trusted-sandbox 0.0.9.pre → 0.0.10.pre

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: e96be24e19e847b10942e3e8c72493f8b5cb0ce9
4
- data.tar.gz: df3f3cccad8434b8752ee146db68fa33dd78882c
3
+ metadata.gz: 087e7a3db62be30fbceb951541f60d39185fd272
4
+ data.tar.gz: 470126d53f50f5f75a8a6210c6205169ad3102fa
5
5
  SHA512:
6
- metadata.gz: a5165ce3e2d8ad14bf2bdb8609cc2dd87c203d7d5231c6a09aa8811b8f41748b70c7378a5c88fd3cf52bbad2d8866ee0152d99c38bcd9bd14ded6e45d4cc523f
7
- data.tar.gz: e9f975e0d6c180566ccdf66596b593176980cdb34f5ad57457ba9c685e3c37d1070af0a659d8408be53a1b5918d75f55a4c84a1b1c55d6d83d0ee715350aa567
6
+ metadata.gz: 1acd7ef23ac33477479793c38ae674cd62284e8e60e1f186ed2cd375c5bcccd2482861ab3c948fbad9454f8905cb9b9c9fe4a18b27ec30ffca5f04194f4d3546
7
+ data.tar.gz: fac057c808f1bf3da35f30432b4125783099358bca06b196bcfbd88edd0f29b96fbb33f7d9552af3739b71551595ab6f24bbdc87c773b04ddccf888e59d15ac8
data/README.md CHANGED
@@ -54,17 +54,17 @@ $ gem install trusted-sandbox
54
54
  ```
55
55
 
56
56
  ### Step 2
57
- Install the latest version of Docker. **Do not** install from your distro pacakge management system, as the docker
58
- version is old and does not support what Trusted Sandbox needs. Refer to the Docker documentation to see how to install
59
- Docker on your environment.
57
+ Install Docker, Server version >= 1.2.0. Note that at the time of writing some distro package management systems have
58
+ an earlier version. Refer to the Docker documentation to see how to install the latest Docker on your environment.
60
59
 
61
- Note that on a Linux server the docker daemon runs as root and owns the socket used to connect to it.
62
- To give your app user access to that socket you will need to add the user to the docker group.
60
+ Note that on a Linux server the docker daemon runs as root, and the root user owns the socket used to connect to the
61
+ daemon. In order to avoid the need to run your application with sudo privileges, add the application user to the
62
+ `docker` group (keep `${USER}` for the connected user or change to suit your needs):
63
63
  ```
64
64
  $ sudo gpasswd -a ${USER} docker
65
65
  $ sudo service docker.io restart
66
66
  ```
67
- then reconnect to your shell session and try the following (without sudo command):
67
+ then reconnect to your shell session and try the following (without sudo):
68
68
  ```
69
69
  $ docker images
70
70
  ```
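Review bot: The rewritten `docker` group paragraph should say that membership in that group is effectively root on the host, because the daemon behind the socket runs as root. As worded, "avoid the need to run your application with sudo privileges" reads like a privilege reduction, which it is not. For a gem whose job is running untrusted code, suggest stating this outright and recommending a dedicated application user rather than `${USER}`. The new `>= 1.2.0` requirement also drops the earlier explanation of why older distro packages are unsuitable; one sentence on what Trusted Sandbox needs from that version would help.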
@@ -79,7 +79,8 @@ Run the following command which will copy the `trusted_sandbox.yml` file into yo
79
79
  $ trusted_sandbox install
80
80
  ```
81
81
 
82
- Then follow the configuration instructions below. Once you're done configuring, test your installation by running:
82
+ Then follow the configuration instructions in this guide. Once you're done configuring, test your installation by
83
+ running:
83
84
  ```
84
85
  $ trusted_sandbox test
85
86
  ```
@@ -92,8 +93,10 @@ $ docker run --rm vaharoni/trusted_sandbox:2.1.2.v1
92
93
  ```
93
94
  If you see the message "you must provide a uid", then you are set.
94
95
 
95
- If you receive an error that looks like this: `Error response from daemon: Cannot start container 9f3bd8d72f0704980cedacc068261c38e280e7314916245550a6d48431ea8f11: fork/exec /var/lib/docker/init/dockerinit-1.0.1: cannot allocate memory`
96
- consider restarting docker:
96
+ Consider restarting the docker service if you receive an error that looks like this:
97
+ `Error response from daemon: Cannot start container 9f3bd8d72f0704980cedacc068261c38e280e7314916245550a6d48431ea8f11:
98
+ fork/exec /var/lib/docker/init/dockerinit-1.0.1: cannot allocate memory`
99
+
97
100
  ```
98
101
  $ sudo service docker.io restart
99
102
  ```
@@ -107,6 +110,8 @@ Follow the instructions in the relevant sections of the configuration guide.
107
110
  ## Configuring Trusted Sandbox
108
111
 
109
112
  Let's go over the sections of the YAML configuration file you created in step 3 above.
113
+ The top key of the YAML file is an environment string that can be set by `TRUSTED_SANDBOX_ENV` or `RAILS_ENV`
114
+ environment variables.
110
115
 
111
116
  ### Docker connection
112
117
 
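Review bot: The added sentence names two variables, `TRUSTED_SANDBOX_ENV` and `RAILS_ENV`, but does not say which one wins when both are set, or which environment key is used when neither is. Please document the precedence and the default.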
@@ -114,25 +119,24 @@ Trusted Sandbox uses the `docker-api` gem to communicate with docker. `docker-ap
114
119
  Linux host, and you should be good by omitting `docker_url` and `docker_cert_path` all together.
115
120
 
116
121
  ```ruby
117
- # If omitted ENV['DOCKER_HOST'] is used. If it is not set, docker-api defaults are used
118
- docker_url: https://192.168.59.103:2376
122
+ # If omitted ENV['DOCKER_HOST'] is used. If it is not set, docker-api defaults are used.
123
+ docker_url: https://192.168.59.103:2376
119
124
 
120
- # If omitted ENV['DOCKER_CERT_PATH'] is used. If it is not set, docker-api defaults are used
121
- docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
125
+ # If omitted ENV['DOCKER_CERT_PATH'] is used. If it is not set, docker-api defaults are used.
126
+ docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
122
127
  ```
123
128
  If you need finer control of `docker-api` configuration, you can add a `docker_options` hash entry to the
124
129
  YAML file which will override any configuration and passed through to `Docker.options`.
125
130
 
126
131
  In addition, these docker-related configuration parameters can be used:
127
132
  ```ruby
128
- docker_image_name: vaharoni/trusted_sandbox:2.1.2.v1
129
-
130
- # Optional authentication
131
- docker_login:
132
- user: my_user
133
- password: my_password
134
- email: email@email.com
133
+ docker_image_name: vaharoni/trusted_sandbox:2.1.2.v1
135
134
 
135
+ # Optional authentication
136
+ docker_login:
137
+ user: my_user
138
+ password: my_password
139
+ email: email@email.com
136
140
  ```
137
141
 
138
142
 
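Review bot: The `docker_login` example still shows `password: my_password` in plain text in the YAML file, and the re-indented block adds no guidance on handling it. Suggest a comment next to `docker_login:` advising that the file be kept out of version control and readable only by the application user. Both blocks here are YAML but are fenced as `ruby`; the fence tag should match.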
@@ -170,16 +174,16 @@ Note that controlling memory swap limits and user quotas requires additional ste
170
174
  ### Execution parameters
171
175
 
172
176
  ```ruby
173
- # A temporary folder under which sub folders are created and mounted to containers.
174
- # The code and args exchange between the host and containers is done via these sub folders.
175
- host_code_root_path: tmp/code_dirs
177
+ # A temporary folder under which sub folders are created and mounted to containers.
178
+ # The code and args exchange between the host and containers is done via these sub folders.
179
+ host_code_root_path: tmp/code_dirs
176
180
 
177
- # When set to true, the temporary sub folders will not be erased. This allows you to login
178
- # to the container to troubleshoot issues as explained in the "Troubleshooting" section.
179
- keep_code_folders: false
181
+ # When set to true, the temporary sub folders will not be erased. This allows you to login
182
+ # to the container to troubleshoot issues as explained in the "Troubleshooting" section.
183
+ keep_code_folders: false
180
184
 
181
- # A folder used by the UID-pool to handle locks.
182
- host_uid_pool_lock_path: tmp/uid_pool_lock
185
+ # A folder used by the UID-pool to handle locks.
186
+ host_uid_pool_lock_path: tmp/uid_pool_lock
183
187
  ```
184
188
 
185
189
  ### Limiting swap memory
@@ -228,7 +232,7 @@ $ mount -o remount
228
232
  ```
229
233
  and reboot the server. Finally, run the following (quota is in KB):
230
234
  ```
231
- $ trusted_sandbox set_quotas 10000
235
+ $ sudo trusted_sandbox set_quotas 10000
232
236
  ```
233
237
  This sets ~10MB quota on all UIDs that are in the range defined by `pool_size` and `pool_min_uid` parameters. If you
234
238
  change these configuration parameters you must rerun the `set_quotas` command.
@@ -405,6 +409,27 @@ following from your command line (adjust to your environment):
405
409
  ```
406
410
  $ docker run -it -v /home/MyUser/my_app/tmp/code_dirs/20000:/home/sandbox/src --entrypoint="/bin/bash" my_user/my_image:my_tag -s
407
411
  ```
412
+ Note that this will also take out that specific UID from the UID-pool so that future runs don't remount the same folder.
413
+ To release that UID back to the pool, either reset that specific UID:
414
+ ```
415
+ $ trusted_sandbox reset_uid_pool 20000
416
+ ```
417
+ or reset all UIDs (make sure no other containers are running):
418
+ ```
419
+ $ trusted_sandbox reset_uid_pool
420
+ ```
421
+
422
+ To avoid containers from being deleted after they finish running, set:
423
+ ```ruby
424
+ keep_container: true
425
+ ```
426
+ This will allow you to view containers by running `docker ps -a` and then check out container logs
427
+ `docker logs CONTAINER_ID` or container parameters `docker inspect CONTAINER_ID`.
428
+
429
+ You will need to delete containers yourself by running `docker rm CONTAINER_ID`. To delete all of your containers do:
430
+ ```
431
+ $ docker ps -aq | xargs docker rm
432
+ ```
408
433
 
409
434
  ## Contributing
410
435
 
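Review bot: The new troubleshooting text tells users to set `keep_container: true`, but the key this release adds to the config template and to the attribute list is `keep_containers` (plural), so the documented name does not match the code. Separately, the first added sentence ("this will also take out that specific UID") does not say what "this" is; in the code the UID is held back when `keep_code_folders` is set, and the README should name that setting. Finally, `docker ps -aq | xargs docker rm` removes every container on the host, not only those created by Trusted Sandbox, which the text should state.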
@@ -53,5 +53,14 @@ module TrustedSandbox
53
53
  `setquota -u #{uid} 0 #{quota_kb} 0 0 /`
54
54
  end
55
55
  end
56
+
57
+ desc 'reset_uid_pool UID', 'Release the provided UID from the UID-pool. If the UID is omitted, all UIDs that were reserved will be released, effectively resetting the pool'
58
+ def reset_uid_pool(uid = nil)
59
+ if uid
60
+ TrustedSandbox.uid_pool.release uid
61
+ else
62
+ TrustedSandbox.uid_pool.release_all
63
+ end
64
+ end
56
65
  end
57
66
  end
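Review bot: `reset_uid_pool` passes `uid` to `TrustedSandbox.uid_pool.release` exactly as it was typed on the command line, with no check that it is numeric or inside the range defined by `pool_size` and `pool_min_uid`. Suggest converting it with `Integer(uid)` and rejecting out-of-range values with a clear error before calling `release`. The `release_all` branch runs without confirmation; the README warns to make sure no other containers are running, but the command itself does not check, so a guard or a confirmation prompt would be safer.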
@@ -1,11 +1,11 @@
1
1
  development:
2
- # # Optional login information
2
+ # # Optional login information for Docker Hub
3
3
  # docker_login:
4
4
  # user: my_user
5
5
  # password: my_password
6
6
  # email: email@email.com
7
7
 
8
- # # For a linux host these can remain empty
8
+ # # For a linux host these can typically remain commented
9
9
  # docker_url: https://192.168.59.103:2376
10
10
  # docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
11
11
 
@@ -24,10 +24,13 @@ development:
24
24
 
25
25
  host_code_root_path: tmp/code_dirs
26
26
  host_uid_pool_lock_path: tmp/uid_pool_lock
27
- keep_code_folders: false
28
27
 
29
- pool_size: 5000
30
- pool_min_uid: 20000
31
- pool_timeout: 3
32
- pool_retries: 5
33
- pool_delay: 0.5
28
+ keep_code_folders: false
29
+ keep_containers: false
30
+
31
+ # # It's very unlikely you'll need to change these
32
+ # pool_size: 5000
33
+ # pool_min_uid: 20000
34
+ # pool_timeout: 3
35
+ # pool_retries: 5
36
+ # pool_delay: 0.5
@@ -30,7 +30,7 @@ module TrustedSandbox
30
30
  :memory_limit, :memory_swap_limit, :cpu_shares, :docker_image_name,
31
31
  :execution_timeout, :network_access, :enable_swap_limit, :enable_quotas,
32
32
  :container_code_path, :container_input_filename, :container_output_filename,
33
- :keep_code_folders
33
+ :keep_code_folders, :keep_containers
34
34
 
35
35
  attr_reader_with_fallback :host_code_root_path, :host_uid_pool_lock_path
36
36
 
@@ -40,7 +40,7 @@ module TrustedSandbox
40
40
  end
41
41
 
42
42
  def release_uid
43
- uid_pool.release(@uid) if @uid
43
+ uid_pool.release(@uid) if @uid and !config.keep_code_folders
44
44
  end
45
45
 
46
46
  def code_dir_path
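Review bot: In `release_uid`, the added `!config.keep_code_folders` condition means that while `keep_code_folders` is on, every run keeps its UID reserved until someone runs `reset_uid_pool`. Nothing in this hunk logs or warns about that, so a setting left enabled can eventually exhaust the pool. Suggest logging the retained UID (and the folder it maps to) when the release is skipped, and using `&&` rather than `and` in the condition.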
@@ -86,7 +86,7 @@ module TrustedSandbox
86
86
  end
87
87
 
88
88
  def remove_container
89
- return unless @container
89
+ return unless @container and !config.keep_containers
90
90
  @container.delete force: true
91
91
  end
92
92
 
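Review bot: In `remove_container`, the guard `return unless @container and !config.keep_containers` folds two unrelated reasons for returning early into one expression; splitting them into two lines, with `&&` or separate `return` statements, would read more clearly. Kept containers retain the filesystem left behind by the untrusted code that ran in them, so the option deserves a code comment marking it as a debugging aid that should stay off in normal operation.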
@@ -1,3 +1,3 @@
1
1
  module TrustedSandbox
2
- VERSION = '0.0.9.pre'
2
+ VERSION = '0.0.10.pre'
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: trusted-sandbox
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.9.pre
4
+ version: 0.0.10.pre
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amit Aharoni