulties with the provided svc.sh script.If you run your agent as a service, you cannot run the agent service as root user.We encourage you to review, and if needed, update the script before running it. This script will be generated after you configure the agent. svc.sh script for you to run and manage your agent as a systemd service. If your agent is running on these operating systems you can run the agent as a systemd service: run.sh -onceĪgents in this mode will accept only one job and then spin down gracefully (useful for running in Docker on a service like Azure Container Instances). Run onceįor agents configured to run interactively, you can choose to have the agent accept only one job. If you didn't choose a different pool, your agent will be in the Default pool. To use your agent, run a job using the agent's pool. To restart the agent, press Ctrl+C and then run run.sh to restart it. If you have been running the agent as a service, uninstall the service. Run interactivelyįor guidance on whether to run the agent in interactive mode or as a service, see Agents: Interactive vs. Learn more at Communication with Azure Pipelines or TFS. When using PAT as the authentication method, the PAT token is used only for the initial configuration of the agent. The agent will not use this person'sĬredentials in everyday operation, but they're required to complete registration. Decide which user you'll useĪs a one-time step, you must register the agent. Administrators may need to investigate the file system to understand build failures or get log files to be able to report Azure DevOps failures. It makes sense to grant access to the agent folder only for DevOps administrators and the user identity running the agent process. Therefore, it is safer to carefully consider access granted to the agent machine itself, and the agent folders which contain sensitive files, such as logs and artifacts. The user generating the credentials (and other agent-related files) is different than the user that needs to read them. It is a best practice to have the identity running the agent be different from the identity with permissions to connect the agent to the pool. Therefore, it is important to consider the threat model surrounding each individual usage of Pipelines Agents to perform work, and decide what are the minimum permissions could be granted to the user running the agent, to the machine where the agent runs, to the users who have write access to the Pipeline definition, the git repos where the yaml is stored, or the group of users who control access to the pool for new pipelines. It inherently could be a target for Remote Code Execution (RCE) attacks. The Azure Pipelines agent is a software product designed to execute code it downloads from external sources. The folders controlled by the agent should be restricted to as few users as possible and they contain secrets that could be decrypted or exfiltrated. The user configuring the agent needs pool admin permissions, but the user running the agent does not. Prepare permissions Information security for self-hosted agents You should run agent setup manually the first time.Īfter you get a feel for how agents work, or if you want to automate setting up many agents, consider using unattended config. Please also make sure that all required repositories are connected to the relevant package manager used in installdependencies.sh (like apt or zypper).įor issues with dependencies installation (like 'dependency was not found in repository' or 'problem retrieving the repository index file') - you can reach out to distribution owner for further support. Review the installdependencies.sh script and ensure any referenced third party sites are accessible from your Linux machine before running the script. NET are fetched from third party sites, like. bin/installdependencies.sh in the agent directory.īe aware that some of these dependencies required by. You can install those dependencies on supported Linux platforms by running. The agent installer knows how to check for other dependencies.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |