How can I deploy across a DMZ using Nant / TeamCity?

Time: 2021-12-04 15:06:31

I have a build server inside our domain (and it needs to be because it also talks to other boxes in the domain), and a webserver that is in the DMZ.

As part of our build scripts, I would like to deploy websites to the webserver in the DMZ, using the Nant copy task. The problem is, that Nant is invoked from TeamCity which runs under the System account on the build server, and there is no way that I can find to give the build server system account access to the DMZ webserver directories. (It probably isn't a good idea anyway).

Is there any way to tell Nant to run a specific task under a different Windows user, or is there another solution to my problem?

Edit: One other restriction I am running under is that I can't create new domain accounts (well, at least not without going through an approval process). I can create local machine accounts, but in that case, it doesn't seem that runas will work across the DMZ.

2 solutions

#1


2  

A couple of options might be:

  1. Use the Simple Command Runner to exec out to something like runas, specifying nant.exe running under a different user account.
  2. Change the account that the TeamCity server runs as, such as to a limited-privilege user that has access to the DMZ.
  3. Attempt to use the <scp> (secure copy) task provided by NAntContrib.
  4. Use the nant <exec> task to call an ftp program that places the files up on the DMZ.

Hopefully this provides a little help. Good luck!

#2


0  

You could use PowerShell remoting to pull releases from the build server. The server would be less vulnerable than if you were to use a push release like a file copy.

I'm doing this with a custom app that logs into TeamCity and downloads artifacts and then deploys using PowerShell locally.
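A sketch of the pull approach from answer #2, added here as an example (it is not the answerer's custom app): a script run on the DMZ web server that downloads one build's artifact from TeamCity with a read-only account, checks its SHA-256 against a value supplied out of band, and deploys locally. The server URL, build configuration ID, artifact name, paths and credential file are placeholders, and it assumes the firewall lets the web server reach TeamCity over HTTPS.

```powershell
# Added example: pull-style deployment, run ON the DMZ web server.
# Every default below is a placeholder/assumption, not a value from the post.
param(
    [Parameter(Mandatory)] [string] $BuildNumber,      # the specific build to deploy
    [Parameter(Mandatory)] [string] $ExpectedSha256,   # hash of the artifact, obtained out of band
    [string] $TeamCityUrl = 'https://teamcity.example.internal',
    [string] $BuildTypeId = 'Website_Release',
    [string] $Artifact    = 'site.zip',
    [string] $SiteRoot    = 'D:\Sites\example',
    [string] $CredFile    = 'C:\Deploy\teamcity-readonly.xml'  # created once with Export-Clixml
)
$ErrorActionPreference = 'Stop'

# Read-only TeamCity account. The exported password is DPAPI-protected, so only the
# local account that created the file (on this machine) can decrypt it.
$cred = Import-Clixml -Path $CredFile

$work = Join-Path $env:TEMP ("deploy-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$zip = Join-Path $work $Artifact

try {
    # TeamCity artifact download URL for one build of one build configuration.
    $uri = "$TeamCityUrl/httpAuth/repository/download/$BuildTypeId/$BuildNumber/$Artifact"
    Invoke-WebRequest -Uri $uri -Credential $cred -OutFile $zip -UseBasicParsing

    # Refuse to deploy anything whose hash differs from the expected one.
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # -ne compares strings case-insensitively
        throw "Hash mismatch for ${Artifact}: expected $ExpectedSha256, got $actual"
    }

    # Unpack to a staging folder first so a bad archive never touches the live site.
    $staging = Join-Path $work 'staging'
    Expand-Archive -Path $zip -DestinationPath $staging

    # /MIR makes $SiteRoot match the package exactly (extra files are deleted).
    robocopy $staging $SiteRoot /MIR /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

With this layout the only credential that crosses the boundary is a read-only TeamCity login held on the web server; nothing in the domain needs write access to the DMZ directories.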
