Switch to isolate v2 with Ubuntu 22.04

Co-authored-by: Filippo Casarin <casarin.filippo17@gmail.com>
cms-dev · Oct 5, 2024 · 738971e · 738971e
1 parent f0d969b
commit 738971e
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 9 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - uses: actions/checkout@v2

diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,7 @@
 # syntax=docker/dockerfile:1
 FROM ubuntu:20.04
 
-RUN apt-get update
-RUN apt-get install -y \
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
     build-essential \
     cgroup-lite \
     cppreference-doc-en-html \

diff --git a/cms/grading/Sandbox.py b/cms/grading/Sandbox.py
@@ -1076,7 +1076,7 @@ def build_box_options(self):
         if self.box_id is not None:
             res += ["--box-id=%d" % self.box_id]
         if self.cgroup:
-            res += ["--cg", "--cg-timing"]
+            res += ["--cg"]
         if self.chdir is not None:
             res += ["--chdir=%s" % self.chdir]
         for src, dest, options in self.dirs:

diff --git a/config/isolate.conf.sample b/config/isolate.conf.sample
@@ -0,0 +1,28 @@
+# This is a configuration file for Isolate
+
+# All sandboxes are created under this directory.
+# To avoid symlink attacks, this directory and all its ancestors
+# must be writeable only to root.
+box_root = /var/local/lib/isolate
+
+# Directory where lock files are created.
+lock_root = /run/isolate/locks
+
+# Control group under which we place our subgroups
+# Either an explicit path to a subdirectory in cgroupfs, or "auto:file" to read
+# the path from "file", where it is put by isolate-cg-helper.
+cg_root = /sys/fs/cgroup
+
+# Block of UIDs and GIDs reserved for sandboxes
+first_uid = 60000
+first_gid = 60000
+num_boxes = 1000
+
+# Only root can create new sandboxes (default: 0=everybody can)
+#restricted_init = 1
+
+# Per-box settings of the set of allowed CPUs and NUMA nodes
+# (see linux/Documentation/cgroups/cpusets.txt for precise syntax)
+
+#box0.cpus = 4-7
+#box0.mems = 1
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
@@ -1,5 +1,3 @@
-version: "3.3"
-
 services:
   testdb:
     image: postgres
@@ -19,6 +17,7 @@ services:
     volumes:
       - "./codecov:/home/cmsuser/cms/codecov"
     privileged: true
+    cgroup: host
     command: >
       wait-for-it testdb:5432 -- sh -c "
       dropdb --host=testdb --username=postgres cmsdbfortesting ;

diff --git a/isolate b/isolate
diff --git a/prerequisites.py b/prerequisites.py
@@ -226,8 +226,8 @@ def install_isolate():
 
     print("===== Copying isolate config to /usr/local/etc/")
     makedir(os.path.join(USR_ROOT, "etc"), root, 0o755)
-    copyfile(os.path.join(".", "isolate", "default.cf"),
-             os.path.join(USR_ROOT, "etc", "isolate"),
+    copyfile(os.path.join(".", "config", "isolate.conf.sample"),
+             os.path.join(USR_ROOT, "etc", "isolate", "isolate.cf"),
              root, 0o640, group=cmsuser_grp)