docker-jail 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 634e9904e8cd35a2029b477d5b8976c79619e638
+  data.tar.gz: 570a3a47d63e78bdd94f8628caa13a2d9c60a4d6
+SHA512:
+  metadata.gz: c44fcdae3de30fee6c93b9036ce8e6d125c201e6b1154ec0c4ce89cfb056ce6327a72c3268e817612f15a4990126b71a3dfae4cc7d2bf39391650b3f8e996462
+  data.tar.gz: b27a8bb30d69a11e4839603ef1e1960cb3071b885f179d75b249be8c19e4e156d797fc48d4d6a49fccb7d60ae688aee5725b5b525eba4eace2f1b9072e86d095

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in docker-jail.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 u10e10
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,109 @@
+# DockerJail
+
+It's easy to make a jail with Docker.  
+
+## Installation
+
+```bash
+gem install docker-jail
+```
+
+## Documents
+
+This gem is documented by YARD.  
+
+```bash
+yard server --gems
+```
+
+### See
+[Docker Engine API](https://docs.docker.com/engine/api/v1.26/)  
+[docker-api for ruby](https://github.com/swipely/docker-api)  
+
+
+## Usage
+
+```ruby
+require 'docker-jail'
+rsecoundequire 'pp'
+
+image      = 'ruby:alpine'
+user       = 'nobody:nobody'
+pids_limit = 10
+cpus       = '0' # string
+memory_mb  = 100 # 100MB
+timeout    = 10  # 10 seconds
+input      = StringIO.new('10')
+tmpfs      = {'/tmp/a': 'rw,size=65536k'}
+
+cmd_list = ['ruby', '-e', 'puts(gets().to_i*2)']
+# cmd_list = ['bash', '-c', 'time df']
+cmd_list = ['sh', '-c', 'time timeout -s SIGKILL -t 2 ruby -e "puts(\"output\");exit(22)"']
+
+opts = {cmd_list: cmd_list, image: image, user: user, workdir: '/tmp',
+        cpus: cpus, memory_mb: memory_mb, pids_limit: pids_limit, tmpfs: tmpfs}
+
+puts 'Create a container'
+jail = DockerJail::Simple.new(opts)
+
+puts 'Run with a time limit'
+jail.run_timeout(timeout, input) # {|s,c| puts "#{s}: #{c}"}
+
+puts "-------------------------"
+puts "Exit: #{jail.exit_code}"
+puts "Time over: #{jail.timeout?}"
+puts "Memory over: #{jail.oom_killed?}"
+
+print 'Stdout: '
+p jail.out
+print 'Stderr: '
+p jail.err
+print 'State: '
+pp jail.state
+
+# require 'pry'
+# binding.pry
+
+puts 'Delete force'
+jail.delete
+```
+
+
+## KnowHow
+
+
+### Share cpu resources equally 
+Use `cpus` options.  
+If your machine has Intel Hyper-Threading Technology,
+You can share equally by setting two core id to `cpus`.  
+e.g. `'0,1' `  
+
+##### Check core id.  
+
+```bash 
+cat /proc/cpuinfo | egrep 'process|core id' 
+```
+
+
+### Limit the time
+
+The docker-jail has two ways.  
+
+* First way: use `DockerJail::Base#run_timeout` method.  
+  This method can limit container execution time.  
+  But container execution time contains container up/down time.  
+
+* Second way: use `timeout` command in the container.  
+    But there may be cases where the container don't have the `timeout` command.  
+
+
+
+### Measure the time 
+
+Use `time` command in the container.  
+You can get result of the `time` command from stderr.  
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new do |t|
+  t.files   = ['lib/**/*.rb']
+  t.stats_options = ['--list-undoc']
+end

data/docker-jail.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'docker-jail/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "docker-jail"
+  spec.version       = DockerJail::VERSION
+  spec.authors       = ['u+']
+  spec.email         = ['uplus.e10@gmail.com']
+
+  spec.summary       = %q{Easy run commands in docker jail}
+  spec.description   = spec.summary
+  spec.homepage      = 'https://github.com/u10e10/docker-jail'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 2.3.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'docker-api', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'yard'
+end

data/lib/docker-jail.rb

@@ -0,0 +1,8 @@
+require 'docker-jail/helper'
+require 'docker-jail/version'
+
+module DockerJail
+end
+
+require 'docker-jail/base'
+require 'docker-jail/simple'

