deploy: api privilege

api/src/config.js

@@ -95,6 +95,18 @@ const options = [
         desc: 'Maximum gid to use for runner',
         default: 1500,
         validators: []
+    },
+    {
+        key: 'enable_unshare',
+        desc: 'Enable using unshare to disable networking',
+        default: true,
+        validators: []
+    },
+    {
+        key: 'output_max_size',
+        desc: 'Max size of each stdio buffer',
+        default: 1024,
+        validators: []
     }
 ];
 

api/src/executor/job.js

@@ -73,9 +73,10 @@ class Job {
         logger.info(`Executing job uuid=${this.uuid} uid=${this.uid} gid=${this.gid} runtime=${this.runtime.toString()}`);
         logger.debug('Compiling');
         const compile = this.runtime.compiled && await new Promise((resolve, reject) => {
+            const proc_call = ['unshare', '-n', '-r', 'bash', path.join(this.runtime.pkgdir, 'compile'),this.main, ...this.files].slice(!config.enable_unshare * 3)
             var stdout = '';
             var stderr = '';
-            const proc = cp.spawn('unshare', ['-n', 'bash', path.join(this.runtime.pkgdir, 'compile'),this.main, ...this.files] ,{
+            const proc = cp.spawn(proc_call[0], proc_call.splice(1) ,{
                 env: this.runtime.env_vars,
                 stdio: ['pipe', 'pipe', 'pipe'],
                 cwd: this.dir,
@@ -83,18 +84,24 @@ class Job {
                 gid: this.gid
             });
 
-            const kill_timeout = setTimeout(proc.kill, this.timeouts.compile, 'SIGKILL');
+            const kill_timeout = setTimeout(_ => proc.kill('SIGKILL'), this.timeouts.compile);
 
-            proc.stderr.on('data', d=>stderr += d);
+            proc.stderr.on('data', d=>{if(stderr.length>config.output_max_size) proc.kill('SIGKILL'); else stderr += d;});
-            proc.stdout.on('data', d=>stdout += d);
+            proc.stdout.on('data', d=>{if(stdout.length>config.output_max_size) proc.kill('SIGKILL'); else stdout += d;});
 
             proc.on('exit', (code, signal)=>{
                 clearTimeout(kill_timeout);
+                proc.stderr.destroy()
+                proc.stdout.destroy()
+                
                 resolve({stdout, stderr, code, signal});
             });
 
             proc.on('error', (err) => {
                 clearTimeout(kill_timeout);
+                proc.stderr.destroy()
+                proc.stdout.destroy()
+
                 reject({error: err, stdout, stderr});
             });
         });
@@ -102,9 +109,10 @@ class Job {
         logger.debug('Running');
 
         const run = await new Promise((resolve, reject) => {
+            const proc_call = ['unshare', '-n', '-r', 'bash', path.join(this.runtime.pkgdir, 'run'), this.main, ...this.args].slice(!config.enable_unshare * 3);
             var stdout = '';            
             var stderr = '';
-            const proc = cp.spawn('unshare', ['-n', 'bash', path.join(this.runtime.pkgdir, 'run'),this.main, ...this.args] ,{
+            const proc = cp.spawn(proc_call[0], proc_call.slice(1) ,{
                 env: this.runtime.env_vars,
                 stdio: ['pipe', 'pipe', 'pipe'],
                 cwd: this.dir,
@@ -112,18 +120,25 @@ class Job {
                 gid: this.gid
             });
             
-            const kill_timeout = setTimeout(proc.kill, this.timeouts.run, 'SIGKILL');
+            const kill_timeout = setTimeout(_ => proc.kill('SIGKILL'), this.timeouts.run);
 
-            proc.stderr.on('data', d=>stderr += d);
+            proc.stderr.on('data', d=>{if(stderr.length>config.output_max_size) proc.kill('SIGKILL'); else stderr += d;});
-            proc.stdout.on('data', d=>stdout += d);
+            proc.stdout.on('data', d=>{if(stdout.length>config.output_max_size) proc.kill('SIGKILL'); else stdout += d;});
+
+            proc.stdin.write(this.stdin)
+            proc.stdin.end()
 
             proc.on('exit', (code, signal)=>{
                 clearTimeout(kill_timeout);
+                proc.stderr.destroy()
+                proc.stdout.destroy()
                 resolve({stdout, stderr, code, signal});
             });
 
             proc.on('error', (err) => {
                 clearTimeout(kill_timeout);
+                proc.stderr.destroy()
+                proc.stdout.destroy()
                 reject({error: err, stdout, stderr});
             });
         });

api/src/ppman/repo.js

@@ -44,9 +44,8 @@ class Repository {
     async import_keys(){
         await this.load();
         logger.info(`Importing keys for repo ${this.slug}`);
-
         await new Promise((resolve,reject)=>{
-            const gpgspawn = cp.spawn('gpg', ['--receive-keys', this.keys], {
+            const gpgspawn = cp.spawn('gpg', ['--receive-keys', ...this.keys], {
                 stdio: ['ignore', 'ignore', 'ignore']
             });
 

docker-compose.yaml

@@ -3,6 +3,7 @@ version: '3.8'
 services:
   piston_api:
     build: api
+    privileged: true
     restart: always
     ports:
       - 6969:6969
@@ -17,7 +18,7 @@ services:
     build: repo
     command: >
       bash -c '/repo/make.sh &&
-      curl http://piston_api:6969/repos -XPOST -d "slug=local&url=file:///repo/index.yaml";
+      true || curl http://piston_api:6969/repos -XPOST -d "slug=local&url=file:///repo/index.yaml";
       echo -e "\nAn error here is fine, it just means its already added it. Perhaps you restarted this container"
       '
     volumes: