chore: drop root in container

This commit is contained in:
Paul Pan 2024-03-14 17:27:34 +08:00
parent 594c09b0a7
commit 99aec47c76
Signed by: Paul
GPG Key ID: D639BDF5BA578AF4
6 changed files with 49 additions and 13 deletions


@ -13,7 +13,6 @@ jobs:
sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/local/lib/android
sudo rm -rf /opt/ghc sudo rm -rf /opt/ghc
sudo rm -rf /opt/hostedtoolcache/CodeQL sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo docker image prune --all --force
sudo df -h sudo df -h
- uses: actions/checkout@v4 - uses: actions/checkout@v4
# reference: https://github.com/containers/podman/discussions/17868 # reference: https://github.com/containers/podman/discussions/17868
@ -28,7 +27,7 @@ jobs:
path: | path: |
~/.local/share/containers ~/.local/share/containers
~/.config/containers ~/.config/containers
key: ${{ runner.os }}-${{ hashFiles('**/*.Dockerfile', 'build_image.sh', 'VERSION') }} key: ${{ runner.os }}-${{ hashFiles('**/*.Dockerfile', 'build_image.sh', 'docker-entrypoint.sh', 'VERSION') }}
- name: Login to Container Registry - name: Login to Container Registry
uses: redhat-actions/podman-login@v1 uses: redhat-actions/podman-login@v1
with: with:


@ -15,7 +15,7 @@ FROM docker.io/library/debian:bookworm-slim
WORKDIR /app WORKDIR /app
RUN apt-get update && apt-get upgrade -y \ RUN apt-get update && apt-get upgrade -y \
&& apt-get install -y ca-certificates libnl-route-3-200 libprotobuf32 tini \ && apt-get install -y ca-certificates gosu libnl-route-3-200 libprotobuf32 tini \
&& apt-get clean && rm -rf /var/lib/apt/lists && apt-get clean && rm -rf /var/lib/apt/lists
# rootfs # rootfs
@ -31,5 +31,8 @@ COPY --from=base /builder/config.docker.yaml /app
COPY --from=base /builder/docker-entrypoint.sh /app COPY --from=base /builder/docker-entrypoint.sh /app
COPY --from=base /builder/woj /app COPY --from=base /builder/woj /app
# tell entrypoint to setup runner env
ENV RUNNER_IMAGE=1
# reap zombies # reap zombies
ENTRYPOINT ["/usr/bin/tini", "/app/docker-entrypoint.sh"] ENTRYPOINT ["/usr/bin/tini", "/app/docker-entrypoint.sh"]
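Review bot: The final stage still has no `USER`, and nothing in this hunk records that the omission is deliberate: `docker-entrypoint.sh` (shown further down this page) has to start as root to create the uid-1000 account, chown the runner directories and `/sys/fs/cgroup/nsjail`, and only then drops to `woj` through the newly installed `gosu`. That reasoning belongs next to the new `ENV`, e.g. `# RUNNER_IMAGE=1: entrypoint starts as root (cgroup + ownership setup), then drops to uid 1000 with gosu; no USER on purpose`. The same comment should warn that clearing `RUNNER_IMAGE` at run time makes the entrypoint fall back to `su-exec`, which this Debian stage does not install, so the final `exec` would fail. The `gosu` package is added unpinned and without `--no-install-recommends`, matching the existing install line, so that is a pre-existing style point rather than a regression.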


@ -12,7 +12,7 @@ RUN find /app -type f -name "*.map" -delete
FROM docker.io/library/alpine FROM docker.io/library/alpine
WORKDIR /app WORKDIR /app
RUN apk --no-cache add tzdata ca-certificates bash RUN apk --no-cache add tzdata ca-certificates bash su-exec
COPY --from=base /builder/config.docker.yaml /app COPY --from=base /builder/config.docker.yaml /app
COPY --from=base /builder/docker-entrypoint.sh /app COPY --from=base /builder/docker-entrypoint.sh /app
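Review bot: For the server image the switch to `woj` could happen at build time instead of adding `su-exec`: the entrypoint's `setup_user_server` only creates the account and chowns nothing, so `RUN addgroup -g 1000 -S woj && adduser -u 1000 -S -G woj woj` followed by `USER woj` after the `COPY` lines (with `--chown=woj:woj` on any path the process must write) would remove the root-at-startup window entirely and satisfy runtime non-root checks. That only holds if `generate_config`, which the entrypoint runs before `setup_user`, can write its output as uid 1000 — its body is outside this page, so please confirm. Separately, `FROM docker.io/library/alpine` is untagged; pinning a specific `alpine:3.x` tag or a digest is the usual way to keep `su-exec` and the other packages reproducible.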


@ -1,6 +1,6 @@
services: services:
server: server:
image: git.0x7f.app/woj/woj-server:1.3.1-dev image: quay.io/ldcraft/woj-server:1.3.1-dev
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
test: [ "CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:8000/health" ] test: [ "CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:8000/health" ]
@ -27,9 +27,10 @@ services:
- "8000:8000" - "8000:8000"
runner: runner:
image: git.0x7f.app/woj/woj-runner:1.3.1-dev image: quay.io/ldcraft/woj-runner:1.3.1-dev
restart: unless-stopped restart: unless-stopped
command: runner command: runner
# moby/moby#42040, enable privileged option to make cgroup2 mount as rw
privileged: true privileged: true
cap_add: cap_add:
- SYS_ADMIN - SYS_ADMIN
@ -40,7 +41,6 @@ services:
- STORAGE_SECRET_KEY=secret_key - STORAGE_SECRET_KEY=secret_key
- STORAGE_BUCKET=woj - STORAGE_BUCKET=woj
- DEVELOPMENT=true - DEVELOPMENT=true
- SETUP_CGROUP=true
volumes: volumes:
- runner:/app/resource/runner/user - runner:/app/resource/runner/user
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
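Review bot: The new comment above `privileged: true` explains the cgroup2 mount but not the other constraint this commit introduces: the runner container must still start as root, because `docker-entrypoint.sh` creates the user, chowns `/app/resource/runner/*` and `/sys/fs/cgroup/nsjail`, and only then drops to uid 1000 with `gosu`; an operator who adds `user: "1000:1000"` here would break that setup. Suggest extending the comment: `# container must start as root: the entrypoint sets up cgroups/ownership, then drops to uid 1000 via gosu`. With `privileged: true` the `cap_add: [SYS_ADMIN]` below is redundant (privileged grants all capabilities), so either drop it or note that it is kept for a non-privileged variant. Removing `SETUP_CGROUP` means the cgroup setup is now controlled solely by the image's `RUNNER_IMAGE` env, so there is no longer a compose-level opt-out; fine if intended, but worth stating in the comment.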


@ -136,11 +136,45 @@ setup_cgroups() {
sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/nsjail/cgroup.controllers > /sys/fs/cgroup/nsjail/cgroup.subtree_control sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/nsjail/cgroup.controllers > /sys/fs/cgroup/nsjail/cgroup.subtree_control
} }
if [ -n "$SETUP_CGROUP" ]; then setup_user_runner() {
setup_cgroups # runner use debian as base image
fi groupadd --gid 1000 woj || true
useradd --gid 1000 --uid 1000 woj || true
# runner data
chown -R woj:woj /app/resource/runner/problem
chown -R woj:woj /app/resource/runner/tmp
chown -R woj:woj /app/resource/runner/user
# rootfs mount path
chown -R woj:woj /app/resource/runner/framework/rootfs/full/woj
chown -R woj:woj /app/resource/runner/framework/rootfs/run/woj
# cgroups
chown -R woj:woj /sys/fs/cgroup/nsjail
chown -R woj:root /sys/fs/cgroup/cgroup.procs
# create run dir: nsjail will try to use it
mkdir -p /run/user/1000
chown -R woj:woj /run/user/1000
chmod 700 /run/user/1000
}
setup_user_server() {
# server use alpine as base image
addgroup -g 1000 -S woj || true
adduser -u 1000 -S -G woj woj || true
}
setup_user() {
if [ -n "$RUNNER_IMAGE" ]; then
setup_user_runner
else
setup_user_server
fi
}
if [ -n "$RUNNER_IMAGE" ]; then setup_cgroups; fi
generate_config generate_config
setup_user
log_info "starting woj" log_info "starting woj"
exec /app/woj "$@" if [ -n "$RUNNER_IMAGE" ]; then EXEC=gosu; else EXEC=su-exec; fi
exec $EXEC woj /app/woj "$@"


@ -113,9 +113,9 @@ func (s *service) JailRun(arg *RunArgs) (RuntimeStatus, error) {
// build args // build args
args := []string{ args := []string{
"--quiet", "--really_quiet",
"--use_cgroupv2", "--use_cgroupv2",
"--disable_rlimits", // Rust requires this "--disable_rlimits",
"-m", "none:/tmp:tmpfs:size=67108864", // 64MB tmpfs "-m", "none:/tmp:tmpfs:size=67108864", // 64MB tmpfs
"-E", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "-E", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
// following envs must sync with resource/runner // following envs must sync with resource/runner
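Review bot: Dropping the `// Rust requires this` comment on `"--disable_rlimits"` leaves a flag that turns off the sandbox's rlimits with no stated reason, which is exactly the line a later reader will be tempted to remove or question. Keep a why-comment, e.g. `"--disable_rlimits", // Rust toolchains fail under nsjail's default rlimits; limits are expected to come from the cgroup v2 controllers instead` — the second half is inferred from `--use_cgroupv2` on the next line, so adjust it if limits are enforced elsewhere. The switch from `--quiet` to `--really_quiet` also drops nsjail's own non-fatal error output (`-Q` logs fatal messages only), so a sandbox failure will now surface only through the process status; fine if intended, but a short comment there saves a debugging detour. `JailRun` starts before and continues after this hunk.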