data/lib/docker-jail/base.rb

@@ -0,0 +1,139 @@
+require 'docker'
+require 'timeout'
+
+module DockerJail
+  # Execute command in jail.
+  class Base
+    @@base_opts = {
+        # Image:  'centos',
+        # Cmd:    ['ls', '-a'],
+        # User:   'user:group',  # (defaults: root:root)
+        OpenStdin:       true,
+        StdinOnce:       true,
+        Tty:             false,
+        AttachStdin:     true,
+        AttachStderr:    true,
+        NetworkDisabled: true,
+        # WorkingDir: '/',
+        HostConfig: {
+          # CpusetCpus:     '0'  # (String) e.g. '0', '0,2', '0-3',
+          # Memory:          0,  # Memory byte size. 0 is unlimited
+          PidsLimit:        15,
+          NetworkMode:      'none',
+          CapDrop:          'all',
+          ReadonlyRootfs:   true,
+          OomKillDisable:   false,
+          AutoRemove:       false,
+          # LogConfig: {Type: 'none'}
+          # Binds: [],
+          # Tmpfs: {},
+        }
+    }.freeze
+
+    # @attr_reader [Docker::Container] container docker-api's raw container
+    # @attr_reader [Array<String>] out stdout outputs
+    # @attr_reader [Array<String>] err stderr outputs
+    attr_reader :container, :out, :err
+
+
+    def self.get_all()
+      Docker::Container.all(all:true)
+    end
+
+    def self.delete_all()
+      Docker::Container.all(all:true).each{|c| c.delete(force:true)}
+    end
+
+    def self.build_option(**opts)
+      @@base_opts.merge(opts)
+    end
+
+    def self.build_container(**opts)
+      Docker::Container.create(build_option(opts))
+    end
+
+    # @option opts [Hash] opts options to create Docker container
+    # @see https://docs.docker.com/engine/api/v1.26/ Docker API Reference
+    # @example
+    #   DockerJail::Base.new(Image: 'centos', Cmd: ['ls', '-a'], HostConfig: {Memory: 10*1024})
+    def initialize(**opts)
+      @container = self.class.build_container(opts)
+    end
+
+    # Run container
+    # @param [StringIO] input Give input stream to stdin
+    # @yield deprecated. Because docker-api's block behavior is unstable
+    # @yieldparam [String] stream_name
+    # @yieldparam [String] chunk  stdout or stderr partial string
+    # @return [Array<String>, Array<String>] stdout and stderr
+    def run(input=nil, &block)
+      @out, @err = @container.tap(&:start).attach(logs: true, tty: false, stdin: input, &block)
+    end
+
+    # Run container with a time limit.
+    #   Container run in the sub thread.
+    #   the timeout value contain the container up time.
+    #   When container run timeout, value of #out and #err is undefined
+    # @param (see #run)
+    # @param [Numeric] timeout
+    #   execution time limit(seconds).
+    #   It's different from StopTimeout of Docker
+    # @yield (see #run)
+    # @yieldparam (see #run)
+    # @return (see #run)
+    # @raise [Timeout::Error] When container run timeout, raise Timeout::Error
+    def run_timeout(timeout, input=nil, &block)
+      @timeout = false
+      # Main thread
+      Timeout.timeout(timeout) do
+        # Sub thread
+        return run(input, &block)
+      end
+    rescue Timeout::Error
+      @timeout = true
+    end
+
+    # Force delete container
+    def delete
+      @container.delete(force: true)
+    end
+
+    # @return [nil] Time unlimited
+    # @return [true] Time limit exceeded
+    # @return [false] Finished within time limit
+    def timeout?
+      @timeout
+    end
+
+    # @return [Hash] The container's all state and options
+    def json
+      container.json
+    end
+
+    # @return [Hash]
+    def state
+      json['State']
+    end
+
+    # Memory limit exceeded
+    # @return [Bool]
+    def oom_killed?
+      state['OOMKilled']
+    end
+
+    # @return [Integer]
+    def exit_code
+      state['ExitCode']
+    end
+
+    # @return [Time]
+    def started_at
+      Time.parse(state['StartedAt'])
+    end
+
+    # @return [Time]
+    def finished_at
+      Time.parse(state['FinishedAt'])
+    end
+  end
+end

data/lib/docker-jail/helper.rb

@@ -0,0 +1,16 @@
+module DockerJail
+  module ClassExtensions
+    refine Hash do
+
+      break if 2.4 <= RUBY_VERSION.to_f
+
+      def compact
+        reject{|k, v| v.nil? }
+      end
+
+      def compact!
+        delete_if{|k, v| v.nil? }
+      end
+    end
+  end
+end

data/lib/docker-jail/simple.rb

@@ -0,0 +1,40 @@
+module DockerJail
+  class Simple < Base
+    using DockerJail::ClassExtensions
+
+    # @param [String] image Container base image
+    # @param [Array<String>] cmd_list Execute command and parameters
+    # @param [String] user (nil) Docker container's default user is 'root:root'.
+    # @param [String] cpus (nil)
+    # @param [Integer] memory_mb (nil)  Memory limit in MB. 0 is unlimited
+    # @param [Integer] pids_limit (nil)
+    # @param [Array<String>] binds (nil) Bind mount directories
+    # @param [String] workdir (nil) The working directory.
+    # @param [Hash] tmpfs (nil) Mount empty tmpfs
+    # @option opts [Hash] opts Other options to create Docker container
+    def initialize(image:, cmd_list:, user: nil, workdir: nil, cpus: nil, memory_mb: nil,
+                   pids_limit: nil, binds: nil, tmpfs: nil, **other_opts)
+      mem_size = memory_mb&.*(1024**2)
+      other_host_opts = other_opts.delete(:HostConfig)
+
+      host_opts = {
+        CpusetCpus: cpus,
+        Memory: mem_size,
+        MemorySwap: mem_size,
+        PidsLimit: pids_limit,
+        Binds: binds,
+        Tmpfs: tmpfs,
+      }.compact.merge(other_host_opts || {})
+
+      opts = {
+        Image: image,
+        Cmd: cmd_list,
+        User: user,
+        WorkingDir: workdir,
+        HostConfig: host_opts,
+      }.compact.merge(other_opts)
+
+      super(opts.merge(other_opts || {}))
+    end
+  end
+end

data/lib/docker-jail/version.rb

@@ -0,0 +1,3 @@
+module DockerJail
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,125 @@
+--- !ruby/object:Gem::Specification
+name: docker-jail
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- u+
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-02-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: docker-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Easy run commands in docker jail
+email:
+- uplus.e10@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- docker-jail.gemspec
+- lib/docker-jail.rb
+- lib/docker-jail/base.rb
+- lib/docker-jail/helper.rb
+- lib/docker-jail/simple.rb
+- lib/docker-jail/version.rb
+homepage: https://github.com/u10e10/docker-jail
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Easy run commands in docker jail
+test_files: []