Improve isolation, execution limits and execution metrics by using Isolate (#683)

* Initial: use Isolate for isolation * Continue: use Isolate for isolation * Bug fixes * timeout is wall-time for backward compatibility * Documentation, signal names, reported time in ms * Report memory usage in bytes * Add privileged flags where needed * Remove tmpfs * Remove tmpfs * Fix package installation * Fix path, fix Zig: CRLF -> LF
2025-06-07 18:56:26 +02:00 · 2024-09-08 04:58:40 +03:00 · 2024-09-08 04:58:40 +03:00 · bd42fe3357
commit bd42fe3357
parent 59338eee33
22 changed files with 508 additions and 454 deletions
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -1,20 +1,29 @@
-FROM node:15.10.0-buster-slim
+FROM buildpack-deps:bookworm AS isolate
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git libcap-dev && \
+    rm -rf /var/lib/apt/lists/* && \
+    git clone https://github.com/envicutor/isolate.git /tmp/isolate/ && \
+    cd /tmp/isolate && \
+    git checkout af6db68042c3aa0ded80787fbb78bc0846ea2114 && \
+    make -j$(nproc) install && \
+    rm -rf /tmp/*
+
+FROM node:20-bookworm-slim

 ENV DEBIAN_FRONTEND=noninteractive

 RUN dpkg-reconfigure -p critical dash
-RUN for i in $(seq 1001 1500); do \
-        groupadd -g $i runner$i && \
-        useradd -M runner$i -g $i -u $i ; \
-    done
 RUN apt-get update && \
    apt-get install -y libxml2 gnupg tar coreutils util-linux libc6-dev \
    binutils build-essential locales libpcre3-dev libevent-dev libgmp3-dev \
    libncurses6 libncurses5 libedit-dev libseccomp-dev rename procps python3 \
    libreadline-dev libblas-dev liblapack-dev libpcre3-dev libarpack2-dev \
    libfftw3-dev libglpk-dev libqhull-dev libqrupdate-dev libsuitesparse-dev \
-    libsundials-dev libpcre2-dev && \
+    libsundials-dev libpcre2-dev libcap-dev && \
    rm -rf /var/lib/apt/lists/*
+RUN useradd -M piston
+COPY --from=isolate /usr/local/bin/isolate /usr/local/bin
+COPY --from=isolate /usr/local/etc/isolate /usr/local/etc/isolate

 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen

@ -23,7 +32,5 @@ COPY ["package.json", "package-lock.json", "./"]
 RUN npm install
 COPY ./src ./src

-RUN make -C ./src/nosocket/ all && make -C ./src/nosocket/ install
-
-CMD [ "node", "src"]
+CMD ["/piston_api/src/docker-entrypoint.sh"]
 EXPOSE 2000/tcp