Security
ALWAYS keep in mind that ranna enables ARBITRARY CODE EXECUTION on your server environment and Docker containers are NO sandboxes!
There are various attack vectors you need to keep in mind when running ranna on your environment!
Here are some further resources on this topic:
- https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
- https://systemadminspro.com/docker-container-breakout
- https://www.bmc.com/blogs/docker-security-best-practices
First of all, you should deploy your ranna instance on a separate, isolated server. This server should not host or store credentials for other services, nor any confidential or personal data or configuration.
Also, it is recommended to put a reverse proxy in front of your ranna instance(s) to limit and/or authorize incoming requests. The ranna.zekro.de demo environment uses traefik as reverse proxy, in combination with its RateLimit middleware for the public instance and the ForwardAuth middleware together with gatekeeper for the private instance.
Here you can find the current deployment information of the ranna.zekro.de demo instance.
It is highly recommended to use an application kernel such as gVisor. Follow these steps to install gVisor and to enable the runsc runtime for Docker. After that, you can specify runsc as the custom runtime for ranna sandboxes (see below).
When deployed via Docker, you can simply use environment variables to configure ranna. Otherwise, you can also place a config.yaml or config.json file next to the binary.
The most important part is to properly configure the sandbox provider.
After installing an application kernel as described above, you can specify the runtime to be used for the containers created by ranna.
SANDBOX.RUNTIME="runsc"
You should also set a memory limit for your ranna containers. The default limit, when nothing else is specified, is 100MB per container.
SANDBOX.MEMORY="100M"
There is also an option which limits the maximum amount of data that can be streamed from the containers' StdOut and StdErr into application memory to be served in the request response. This value is set to 50M by default and applies to each single buffer, so 50M for StdOut and 50M for StdErr.
SANDBOX.STREAMBUFFERCAP="50M"
Also, you should specify a timeout after which a container will be killed and its resources cleaned up. The numeric value specifies the maximum runtime in seconds and is set to 20 by default.
SANDBOX.TIMEOUTSECONDS="20"
By default, networking inside the ranna containers is disabled. If you really want to, you can enable it.
ATTENTION: Enabling networking inside ranna containers is a high security risk and should not be done for public instances!
SANDBOX.ENABLENETWORKING="true"
If you see this warning, networking inside ranna containers is enabled! If you did not intend to do so, disable it!
You can specify a maximum output length for the POST /exec endpoint response. This is a further security measure to keep control over the network traffic. By default, it is limited to 1M.
API.MAXOUTPUTLEN="1M"
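A deploy-time preflight check for the settings above, as an added example that is not part of ranna: it reads a KEY="VALUE" environment file of the form shown in this document and reports settings that weaken the sandbox (non-runsc runtime, networking enabled, oversized memory limit or timeout). The 512M and 60s ceilings are assumptions for a public instance, not ranna defaults.

```shell
#!/bin/sh
# Preflight check for a ranna environment file before deploying a public instance.
# Added example, not part of ranna. The memory and timeout ceilings below are
# assumptions for a public instance, not values taken from ranna itself.

MAX_MEM_BYTES=$((512 * 1024 * 1024))   # assumed ceiling per container
MAX_TIMEOUT_SECONDS=60                 # assumed ceiling for a single run

# ranna_env_get FILE KEY: prints the last value set for KEY, quotes stripped.
ranna_env_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# size_to_bytes SIZE: converts Docker-style sizes (512K, 100M, 2G, or plain bytes).
size_to_bytes() {
    n=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# ranna_preflight FILE: prints one finding per line; returns 1 if any was found.
ranna_preflight() {
    f="$1"; rc=0
    runtime=$(ranna_env_get "$f" SANDBOX.RUNTIME)
    if [ "$runtime" != "runsc" ]; then
        echo "SANDBOX.RUNTIME is '${runtime:-unset}'; expected runsc (gVisor)"; rc=1
    fi
    if [ "$(ranna_env_get "$f" SANDBOX.ENABLENETWORKING)" = "true" ]; then
        echo "SANDBOX.ENABLENETWORKING=true: containers can reach the network"; rc=1
    fi
    mem=$(ranna_env_get "$f" SANDBOX.MEMORY)
    if [ -n "$mem" ] && [ "$(size_to_bytes "$mem")" -gt "$MAX_MEM_BYTES" ]; then
        echo "SANDBOX.MEMORY=$mem exceeds the assumed ceiling of 512M"; rc=1
    fi
    secs=$(ranna_env_get "$f" SANDBOX.TIMEOUTSECONDS)
    if [ -n "$secs" ] && [ "$secs" -gt "$MAX_TIMEOUT_SECONDS" ]; then
        echo "SANDBOX.TIMEOUTSECONDS=$secs exceeds the assumed ceiling of 60s"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh ranna.env   (exit status 1 means at least one finding)
if [ -n "${1:-}" ]; then ranna_preflight "$1"; fi
```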