blob: 124d56e043a41fe8c3865f439c1afcc0424d0b7f [file] [log] [blame] [raw]
name: "compiler explorer compilation/tool sandbox"
mode: ONCE
hostname: "ce"
time_limit: 0
log_level: FATAL
rlimit_as_type: INF
rlimit_cpu_type: SOFT
rlimit_fsize: 1024 # 1GB
rlimit_nofile: 150
uidmap {
inside_id: "10240"
}
gidmap {
inside_id: "10240"
}
# must run following as root during system startup
# cgcreate -a ubuntu:ubuntu -g memory,pids,cpu,net_cls:ce-compile
cgroup_mem_parent: "ce-compile"
cgroup_pids_parent: "ce-compile"
cgroup_net_cls_parent: "ce-compile"
cgroup_cpu_parent: "ce-compile"
cgroup_mem_max: 1342177280 # 1.25 GiB
cgroup_pids_max: 64 # go uses a bunch (probably one per CPU, on my desktop)
cgroup_cpu_ms_per_sec: 1000
mount {
src: "/bin"
dst: "/bin"
is_bind: true
}
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr"
dst: "/usr"
is_bind: true
}
mount {
src: "/etc/localtime"
dst: "/etc/localtime"
is_bind: true
}
mount {
src_content: "nobody:x:65534:65534:Not root:/root:/none\nce:x:10240:10240:Not a real account:/app:/bin/bash"
dst: "/etc/passwd"
is_bind: true
}
mount {
src_content: "nogroup:x:65534:\n\nce:x:10240:"
dst: "/etc/group"
is_bind: true
}
mount {
# this password hash is here intentionally, and is not actually used for anything
src_content: "ce:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::"
dst: "/etc/shadow"
is_bind: true
}
# Mounting ld.so.conf* is needed to get the magic that lets pthread be found by libc.
# See https://github.com/compiler-explorer/compiler-explorer/issues/2611
mount {
src: "/etc/ld.so.conf.d"
dst: "/etc/ld.so.conf.d"
is_bind: true
}
mount {
src: "/etc/ld.so.conf"
dst: "/etc/ld.so.conf"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/lib32"
dst: "/lib32"
is_bind: true
mandatory: false
}
mount {
dst: "/tmp"
fstype: "tmpfs"
options: "size=134217728,nr_inodes=1000" # 128MiB
rw: true
noexec: true
nodev: true
nosuid: true
}
mount {
src: "/dev/null"
dst: "/dev/null"
rw: true
is_bind: true
}
mount {
src: "/dev/zero"
dst: "/dev/zero"
is_bind: true
}
mount {
src: "/dev/urandom"
dst: "/dev/random"
is_bind: true
}
mount {
src: "/dev/urandom"
dst: "/dev/urandom"
is_bind: true
}
mount {
dst: "/proc"
fstype: "proc"
}
mount {
src: "/opt/compiler-explorer"
dst: "/opt/compiler-explorer"
is_bind: true
}
# Needed for icc
mount {
src: "/opt/intel"
dst: "/opt/intel"
is_bind: true
mandatory: false
}
# Needed for ARM non-free compilers
mount {
src: "/opt/arm"
dst: "/opt/arm"
is_bind: true
mandatory: false
}
# Needed for things with shim scripts e.g. Python
mount {
src: "/infra/.deploy/etc/scripts"
dst: "/infra/.deploy/etc/scripts"
is_bind: true
mandatory: false
}