Should I Create A Second Agent For More Sensitive Jobs

Hi again!

I’m able to build, test and run my dockerized app through a single buildkite agent. Right now, I’m working on setting up an app server (including installing ssl and nginx conf) which requires root (or sudo) level permissions. If I’m going to do it over buildkite, I maybe should create a second agent, authorize it with sudo and create another pipeline targeting this agent. Because I don’t want to increase the permissions of the existing agent, it’s doing its job well. Maybe I’m thinking against buildkite pipelining concepts? Would like to hear if there is a recommended approach for this kind of jobs that require higher auth.

Hey @muratgozel

Thanks for reaching out!

First i need to understand your environment. What Agent installation did you use? Are you using the docker plugins, also are you running this on the Elastic stack.

Cheers!

Sorry for the lack of details, basically I have this setup:

I don’t use buildkite docker plugins and the agent builds and pushes the container to ghcr.io. My agent is running on Ubuntu 20 and installed it by following the instructions here:
Installing Buildkite Agent on Ubuntu v3 | Buildkite Documentation

And I’m happy the way my agent works. Just thinking how should I sort out setting up app servers because it requires root permissions.

Hey @muratgozel

Thanks for the follow up.

Your reasoning is correct, to have another agent that has the sudo level permissions. You should be able to run sudo but the only drawback with the permissions the agent will be able to do anything all the time which is not good.

Cheers!