trusted-sandbox 0.0.9.pre → 0.0.10.pre
- checksums.yaml +4 -4
- data/README.md +54 -29
- data/lib/trusted_sandbox/cli.rb +9 -0
- data/lib/trusted_sandbox/config/trusted_sandbox.yml +11 -8
- data/lib/trusted_sandbox/config.rb +1 -1
- data/lib/trusted_sandbox/runner.rb +2 -2
- data/lib/trusted_sandbox/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 087e7a3db62be30fbceb951541f60d39185fd272
|
4
|
+
data.tar.gz: 470126d53f50f5f75a8a6210c6205169ad3102fa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1acd7ef23ac33477479793c38ae674cd62284e8e60e1f186ed2cd375c5bcccd2482861ab3c948fbad9454f8905cb9b9c9fe4a18b27ec30ffca5f04194f4d3546
|
7
|
+
data.tar.gz: fac057c808f1bf3da35f30432b4125783099358bca06b196bcfbd88edd0f29b96fbb33f7d9552af3739b71551595ab6f24bbdc87c773b04ddccf888e59d15ac8
|
data/README.md
CHANGED
@@ -54,17 +54,17 @@ $ gem install trusted-sandbox
|
|
54
54
|
```
|
55
55
|
|
56
56
|
### Step 2
|
57
|
-
Install
|
58
|
-
|
59
|
-
Docker on your environment.
|
57
|
+
Install Docker, Server version >= 1.2.0. Note that at the time of writing some distro package management systems have
|
58
|
+
an earlier version. Refer to the Docker documentation to see how to install the latest Docker on your environment.
|
60
59
|
|
61
|
-
Note that on a Linux server the docker daemon runs as root and owns the socket used to connect to
|
62
|
-
|
60
|
+
Note that on a Linux server the docker daemon runs as root, and the root user owns the socket used to connect to the
|
61
|
+
daemon. In order to avoid the need to run your application with sudo privileges, add the application user to the
|
62
|
+
`docker` group (keep `${USER}` for the connected user or change to suit your needs):
|
63
63
|
```
|
64
64
|
$ sudo gpasswd -a ${USER} docker
|
65
65
|
$ sudo service docker.io restart
|
66
66
|
```
|
67
|
-
then reconnect to your shell session and try the following (without sudo
|
67
|
+
then reconnect to your shell session and try the following (without sudo):
|
68
68
|
```
|
69
69
|
$ docker images
|
70
70
|
```
|
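Review bot: The added text at new lines 60-62 tells the reader to add the application user to the `docker` group without saying what that grants. Membership in that group gives access to the root-owned daemon socket, which is root-equivalent control of the host, and that matters for an application whose purpose is to run untrusted code. Suggest one sentence stating this and recommending a dedicated, otherwise unprivileged user for the application. The `sudo service docker.io restart` line is also distro-specific and could be marked as such.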
@@ -79,7 +79,8 @@ Run the following command which will copy the `trusted_sandbox.yml` file into yo
|
|
79
79
|
$ trusted_sandbox install
|
80
80
|
```
|
81
81
|
|
82
|
-
Then follow the configuration instructions
|
82
|
+
Then follow the configuration instructions in this guide. Once you're done configuring, test your installation by
|
83
|
+
running:
|
83
84
|
```
|
84
85
|
$ trusted_sandbox test
|
85
86
|
```
|
@@ -92,8 +93,10 @@ $ docker run --rm vaharoni/trusted_sandbox:2.1.2.v1
|
|
92
93
|
```
|
93
94
|
If you see the message "you must provide a uid", then you are set.
|
94
95
|
|
95
|
-
|
96
|
-
|
96
|
+
Consider restarting the docker service if you receive an error that looks like this:
|
97
|
+
`Error response from daemon: Cannot start container 9f3bd8d72f0704980cedacc068261c38e280e7314916245550a6d48431ea8f11:
|
98
|
+
fork/exec /var/lib/docker/init/dockerinit-1.0.1: cannot allocate memory`
|
99
|
+
|
97
100
|
```
|
98
101
|
$ sudo service docker.io restart
|
99
102
|
```
|
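Review bot: The sample error at new lines 97-98 names `dockerinit-1.0.1`, while Step 2 of the same README now requires Docker server version >= 1.2.0, so the reader may not see this exact text. Suggest trimming the example to the stable part (`fork/exec ... cannot allocate memory`) and dropping the run-specific container id, so the reader matches on the part of the message that does not change.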
@@ -107,6 +110,8 @@ Follow the instructions in the relevant sections of the configuration guide.
|
|
107
110
|
## Configuring Trusted Sandbox
|
108
111
|
|
109
112
|
Let's go over the sections of the YAML configuration file you created in step 3 above.
|
113
|
+
The top key of the YAML file is an environment string that can be set by `TRUSTED_SANDBOX_ENV` or `RAILS_ENV`
|
114
|
+
environment variables.
|
110
115
|
|
111
116
|
### Docker connection
|
112
117
|
|
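Review bot: The sentence added at new lines 113-114 names two variables, `TRUSTED_SANDBOX_ENV` and `RAILS_ENV`, but does not say which one wins when both are set, or which top-level key is used when neither is. Suggest stating the precedence and the default explicitly, since loading the wrong environment block silently changes the limits applied to the sandbox.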
@@ -114,25 +119,24 @@ Trusted Sandbox uses the `docker-api` gem to communicate with docker. `docker-ap
|
|
114
119
|
Linux host, and you should be good by omitting `docker_url` and `docker_cert_path` all together.
|
115
120
|
|
116
121
|
```ruby
|
117
|
-
|
118
|
-
|
122
|
+
# If omitted ENV['DOCKER_HOST'] is used. If it is not set, docker-api defaults are used.
|
123
|
+
docker_url: https://192.168.59.103:2376
|
119
124
|
|
120
|
-
|
121
|
-
|
125
|
+
# If omitted ENV['DOCKER_CERT_PATH'] is used. If it is not set, docker-api defaults are used.
|
126
|
+
docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
|
122
127
|
```
|
123
128
|
If you need finer control of `docker-api` configuration, you can add a `docker_options` hash entry to the
|
124
129
|
YAML file which will override any configuration and passed through to `Docker.options`.
|
125
130
|
|
126
131
|
In addition, these docker-related configuration parameters can be used:
|
127
132
|
```ruby
|
128
|
-
|
129
|
-
|
130
|
-
# Optional authentication
|
131
|
-
docker_login:
|
132
|
-
user: my_user
|
133
|
-
password: my_password
|
134
|
-
email: email@email.com
|
133
|
+
docker_image_name: vaharoni/trusted_sandbox:2.1.2.v1
|
135
134
|
|
135
|
+
# Optional authentication
|
136
|
+
docker_login:
|
137
|
+
user: my_user
|
138
|
+
password: my_password
|
139
|
+
email: email@email.com
|
136
140
|
```
|
137
141
|
|
138
142
|
|
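Review bot: The `docker_login` sample at new lines 135-139 puts the registry password in plain text in `trusted_sandbox.yml`, and nothing in the surrounding text says how that file should be handled. Suggest adding a note that the file should stay out of version control and be readable only by the application user when `docker_login` is filled in. Separately, both fences in this hunk are tagged `ruby` although their content is YAML; `yaml` would be the accurate tag.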
@@ -170,16 +174,16 @@ Note that controlling memory swap limits and user quotas requires additional ste
|
|
170
174
|
### Execution parameters
|
171
175
|
|
172
176
|
```ruby
|
173
|
-
|
174
|
-
|
175
|
-
|
177
|
+
# A temporary folder under which sub folders are created and mounted to containers.
|
178
|
+
# The code and args exchange between the host and containers is done via these sub folders.
|
179
|
+
host_code_root_path: tmp/code_dirs
|
176
180
|
|
177
|
-
|
178
|
-
|
179
|
-
|
181
|
+
# When set to true, the temporary sub folders will not be erased. This allows you to login
|
182
|
+
# to the container to troubleshoot issues as explained in the "Troubleshooting" section.
|
183
|
+
keep_code_folders: false
|
180
184
|
|
181
|
-
|
182
|
-
|
185
|
+
# A folder used by the UID-pool to handle locks.
|
186
|
+
host_uid_pool_lock_path: tmp/uid_pool_lock
|
183
187
|
```
|
184
188
|
|
185
189
|
### Limiting swap memory
|
@@ -228,7 +232,7 @@ $ mount -o remount
|
|
228
232
|
```
|
229
233
|
and reboot the server. Finally, run the following (quota is in KB):
|
230
234
|
```
|
231
|
-
$ trusted_sandbox set_quotas 10000
|
235
|
+
$ sudo trusted_sandbox set_quotas 10000
|
232
236
|
```
|
233
237
|
This sets ~10MB quota on all UIDs that are in the range defined by `pool_size` and `pool_min_uid` parameters. If you
|
234
238
|
change these configuration parameters you must rerun the `set_quotas` command.
|
@@ -405,6 +409,27 @@ following from your command line (adjust to your environment):
|
|
405
409
|
```
|
406
410
|
$ docker run -it -v /home/MyUser/my_app/tmp/code_dirs/20000:/home/sandbox/src --entrypoint="/bin/bash" my_user/my_image:my_tag -s
|
407
411
|
```
|
412
|
+
Note that this will also take out that specific UID from the UID-pool so that future runs don't remount the same folder.
|
413
|
+
To release that UID back to the pool, either reset that specific UID:
|
414
|
+
```
|
415
|
+
$ trusted_sandbox reset_uid_pool 20000
|
416
|
+
```
|
417
|
+
or reset all UIDs (make sure no other containers are running):
|
418
|
+
```
|
419
|
+
$ trusted_sandbox reset_uid_pool
|
420
|
+
```
|
421
|
+
|
422
|
+
To avoid containers from being deleted after they finish running, set:
|
423
|
+
```ruby
|
424
|
+
keep_container: true
|
425
|
+
```
|
426
|
+
This will allow you to view containers by running `docker ps -a` and then check out container logs
|
427
|
+
`docker logs CONTAINER_ID` or container parameters `docker inspect CONTAINER_ID`.
|
428
|
+
|
429
|
+
You will need to delete containers yourself by running `docker rm CONTAINER_ID`. To delete all of your containers do:
|
430
|
+
```
|
431
|
+
$ docker ps -aq | xargs docker rm
|
432
|
+
```
|
408
433
|
|
409
434
|
## Contributing
|
410
435
|
|
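Review bot: The README at new line 424 documents the key as `keep_container: true`, but the config template and `config.rb` in this same release name it `keep_containers`, and `runner.rb` reads `config.keep_containers`. A user following the README would set a key the runner does not read, and containers would still be deleted. Suggest changing the README to `keep_containers: true`. Also note that `docker ps -aq | xargs docker rm` at new line 431 removes every container on the host, not only those created by Trusted Sandbox; the text should say so, or the command should be filtered.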
data/lib/trusted_sandbox/cli.rb
CHANGED
@@ -53,5 +53,14 @@ module TrustedSandbox
|
|
53
53
|
`setquota -u #{uid} 0 #{quota_kb} 0 0 /`
|
54
54
|
end
|
55
55
|
end
|
56
|
+
|
57
|
+
desc 'reset_uid_pool UID', 'Release the provided UID from the UID-pool. If the UID is omitted, all UIDs that were reserved will be released, effectively resetting the pool'
|
58
|
+
def reset_uid_pool(uid = nil)
|
59
|
+
if uid
|
60
|
+
TrustedSandbox.uid_pool.release uid
|
61
|
+
else
|
62
|
+
TrustedSandbox.uid_pool.release_all
|
63
|
+
end
|
64
|
+
end
|
56
65
|
end
|
57
66
|
end
|
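Review bot: In `reset_uid_pool`, the `uid` argument comes from the command line and is passed straight to `TrustedSandbox.uid_pool.release uid`, with no integer conversion and no check that it lies inside the pool range visible in this hunk. If the pool tracks UIDs as integers, a string argument may not match the held lock; suggest converting and validating it against `pool_min_uid` and `pool_size` before releasing. The `release_all` branch also runs without any check or confirmation, while the README warns to make sure no other containers are running; a guard or an explicit confirmation prompt would prevent a UID still in use from being handed to a new container.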
@@ -1,11 +1,11 @@
|
|
1
1
|
development:
|
2
|
-
# # Optional login information
|
2
|
+
# # Optional login information for Docker Hub
|
3
3
|
# docker_login:
|
4
4
|
# user: my_user
|
5
5
|
# password: my_password
|
6
6
|
# email: email@email.com
|
7
7
|
|
8
|
-
# # For a linux host these can remain
|
8
|
+
# # For a linux host these can typically remain commented
|
9
9
|
# docker_url: https://192.168.59.103:2376
|
10
10
|
# docker_cert_path: ~/.boot2docker/certs/boot2docker-vm
|
11
11
|
|
@@ -24,10 +24,13 @@ development:
|
|
24
24
|
|
25
25
|
host_code_root_path: tmp/code_dirs
|
26
26
|
host_uid_pool_lock_path: tmp/uid_pool_lock
|
27
|
-
keep_code_folders: false
|
28
27
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
28
|
+
keep_code_folders: false
|
29
|
+
keep_containers: false
|
30
|
+
|
31
|
+
# # It's very unlikely you'll need to change these
|
32
|
+
# pool_size: 5000
|
33
|
+
# pool_min_uid: 20000
|
34
|
+
# pool_timeout: 3
|
35
|
+
# pool_retries: 5
|
36
|
+
# pool_delay: 0.5
|
@@ -30,7 +30,7 @@ module TrustedSandbox
|
|
30
30
|
:memory_limit, :memory_swap_limit, :cpu_shares, :docker_image_name,
|
31
31
|
:execution_timeout, :network_access, :enable_swap_limit, :enable_quotas,
|
32
32
|
:container_code_path, :container_input_filename, :container_output_filename,
|
33
|
-
:keep_code_folders
|
33
|
+
:keep_code_folders, :keep_containers
|
34
34
|
|
35
35
|
attr_reader_with_fallback :host_code_root_path, :host_uid_pool_lock_path
|
36
36
|
|
@@ -40,7 +40,7 @@ module TrustedSandbox
|
|
40
40
|
end
|
41
41
|
|
42
42
|
def release_uid
|
43
|
-
uid_pool.release(@uid) if @uid
|
43
|
+
uid_pool.release(@uid) if @uid and !config.keep_code_folders
|
44
44
|
end
|
45
45
|
|
46
46
|
def code_dir_path
|
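Review bot: With the new condition in `release_uid`, every run made while `keep_code_folders` is true holds its UID indefinitely, and only a manual `trusted_sandbox reset_uid_pool` returns it. A long debugging session can therefore drain the pool without any hint as to why. Suggest logging the retained UID when the release is skipped, and documenting in the config template that `keep_code_folders` is for troubleshooting only. As a style point, `&&` is preferable to `and` in a boolean condition.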
@@ -86,7 +86,7 @@ module TrustedSandbox
|
|
86
86
|
end
|
87
87
|
|
88
88
|
def remove_container
|
89
|
-
return unless @container
|
89
|
+
return unless @container and !config.keep_containers
|
90
90
|
@container.delete force: true
|
91
91
|
end
|
92
92
|
|
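Review bot: In `remove_container`, the early return now skips `@container.delete force: true` whenever `keep_containers` is set. If that forced delete is also what terminates a container that is still running, for example after the execution timeout, the untrusted code would keep running on the host. Please confirm the container is stopped or killed before this point, or stop it explicitly here before returning. Kept containers also accumulate along with their filesystem state and logs, which is worth a comment next to `keep_containers` in the config template. As in `release_uid`, `&&` reads better than `and`.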