Open Tom-Willemsen opened 6 years ago
Talk to @FreddieAkeroyd about how Sphinx is set up for genie_python. I believe it runs on the Linux build server but the password for it doesn't seem to be on the passwords page.
Moving back into ready because I may not get time to look at this for a few days.
I've created the necessary scripting to provide this functionality. However, owing to the way Sphinx works, implementing it would allow users to run arbitrary Python on the build server. This has the potential to corrupt the file system or deny service on the server. Even ignoring the potential for a malicious attack, the probability is moderate given the coding skills of the contributors.
Having discussed with @FreddieAkeroyd, we are going to run the build script with a modified root to prevent access to restricted areas of the file system. The build command will be run with a command to limit the system resources it can use. The build script itself will need moving to a private repo to avoid any unverified modifications.
I have disabled the build on Jenkins for now.
Setting to impeded whilst the necessary infrastructure is set up on the server.
The PR is here:
https://github.com/ISISNeutronMuon/InstrumentScripts/pull/3
Here are a few notes since I probably won't be around when this is next worked on.
generate_template_rst.py runs to create an RST file telling Sphinx what to build. I couldn't find a way to just run across all modules in a directory. genie_python
Jenkinsfile currently points at the ticket branch, rather than master. So does the build configuration on Jenkins. This allows testing of the PR with the build.
test.py file can be removed from the PR once the issue with arbitrary code execution has been fixed. As it stands, if you run the build (currently disabled) then you'll see from the build logs that the print statement at the top of the file is executed.
This needs work on setting up a suitably secured Linux environment
As a user of the shared python area, I would like a set of webpages containing the documentation from my code.
We currently do this for genie_python using Sphinx - something similar should work here.
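The resource-limiting half of the mitigation discussed in this thread, as an added example that is not part of the issue or the linked PR: a Python wrapper that runs a build command under POSIX rlimits. The function name and all limit values are assumptions, and the modified root is not covered here because changing root needs privileges on the server.

```python
import resource
import signal
import subprocess
import sys


def run_limited(cmd, cpu_seconds=60, mem_bytes=2 << 30,
                file_bytes=16 << 20, wall_timeout=300, cwd=None):
    """Run cmd under POSIX rlimits and report how it ended.

    Returns "ok", "exit:<code>" or "killed:<SIGNAL>". All limit values are
    illustrative defaults, not settings taken from the issue.
    """
    limits = {
        resource.RLIMIT_CPU: cpu_seconds,    # CPU time, stops busy loops
        resource.RLIMIT_AS: mem_bytes,       # address space, stops memory exhaustion
        resource.RLIMIT_FSIZE: file_bytes,   # largest single file, stops disk filling
        resource.RLIMIT_CORE: 0,             # no core dumps left on the server
    }

    def apply_limits():
        # Runs in the child after fork() and before exec(), so the limits
        # bind the build process and everything it spawns, not the caller.
        for res, want in limits.items():
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                want = min(want, hard)       # a hard limit cannot be raised unprivileged
            resource.setrlimit(res, (want, want))

    # wall_timeout covers a child that sleeps or blocks and so never
    # accumulates CPU time; subprocess.run kills it and raises TimeoutExpired.
    proc = subprocess.run(cmd, cwd=cwd, preexec_fn=apply_limits,
                          timeout=wall_timeout,
                          stdin=subprocess.DEVNULL,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    if proc.returncode < 0:
        return "killed:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else "exit:%d" % proc.returncode


if __name__ == "__main__":
    # Constructed stand-in for a documented module whose top-level code spins forever.
    print(run_limited([sys.executable, "-c", "while True: pass"], cpu_seconds=1))
```

The limits bound what imported code can consume, not what it can read or write, so they complement the restricted root rather than replace it.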