LiquidCode/LiquidCode.Tester
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix privileges

Browse Source
This commit is contained in:
prixod
2025-12-01 02:26:17 +04:00
parent a6c56ecb22
commit bd2ed7716c
2 changed files with 8 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
compose.yaml
View File

@@ -26,6 +26,7 @@
worker: worker:
image: liquidcode-tester-worker:latest image: liquidcode-tester-worker:latest
privileged: true
container_name: liquidcode-tester-worker container_name: liquidcode-tester-worker
build: build:
context: . context: .
@@ -36,16 +37,9 @@
- ASPNETCORE_ENVIRONMENT=Development - ASPNETCORE_ENVIRONMENT=Development
networks: networks:
- liquidcode-network - liquidcode-network
# Security hardening for Worker # Mount cgroup for Isolate sandbox
security_opt: volumes:
- no-new-privileges:true - /sys/fs/cgroup:/sys/fs/cgroup:rw
- apparmor=docker-default
cap_drop:
- ALL
cap_add:
- SYS_ADMIN # Required for Isolate namespaces
- SETUID # Required for Isolate to change user context
- SETGID # Required for Isolate to change group context
# Temporary filesystem for compilation and testing # Temporary filesystem for compilation and testing
tmpfs: tmpfs:
- /tmp:exec,size=4G - /tmp:exec,size=4G

12
src/LiquidCode.Tester.Worker/Dockerfile
View File

@@ -82,10 +82,8 @@ RUN apt-get update && \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# Create unprivileged user for running the worker service # Create unprivileged user for running the worker service
RUN useradd -m -u 1001 -s /bin/bash workeruser && \ RUN mkdir -p /var/local/lib/isolate && \
mkdir -p /var/local/lib/isolate && \ chmod 755 /var/local/lib/isolate
chmod 755 /var/local/lib/isolate && \
chown -R workeruser:workeruser /var/local/lib/isolate
# Configure isolate directories and control-group root # Configure isolate directories and control-group root
RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\ncg_root = /sys/fs/cgroup\nfirst_uid = 60000\nfirst_gid = 60000\nnum_boxes = 1000\n" > /usr/local/etc/isolate.conf && \ RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\ncg_root = /sys/fs/cgroup\nfirst_uid = 60000\nfirst_gid = 60000\nnum_boxes = 1000\n" > /usr/local/etc/isolate.conf && \
@@ -96,13 +94,11 @@ RUN printf "box_root = /var/local/lib/isolate\nlock_root = /run/isolate/locks\nc
COPY --from=publish /app/publish . COPY --from=publish /app/publish .
# Create temp directory for compilation and testing with proper permissions # Create temp directory for compilation and testing with proper permissions
RUN mkdir -p /tmp/testing && \ RUN mkdir -p /tmp/testing
chown -R workeruser:workeruser /tmp/testing && \
chown -R workeruser:workeruser /app
ENV ASPNETCORE_URLS=http://+:8080 ENV ASPNETCORE_URLS=http://+:8080
# Switch to unprivileged user # Switch to unprivileged user
USER workeruser #USER workeruser
ENTRYPOINT ["dotnet", "LiquidCode.Tester.Worker.dll"] ENTRYPOINT ["dotnet", "LiquidCode.Tester.Worker.dll"]