trusted-sandbox 0.0.9.pre → 0.0.10.pre
- checksums.yaml +4 -4
- data/README.md +54 -29
- data/lib/trusted_sandbox/cli.rb +9 -0
- data/lib/trusted_sandbox/config/trusted_sandbox.yml +11 -8
- data/lib/trusted_sandbox/config.rb +1 -1
- data/lib/trusted_sandbox/runner.rb +2 -2
- data/lib/trusted_sandbox/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 087e7a3db62be30fbceb951541f60d39185fd272
|
4
|
+
data.tar.gz: 470126d53f50f5f75a8a6210c6205169ad3102fa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1acd7ef23ac33477479793c38ae674cd62284e8e60e1f186ed2cd375c5bcccd2482861ab3c948fbad9454f8905cb9b9c9fe4a18b27ec30ffca5f04194f4d3546
|
7
|
+
data.tar.gz: fac057c808f1bf3da35f30432b4125783099358bca06b196bcfbd88edd0f29b96fbb33f7d9552af3739b71551595ab6f24bbdc87c773b04ddccf888e59d15ac8
|
data/README.md
CHANGED
@@ -54,17 +54,17 @@ $ gem install trusted-sandbox
|
|
54
54
|
```
|
55
55
|
|
56
56
|
### Step 2
|
57
|
-
Install
|
58
|
-
|
59
|
-
Docker on your environment.
|
57
|
+
Install Docker, Server version >= 1.2.0. Note that at the time of writing some distro package management systems have
|
58
|
+
an earlier version. Refer to the Docker documentation to see how to install the latest Docker on your environment.
|
60
59
|
|
61
|
-
Note that on a Linux server the docker daemon runs as root and owns the socket used to connect to
|
62
|
-
|
60
|
+
Note that on a Linux server the docker daemon runs as root, and the root user owns the socket used to connect to the
|
61
|
+
daemon. In order to avoid the need to run your application with sudo privileges, add the application user to the
|
62
|
+
`docker` group (keep `${USER}` for the connected user or change to suit your needs):
|
63
63
|
```
|
64
64
|
$ sudo gpasswd -a ${USER} docker
|
65
65
|
$ sudo service docker.io restart
|
66
66
|
```
|
67
|
-
then reconnect to your shell session and try the following (without sudo
|
67
|
+
then reconnect to your shell session and try the following (without sudo):
|
68
68
|
```
|
69
69
|
$ docker images
|
70
70
|
```
|
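Review bot: The paragraph added at README lines 60-62 tells the reader to add the application user to the `docker` group but does not say what that membership grants. The same paragraph states that the daemon runs as root and that root owns the socket, so the application user ends up able to drive a root-run daemon. For a gem whose purpose is running untrusted code, state that explicitly and recommend a dedicated application account rather than `${USER}`.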
@@ -79,7 +79,8 @@ Run the following command which will copy the `trusted_sandbox.yml` file into yo
|
|
79
79
|
$ trusted_sandbox install
|
80
80
|
```
|
81
81
|
|
82
|
-
Then follow the configuration instructions
|
82
|
+
Then follow the configuration instructions in this guide. Once you're done configuring, test your installation by
|
83
|
+
running:
|
83
84
|
```
|
84
85
|
$ trusted_sandbox test
|
85
86
|
```
|
@@ -92,8 +93,10 @@ $ docker run --rm vaharoni/trusted_sandbox:2.1.2.v1
|
|
92
93
|
```
|
93
94
|
If you see the message "you must provide a uid", then you are set.
|
94
95
|
|
95
|
-
|
96
|
-
|
96
|
+
Consider restarting the docker service if you receive an error that looks like this:
|
97
|
+
`Error response from daemon: Cannot start container 9f3bd8d72f0704980cedacc068261c38e280e7314916245550a6d48431ea8f11:
|
98
|
+
fork/exec /var/lib/docker/init/dockerinit-1.0.1: cannot allocate memory`
|
99
|
+
|
97
100
|
```
|
98
101
|
$ sudo service docker.io restart
|
99
102
|
```
|
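Review bot: The sample error added at README lines 97-98 names `dockerinit-1.0.1`, while Step 2 in this same release now requires Docker Server version >= 1.2.0. Either refresh the sample from a supported daemon or say that it came from an older one, and replace the full container id with a placeholder such as CONTAINER_ID, as the troubleshooting section does.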
@@ -107,6 +110,8 @@ Follow the instructions in the relevant sections of the configuration guide.
|
|
107
110
|
## Configuring Trusted Sandbox
|
108
111
|
|
109
112
|
Let's go over the sections of the YAML configuration file you created in step 3 above.
|
113
|
+
The top key of the YAML file is an environment string that can be set by `TRUSTED_SANDBOX_ENV` or `RAILS_ENV`
|
114
|
+
environment variables.
|
110
115
|
|
111
116
|
### Docker connection
|
112
117
|
|
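Review bot: The sentence added at README lines 113-114 names two variables, `TRUSTED_SANDBOX_ENV` and `RAILS_ENV`, but does not say which one takes precedence when both are set or which top-level key is used when neither is. The shipped `trusted_sandbox.yml` in this release defines only `development:`, so a reader deploying under another environment name cannot tell from this text which section will be read. State the precedence and the default here.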
@@ -114,25 +119,24 @@ Trusted Sandbox uses the `docker-api` gem to communicate with docker. `docker-ap
|
|
114
119
|
Linux host, and you should be good by omitting `docker_url` and `docker_cert_path` all together.
|
115
120
|
|
116
121
|
```ruby
|
117
|
-
|
118
|
-
|
122
|
+
# If omitted ENV['DOCKER_HOST'] is used. If it is not set, docker-api defaults are used.
|
123
|
+
docker_url: https://192.168.59.103:2376
|
119
124
|
|
120
|
-
|
121
|
-
|
125
|
+
# If omitted ENV['DOCKER_CERT_PATH'] is used. If it is not set, docker-api defaults are used.
|
126
|
+
docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
|
122
127
|
```
|
123
128
|
If you need finer control of `docker-api` configuration, you can add a `docker_options` hash entry to the
|
124
129
|
YAML file which will override any configuration and passed through to `Docker.options`.
|
125
130
|
|
126
131
|
In addition, these docker-related configuration parameters can be used:
|
127
132
|
```ruby
|
128
|
-
|
129
|
-
|
130
|
-
# Optional authentication
|
131
|
-
docker_login:
|
132
|
-
user: my_user
|
133
|
-
password: my_password
|
134
|
-
email: email@email.com
|
133
|
+
docker_image_name: vaharoni/trusted_sandbox:2.1.2.v1
|
135
134
|
|
135
|
+
# Optional authentication
|
136
|
+
docker_login:
|
137
|
+
user: my_user
|
138
|
+
password: my_password
|
139
|
+
email: email@email.com
|
136
140
|
```
|
137
141
|
|
138
142
|
|
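Review bot: The `docker_login` example at README lines 135-139 shows `password: my_password` in plain text in the YAML file that `trusted_sandbox install` copies, and the text gives no guidance on protecting it. The comments added in this hunk for `docker_url` and `docker_cert_path` describe an ENV fallback; document an equivalent for the password if one exists, or advise keeping the file out of version control and readable only by the application user. Both fences in this hunk are tagged `ruby` although their content is YAML.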
@@ -170,16 +174,16 @@ Note that controlling memory swap limits and user quotas requires additional ste
|
|
170
174
|
### Execution parameters
|
171
175
|
|
172
176
|
```ruby
|
173
|
-
|
174
|
-
|
175
|
-
|
177
|
+
# A temporary folder under which sub folders are created and mounted to containers.
|
178
|
+
# The code and args exchange between the host and containers is done via these sub folders.
|
179
|
+
host_code_root_path: tmp/code_dirs
|
176
180
|
|
177
|
-
|
178
|
-
|
179
|
-
|
181
|
+
# When set to true, the temporary sub folders will not be erased. This allows you to login
|
182
|
+
# to the container to troubleshoot issues as explained in the "Troubleshooting" section.
|
183
|
+
keep_code_folders: false
|
180
184
|
|
181
|
-
|
182
|
-
|
185
|
+
# A folder used by the UID-pool to handle locks.
|
186
|
+
host_uid_pool_lock_path: tmp/uid_pool_lock
|
183
187
|
```
|
184
188
|
|
185
189
|
### Limiting swap memory
|
@@ -228,7 +232,7 @@ $ mount -o remount
|
|
228
232
|
```
|
229
233
|
and reboot the server. Finally, run the following (quota is in KB):
|
230
234
|
```
|
231
|
-
$ trusted_sandbox set_quotas 10000
|
235
|
+
$ sudo trusted_sandbox set_quotas 10000
|
232
236
|
```
|
233
237
|
This sets ~10MB quota on all UIDs that are in the range defined by `pool_size` and `pool_min_uid` parameters. If you
|
234
238
|
change these configuration parameters you must rerun the `set_quotas` command.
|
@@ -405,6 +409,27 @@ following from your command line (adjust to your environment):
|
|
405
409
|
```
|
406
410
|
$ docker run -it -v /home/MyUser/my_app/tmp/code_dirs/20000:/home/sandbox/src --entrypoint="/bin/bash" my_user/my_image:my_tag -s
|
407
411
|
```
|
412
|
+
Note that this will also take out that specific UID from the UID-pool so that future runs don't remount the same folder.
|
413
|
+
To release that UID back to the pool, either reset that specific UID:
|
414
|
+
```
|
415
|
+
$ trusted_sandbox reset_uid_pool 20000
|
416
|
+
```
|
417
|
+
or reset all UIDs (make sure no other containers are running):
|
418
|
+
```
|
419
|
+
$ trusted_sandbox reset_uid_pool
|
420
|
+
```
|
421
|
+
|
422
|
+
To avoid containers from being deleted after they finish running, set:
|
423
|
+
```ruby
|
424
|
+
keep_container: true
|
425
|
+
```
|
426
|
+
This will allow you to view containers by running `docker ps -a` and then check out container logs
|
427
|
+
`docker logs CONTAINER_ID` or container parameters `docker inspect CONTAINER_ID`.
|
428
|
+
|
429
|
+
You will need to delete containers yourself by running `docker rm CONTAINER_ID`. To delete all of your containers do:
|
430
|
+
```
|
431
|
+
$ docker ps -aq | xargs docker rm
|
432
|
+
```
|
408
433
|
|
409
434
|
## Contributing
|
410
435
|
|
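Review bot: The key in the added example at README line 424 is `keep_container: true`, but the rest of this release spells it `keep_containers`: `keep_containers: false` in trusted_sandbox.yml, `:keep_containers` in config.rb and `config.keep_containers` in runner.rb. A reader who copies the README line sets a key the runner does not read, so containers would still be deleted; change the example to `keep_containers: true`. Separately, `docker ps -aq | xargs docker rm` at line 431 targets every container on the host, not only those the sandbox created, which deserves a sentence.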
data/lib/trusted_sandbox/cli.rb
CHANGED
@@ -53,5 +53,14 @@ module TrustedSandbox
|
|
53
53
|
`setquota -u #{uid} 0 #{quota_kb} 0 0 /`
|
54
54
|
end
|
55
55
|
end
|
56
|
+
|
57
|
+
desc 'reset_uid_pool UID', 'Release the provided UID from the UID-pool. If the UID is omitted, all UIDs that were reserved will be released, effectively resetting the pool'
|
58
|
+
def reset_uid_pool(uid = nil)
|
59
|
+
if uid
|
60
|
+
TrustedSandbox.uid_pool.release uid
|
61
|
+
else
|
62
|
+
TrustedSandbox.uid_pool.release_all
|
63
|
+
end
|
64
|
+
end
|
56
65
|
end
|
57
66
|
end
|
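Review bot: `reset_uid_pool` hands `uid` to `TrustedSandbox.uid_pool.release` exactly as it was typed on the command line, with no integer conversion and no check that it falls in the range the pool manages (`pool_min_uid`, `pool_size`). Convert it with `Integer(uid)` and reject out-of-range values before releasing, so a typo fails loudly. The no-argument branch calls `release_all` unconditionally even though the README warns to make sure no other containers are running; an explicit confirmation would guard that path.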
@@ -1,11 +1,11 @@
|
|
1
1
|
development:
|
2
|
-
# # Optional login information
|
2
|
+
# # Optional login information for Docker Hub
|
3
3
|
# docker_login:
|
4
4
|
# user: my_user
|
5
5
|
# password: my_password
|
6
6
|
# email: email@email.com
|
7
7
|
|
8
|
-
# # For a linux host these can remain
|
8
|
+
# # For a linux host these can typically remain commented
|
9
9
|
# docker_url: https://192.168.59.103:2376
|
10
10
|
# docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
|
11
11
|
|
@@ -24,10 +24,13 @@ development:
|
|
24
24
|
|
25
25
|
host_code_root_path: tmp/code_dirs
|
26
26
|
host_uid_pool_lock_path: tmp/uid_pool_lock
|
27
|
-
keep_code_folders: false
|
28
27
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
28
|
+
keep_code_folders: false
|
29
|
+
keep_containers: false
|
30
|
+
|
31
|
+
# # It's very unlikely you'll need to change these
|
32
|
+
# pool_size: 5000
|
33
|
+
# pool_min_uid: 20000
|
34
|
+
# pool_timeout: 3
|
35
|
+
# pool_retries: 5
|
36
|
+
# pool_delay: 0.5
|
@@ -30,7 +30,7 @@ module TrustedSandbox
|
|
30
30
|
:memory_limit, :memory_swap_limit, :cpu_shares, :docker_image_name,
|
31
31
|
:execution_timeout, :network_access, :enable_swap_limit, :enable_quotas,
|
32
32
|
:container_code_path, :container_input_filename, :container_output_filename,
|
33
|
-
:keep_code_folders
|
33
|
+
:keep_code_folders, :keep_containers
|
34
34
|
|
35
35
|
attr_reader_with_fallback :host_code_root_path, :host_uid_pool_lock_path
|
36
36
|
|
@@ -40,7 +40,7 @@ module TrustedSandbox
|
|
40
40
|
end
|
41
41
|
|
42
42
|
def release_uid
|
43
|
-
uid_pool.release(@uid) if @uid
|
43
|
+
uid_pool.release(@uid) if @uid and !config.keep_code_folders
|
44
44
|
end
|
45
45
|
|
46
46
|
def code_dir_path
|
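Review bot: With `keep_code_folders` set, the changed line 43 never releases the UID, so every run takes one UID out of the pool until someone runs `reset_uid_pool`. That matches the README's troubleshooting note, but nothing here limits or reports it, and a setting left on will eventually drain the pool (the sample config shows `pool_size: 5000`). Consider logging each retained UID. Style: `and` binds more loosely than `&&`; `if @uid && !config.keep_code_folders` is the conventional form.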
@@ -86,7 +86,7 @@ module TrustedSandbox
|
|
86
86
|
end
|
87
87
|
|
88
88
|
def remove_container
|
89
|
-
return unless @container
|
89
|
+
return unless @container and !config.keep_containers
|
90
90
|
@container.delete force: true
|
91
91
|
end
|
92
92
|
|
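Review bot: `return unless @container and !config.keep_containers` at runner.rb line 89 stacks `unless` on a negated operand and is easy to misread. `return if @container.nil? || config.keep_containers` states the two exit conditions directly. With the flag on, containers that ran untrusted code are kept with no bound on how many accumulate, so a debug-level log line naming each retained container would help whoever has to clean up.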