etc/nsjail/execute.cfg - compiler-explorer - Rivoreo Source Code Repositories

 name: "compiler explorer compilation/tool sandbox"

 mode: ONCE
 hostname: "ce"

 time_limit: 0

 log_level: FATAL

 rlimit_as_type: INF
 rlimit_cpu_type: SOFT
 rlimit_fsize: 1024 # 1GB
 rlimit_nofile: 100

 uidmap {
     inside_id: "10240"
 }

 gidmap {
     inside_id: "10240"
 }

 # must run following as root during system startup
 # cgcreate -a ubuntu:ubuntu -g memory,pids,cpu,net_cls:ce-compile
 cgroup_mem_parent: "ce-compile"
 cgroup_pids_parent: "ce-compile"
 cgroup_net_cls_parent: "ce-compile"
 cgroup_cpu_parent: "ce-compile"

 cgroup_mem_max: 1342177280 # 1.25 GiB
 cgroup_pids_max: 64  # go uses a bunch (probably one per CPU, on my desktop)
 cgroup_cpu_ms_per_sec: 1000

 mount {
     src: "/bin"
     dst: "/bin"
     is_bind: true
 }

 mount {
     src: "/lib"
     dst: "/lib"
     is_bind: true
 }

 mount {
     src: "/usr"
     dst: "/usr"
     is_bind: true
 }

 mount {
     src: "/etc/localtime"
     dst: "/etc/localtime"
     is_bind: true
 }
 mount {
     src_content: "nobody:x:65534:65534:Not root:/root:/none\nce:x:10240:10240:Not a real account:/app:/bin/bash"
     dst: "/etc/passwd"
     is_bind: true
 }
 mount {
     src_content: "nogroup:x:65534:\n\nce:x:10240:"
     dst: "/etc/group"
     is_bind: true
 }
 mount {
     # this password hash is here intentionally, and is not actually used for anything
     src_content: "ce:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::"
     dst: "/etc/shadow"
     is_bind: true
 }
 # Mounting ld.so.conf* is needed to get the magic that lets pthread be found by libc.
 # See https://github.com/compiler-explorer/compiler-explorer/issues/2611
 mount {
     src: "/etc/ld.so.conf.d"
     dst: "/etc/ld.so.conf.d"
     is_bind: true
 }
 mount {
     src: "/etc/ld.so.conf"
     dst: "/etc/ld.so.conf"
     is_bind: true
 }

 mount {
     src: "/lib64"
     dst: "/lib64"
     is_bind: true
     mandatory: false
 }

 mount {
     src: "/lib32"
     dst: "/lib32"
     is_bind: true
     mandatory: false
 }

 mount {
     dst: "/tmp"
     fstype: "tmpfs"
     options: "size=134217728,nr_inodes=1000" # 128MiB
     rw: true
     noexec: true
     nodev: true
     nosuid: true
 }

 mount {
     src: "/dev/null"
     dst: "/dev/null"
     rw: true
     is_bind: true
 }

 mount {
     src: "/dev/zero"
     dst: "/dev/zero"
     is_bind: true
 }

 mount {
     src: "/dev/urandom"
     dst: "/dev/random"
     is_bind: true
 }

 mount {
     src: "/dev/urandom"
     dst: "/dev/urandom"
     is_bind: true
 }

 mount {
     dst: "/proc"
     fstype: "proc"
 }

 mount {
     src: "/opt/compiler-explorer"
     dst: "/opt/compiler-explorer"
     is_bind: true
 }

 # Needed for icc
 mount {
     src: "/opt/intel"
     dst: "/opt/intel"
     is_bind: true
     mandatory: false
 }

 # Needed for ARM non-free compilers
 mount {
     src: "/opt/arm"
     dst: "/opt/arm"
     is_bind: true
     mandatory: false
 }

 # Needed for things with shim scripts e.g. Python
 mount {
     src: "/infra/.deploy/etc/scripts"
     dst: "/infra/.deploy/etc/scripts"
     is_bind: true
     mandatory: false
 }
	name: "compiler explorer compilation/tool sandbox"

	mode: ONCE
	hostname: "ce"

	time_limit: 0

	log_level: FATAL

	rlimit_as_type: INF
	rlimit_cpu_type: SOFT
	rlimit_fsize: 1024 # 1GB
	rlimit_nofile: 100

	uidmap {
	inside_id: "10240"
	}

	gidmap {
	inside_id: "10240"
	}

	# must run following as root during system startup
	# cgcreate -a ubuntu:ubuntu -g memory,pids,cpu,net_cls:ce-compile
	cgroup_mem_parent: "ce-compile"
	cgroup_pids_parent: "ce-compile"
	cgroup_net_cls_parent: "ce-compile"
	cgroup_cpu_parent: "ce-compile"

	cgroup_mem_max: 1342177280 # 1.25 GiB
	cgroup_pids_max: 64 # go uses a bunch (probably one per CPU, on my desktop)
	cgroup_cpu_ms_per_sec: 1000

	mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
	}

	mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
	}

	mount {
	src: "/usr"
	dst: "/usr"
	is_bind: true
	}

	mount {
	src: "/etc/localtime"
	dst: "/etc/localtime"
	is_bind: true
	}
	mount {
	src_content: "nobody:x:65534:65534:Not root:/root:/none\nce:x:10240:10240:Not a real account:/app:/bin/bash"
	dst: "/etc/passwd"
	is_bind: true
	}
	mount {
	src_content: "nogroup:x:65534:\n\nce:x:10240:"
	dst: "/etc/group"
	is_bind: true
	}
	mount {
	# this password hash is here intentionally, and is not actually used for anything
	src_content: "ce:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::"
	dst: "/etc/shadow"
	is_bind: true
	}
	# Mounting ld.so.conf* is needed to get the magic that lets pthread be found by libc.
	# See https://github.com/compiler-explorer/compiler-explorer/issues/2611
	mount {
	src: "/etc/ld.so.conf.d"
	dst: "/etc/ld.so.conf.d"
	is_bind: true
	}
	mount {
	src: "/etc/ld.so.conf"
	dst: "/etc/ld.so.conf"
	is_bind: true
	}

	mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
	mandatory: false
	}

	mount {
	src: "/lib32"
	dst: "/lib32"
	is_bind: true
	mandatory: false
	}

	mount {
	dst: "/tmp"
	fstype: "tmpfs"
	options: "size=134217728,nr_inodes=1000" # 128MiB
	rw: true
	noexec: true
	nodev: true
	nosuid: true
	}

	mount {
	src: "/dev/null"
	dst: "/dev/null"
	rw: true
	is_bind: true
	}

	mount {
	src: "/dev/zero"
	dst: "/dev/zero"
	is_bind: true
	}

	mount {
	src: "/dev/urandom"
	dst: "/dev/random"
	is_bind: true
	}

	mount {
	src: "/dev/urandom"
	dst: "/dev/urandom"
	is_bind: true
	}

	mount {
	dst: "/proc"
	fstype: "proc"
	}

	mount {
	src: "/opt/compiler-explorer"
	dst: "/opt/compiler-explorer"
	is_bind: true
	}

	# Needed for icc
	mount {
	src: "/opt/intel"
	dst: "/opt/intel"
	is_bind: true
	mandatory: false
	}

	# Needed for ARM non-free compilers
	mount {
	src: "/opt/arm"
	dst: "/opt/arm"
	is_bind: true
	mandatory: false
	}

	# Needed for things with shim scripts e.g. Python
	mount {
	src: "/infra/.deploy/etc/scripts"
	dst: "/infra/.deploy/etc/scripts"
	is_bind: true
	mandatory: false
	}