Merge pull request #127 from python-discord/feat/nsjail/102/cgroupv2

python-discord · Dec 26, 2021 · e5c07ed · e5c07ed
2 parents 2575966 + efb4b0b
commit e5c07ed
Show file tree

Hide file tree

Showing 13 changed files with 378 additions and 1,060 deletions.
diff --git a/.github/workflows/lint-test-build-push.yaml b/.github/workflows/lint-test-build-push.yaml
@@ -9,7 +9,16 @@ on:
 
 jobs:
   lint-test-build-push:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, self-hosted]
+        include:
+          - os: ubuntu-20.04
+            full: true
+          - os: self-hosted
+            full: false # Only run tests.
+
     env:
       # Determine whether or not we should build the
       # final production image and push it to GHCR.
@@ -88,6 +97,7 @@ jobs:
 
       # Required by pre-commit.
       - name: Install git
+        if: matrix.full
         run: >-
           docker exec snekbox_dev /bin/bash -c
           'apt-get -y update && apt-get install -y git=1:2.20.*'
@@ -96,12 +106,13 @@ jobs:
       # Skip the flake8 hook because the following step will run it.
       - name: Run pre-commit hooks
         id: run-pre-commit-hooks
+        if: matrix.full
         run: >-
           docker exec snekbox_dev /bin/bash -c
           'PIP_USER=0 SKIP=flake8 pre-commit run --all-files'
 
       - name: Show pre-commit logs
-        if: always() && steps.run-pre-commit-hooks.outcome != 'success'
+        if: matrix.full && always() && steps.run-pre-commit-hooks.outcome != 'success'
         run: >-
           docker exec snekbox_dev /bin/bash -c
           'cat /root/.cache/pre-commit/pre-commit.log'
@@ -112,6 +123,7 @@ jobs:
       # up on this output to generate nice annotations to indicate what went
       # wrong where.
       - name: Run linter
+        if: matrix.full
         run: >-
           docker exec snekbox_dev /bin/bash -c
           'flake8 --format
@@ -136,7 +148,7 @@ jobs:
       # Note: This step runs even if the test step failed to make
       # sure we process the coverage reports.
       - name: Setup python
-        if: always() && steps.run_tests.outputs.started == 'true'
+        if: matrix.os != 'self-hosted' && always() && steps.run_tests.outputs.started == 'true'
         id: python
         uses: actions/setup-python@v2
         with:
@@ -166,7 +178,7 @@ jobs:
       # both with the short commit SHA and 'latest'. This step should use
       # the local build cache of the current run.
       - name: Build final image
-        if: env.production_build == 'true'
+        if: matrix.full && env.production_build == 'true'
         uses: docker/build-push-action@v2
         with:
           context: .
@@ -185,7 +197,7 @@ jobs:
 
       # Deploy to Kubernetes
       - name: Authenticate with Kubernetes
-        if: env.production_build == 'true'
+        if: matrix.full && env.production_build == 'true'
         uses: azure/k8s-set-context@v1
         with:
           method: kubeconfig
@@ -202,7 +214,7 @@ jobs:
 
       # Push the base image to GHCR, with an inline cache manifest
       - name: Push base image
-        if: env.production_build == 'true'
+        if: matrix.full && env.production_build == 'true'
         uses: docker/build-push-action@v2
         with:
           context: .
@@ -216,7 +228,7 @@ jobs:
 
       # Push the venv image to GHCR, with an inline cache manifest
       - name: Push venv image
-        if: env.production_build == 'true'
+        if: matrix.full && env.production_build == 'true'
         uses: docker/build-push-action@v2
         with:
           context: .

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,7 @@
 FROM python:3.10-slim-buster as builder
+
+WORKDIR /nsjail
+
 RUN apt-get -y update \
     && apt-get install -y \
         bison=2:3.3.* \
@@ -11,12 +14,8 @@ RUN apt-get -y update \
         make=4.2.* \
         pkg-config=0.29-6 \
         protobuf-compiler=3.6.*
-RUN git clone \
-    -b '2.9' \
-    --single-branch \
-    --depth 1 \
-    https://github.com/google/nsjail.git /nsjail
-WORKDIR /nsjail
+RUN git clone -b master --single-branch https://github.com/google/nsjail.git . \
+    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800
 RUN make
 
 # ------------------------------------------------------------------------------
@@ -25,6 +24,7 @@ FROM python:3.10-slim-buster as base
 # Everything will be a user install to allow snekbox's dependencies to be kept
 # separate from the packages exposed during eval.
 ENV PATH=/root/.local/bin:$PATH \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
     PIP_NO_CACHE_DIR=false \
     PIP_USER=1 \
     PIPENV_DONT_USE_PYENV=1 \

diff --git a/Pipfile b/Pipfile
@@ -40,9 +40,10 @@ precommit = "pre-commit install"
 # Testing
 report = "coverage report"
 # Fix ownership of the coverage file even if tests fail & preserve exit code
+# Install numpy because a test checks if it's importable
 test = """
     docker-compose run --entrypoint /bin/bash --rm snekbox -c \
-    'coverage run -m unittest; e=$?; chown --reference=. .coverage; exit $e'
+    'env PYTHONUSERBASE=/snekbox/user_base pip install numpy && coverage run -m unittest; e=$?; chown --reference=. .coverage; exit $e'
 """
 
 # Docker

diff --git a/config/snekbox.cfg b/config/snekbox.cfg
@@ -105,6 +105,7 @@ mount {
 }
 
 cgroup_mem_max: 52428800
+cgroup_mem_swap_max: 0
 cgroup_mem_mount: "/sys/fs/cgroup/memory"
 
 cgroup_pids_max: 5