| name: "compiler explorer compilation/tool sandbox" |
| |
| mode: ONCE |
| hostname: "ce" |
| |
| time_limit: 0 |
| |
| log_level: FATAL |
| |
| rlimit_as_type: INF |
| rlimit_cpu_type: SOFT |
| rlimit_fsize: 1024 # 1GB |
| rlimit_nofile: 100 |
| |
| uidmap { |
| inside_id: "10240" |
| } |
| |
| gidmap { |
| inside_id: "10240" |
| } |
| |
| # must run following as root during system startup |
| # cgcreate -a ubuntu:ubuntu -g memory,pids,cpu,net_cls:ce-compile |
| cgroup_mem_parent: "ce-compile" |
| cgroup_pids_parent: "ce-compile" |
| cgroup_net_cls_parent: "ce-compile" |
| cgroup_cpu_parent: "ce-compile" |
| |
| cgroup_mem_max: 1342177280 # 1.25 GiB |
| cgroup_pids_max: 64 # go uses a bunch (probably one per CPU, on my desktop) |
| cgroup_cpu_ms_per_sec: 1000 |
| |
| mount { |
| src: "/bin" |
| dst: "/bin" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib" |
| dst: "/lib" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/usr" |
| dst: "/usr" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/etc/localtime" |
| dst: "/etc/localtime" |
| is_bind: true |
| } |
| mount { |
| src_content: "nobody:x:65534:65534:Not root:/root:/none\nce:x:10240:10240:Not a real account:/app:/bin/bash" |
| dst: "/etc/passwd" |
| is_bind: true |
| } |
| mount { |
| src_content: "nogroup:x:65534:\n\nce:x:10240:" |
| dst: "/etc/group" |
| is_bind: true |
| } |
| mount { |
| # this password hash is here intentionally, and is not actually used for anything |
| src_content: "ce:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::" |
| dst: "/etc/shadow" |
| is_bind: true |
| } |
| # Mounting ld.so.conf* is needed to get the magic that lets pthread be found by libc. |
| # See https://github.com/compiler-explorer/compiler-explorer/issues/2611 |
| mount { |
| src: "/etc/ld.so.conf.d" |
| dst: "/etc/ld.so.conf.d" |
| is_bind: true |
| } |
| mount { |
| src: "/etc/ld.so.conf" |
| dst: "/etc/ld.so.conf" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/lib64" |
| dst: "/lib64" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| src: "/lib32" |
| dst: "/lib32" |
| is_bind: true |
| mandatory: false |
| } |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| options: "size=134217728,nr_inodes=1000" # 128MiB |
| rw: true |
| noexec: true |
| nodev: true |
| nosuid: true |
| } |
| |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| rw: true |
| is_bind: true |
| } |
| |
| mount { |
| src: "/dev/zero" |
| dst: "/dev/zero" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/random" |
| is_bind: true |
| } |
| |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| is_bind: true |
| } |
| |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| } |
| |
| mount { |
| src: "/opt/compiler-explorer" |
| dst: "/opt/compiler-explorer" |
| is_bind: true |
| } |
| |
| # Needed for icc |
| mount { |
| src: "/opt/intel" |
| dst: "/opt/intel" |
| is_bind: true |
| mandatory: false |
| } |
| |
| # Needed for ARM non-free compilers |
| mount { |
| src: "/opt/arm" |
| dst: "/opt/arm" |
| is_bind: true |
| mandatory: false |
| } |
| |
| # Needed for things with shim scripts e.g. Python |
| mount { |
| src: "/infra/.deploy/etc/scripts" |
| dst: "/infra/.deploy/etc/scripts" |
| is_bind: true |
| mandatory: false |
| } |