From 738971e180977099c81c40b6dddb36d680324419 Mon Sep 17 00:00:00 2001
From: William Di Luigi
Date: Sun, 18 Dec 2022 16:18:15 +0100
Subject: [PATCH] Switch to isolate v2 with Ubuntu 22.04
Co-authored-by: Filippo Casarin
---
.github/workflows/main.yml | 2 +-
Dockerfile | 3 +--
cms/grading/Sandbox.py | 2 +-
config/isolate.conf.sample | 28 ++++++++++++++++++++++++++++
docker-compose.test.yml | 3 +--
isolate | 2 +-
prerequisites.py | 4 ++--
7 files changed, 35 insertions(+), 9 deletions(-)
create mode 100644 config/isolate.conf.sample
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b4ee06799b..1cc293e8c2 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,7 +6,7 @@ on:
jobs:
test:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
steps: - uses: actions/checkout@v2
diff --git a/Dockerfile b/Dockerfile
index 1b2624a7f1..ae61a90a76 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,7 @@
# syntax=docker/dockerfile:1
FROM ubuntu:20.04
-RUN apt-get update
-RUN apt-get install -y \
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
build-essential \
cgroup-lite \
cppreference-doc-en-html \
diff --git a/cms/grading/Sandbox.py b/cms/grading/Sandbox.py
index 741b68dad7..5ec85d3e7c 100644
--- a/cms/grading/Sandbox.py
+++ b/cms/grading/Sandbox.py
@@ -1076,7 +1076,7 @@ def build_box_options(self):
if self.box_id is not None:
res += ["--box-id=%d" % self.box_id]
if self.cgroup:
- res += ["--cg", "--cg-timing"]
+ res += ["--cg"]
if self.chdir is not None:
res += ["--chdir=%s" % self.chdir]
for src, dest, options in self.dirs:
diff --git a/config/isolate.conf.sample b/config/isolate.conf.sample
new file mode 100644
index 0000000000..bfcfcc4355
--- /dev/null
+++ b/config/isolate.conf.sample
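Review bot: The base image is still `FROM ubuntu:20.04` (an unchanged context line at the top of the Dockerfile hunk), while the commit title and the CI runner in `.github/workflows/main.yml` move to Ubuntu 22.04, so the containerised tests keep running against the older userland. If the intent is to test on 22.04, change the line to `FROM ubuntu:22.04`; if 20.04 is kept on purpose, add a comment above it saying why. The package list continues past the end of the hunk, so whether every package name is still valid on 22.04 cannot be checked from here.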
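Review bot: Dropping `--cg-timing` in the `if self.cgroup:` branch is only safe when the isolate binary that actually runs is the v2 build from the updated submodule, and nothing visible in this hunk checks which version will be executed. Against an older binary that is still installed, the same command line would presumably run without cgroup-wide time accounting, which weakens the time limit the grader relies on. Consider a comment on the new line such as `# isolate v2 dropped --cg-timing; with --cg, timing is expected to be cgroup-based (confirm against the pinned isolate)`, plus a version check when the sandbox is initialised. `build_box_options` starts and ends outside the hunk.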
@@ -0,0 +1,28 @@
+# This is a configuration file for Isolate
+
+# All sandboxes are created under this directory.
+# To avoid symlink attacks, this directory and all its ancestors
+# must be writeable only to root.
+box_root = /var/local/lib/isolate
+
+# Directory where lock files are created.
+lock_root = /run/isolate/locks
+
+# Control group under which we place our subgroups
+# Either an explicit path to a subdirectory in cgroupfs, or "auto:file" to read
+# the path from "file", where it is put by isolate-cg-helper.
+cg_root = /sys/fs/cgroup
+
+# Block of UIDs and GIDs reserved for sandboxes
+first_uid = 60000
+first_gid = 60000
+num_boxes = 1000
+
+# Only root can create new sandboxes (default: 0=everybody can)
+#restricted_init = 1
+
+# Per-box settings of the set of allowed CPUs and NUMA nodes
+# (see linux/Documentation/cgroups/cpusets.txt for precise syntax)
+
+#box0.cpus = 4-7
+#box0.mems = 1
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
index 8a121b313f..64a35faf71 100644
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -1,5 +1,3 @@
-version: "3.3"
-
services:
testdb:
image: postgres
@@ -19,6 +17,7 @@ services:
volumes: - "./codecov:/home/cmsuser/cms/codecov"
privileged: true
+ cgroup: host
command: >
wait-for-it testdb:5432 -- sh -c " dropdb --host=testdb --username=postgres cmsdbfortesting ;
diff --git a/isolate b/isolate
index eda2c65acd..758ab000e3 160000
--- a/isolate
+++ b/isolate
@@ -1 +1 @@
-Subproject commit eda2c65acd9ad5d4fc8ba46884e66445a8fca1b8
+Subproject commit 758ab000e3a1bcf1e57ffddea2340ffa1a5af49b
diff --git a/prerequisites.py b/prerequisites.py
index 0968b50a22..159a3890fe 100755
--- a/prerequisites.py
+++ b/prerequisites.py
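Review bot: `cg_root = /sys/fs/cgroup` points isolate at the top of the cgroup hierarchy rather than at a subtree reserved for it, and `prerequisites.py` in this same commit installs this sample as the live configuration. On a host where an init system manages that hierarchy, creating sandbox subgroups at the root can conflict with it; the file's own comment names the `auto:file` form as the alternative. Suggest adding a line above the setting such as `# NOTE: the cgroup root is presumably meant for the privileged test container; on a real worker use a delegated subtree`. It would also help to state next to `first_uid`/`first_gid` that the reserved block must not overlap real accounts, and to say whether `restricted_init` should be enabled on workers.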
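Review bot: Adding `cgroup: host` to a service that already sets `privileged: true` gives the test container the host's cgroup namespace with full privileges, so anything run inside it can modify the host's control groups. That is presumably what isolate v2 needs here, but the file does not say so; add a comment above the two keys, e.g. `# isolate needs write access to the host cgroup tree; test-only, do not copy into a production compose file`. The service definition starts above the hunk, so any other options it sets are not visible.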
@@ -226,8 +226,8 @@ def install_isolate():
print("===== Copying isolate config to /usr/local/etc/")
makedir(os.path.join(USR_ROOT, "etc"), root, 0o755)
- copyfile(os.path.join(".", "isolate", "default.cf"),
- os.path.join(USR_ROOT, "etc", "isolate"),
+ copyfile(os.path.join(".", "config", "isolate.conf.sample"),
+ os.path.join(USR_ROOT, "etc", "isolate", "isolate.cf"),
root, 0o640, group=cmsuser_grp)
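Review bot: The destination is now a file inside `USR_ROOT/etc/isolate/`, but the visible lines only create `USR_ROOT/etc`, so `copyfile` depends on something else having created the `isolate` directory. On a machine set up by the previous version, `USR_ROOT/etc/isolate` is a regular file (the old destination), and the new path cannot be written until that file is removed. Suggest adding `makedir(os.path.join(USR_ROOT, "etc", "isolate"), root, 0o755)` before the copy, handling the leftover file, and updating the printed message to name the new path. It is also worth confirming that the isolate binary built from the submodule reads `etc/isolate/isolate.cf`; `install_isolate` begins and ends outside the hunk.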