From f2fc713a5c433ccfb1a0463aa9183627afd81781 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 12 May 2025 15:37:33 +0200
Subject: [PATCH 1/3] Attach container to custom network with disabled ICC

---
 starter/runner.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/starter/runner.py b/starter/runner.py
index 3f8c027..a1fe7d1 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -41,6 +41,7 @@
 GID = os.environ.get("PYTHON_RUNNER_GID", "")
 USER = os.environ.get("PYTHON_RUNNER_USER", "")
 GROUP = os.environ.get("PYTHON_RUNNER_GROUP", "")
+NETWORK = os.environ.get("PYTHON_RUNNER_NETWORK", "runner-net")
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
     OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
@@ -268,6 +269,8 @@ def run_python(data):
         env_file,
         "-v",
         "{}:/scripts".format(tmp_dir),
+        "--network",
+        NETWORK,
     ]
     logging.debug("command: %s", command)
 
From c372458ee43be7f88b02e5b41e49adc772233b0b Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 12 May 2025 16:05:00 +0200
Subject: [PATCH 2/3] Allow mounting root filesystem as read-only

---
 starter/runner.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/starter/runner.py b/starter/runner.py
index a1fe7d1..95e8d5f 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -42,6 +42,9 @@
 USER = os.environ.get("PYTHON_RUNNER_USER", "")
 GROUP = os.environ.get("PYTHON_RUNNER_GROUP", "")
 NETWORK = os.environ.get("PYTHON_RUNNER_NETWORK", "runner-net")
+READ_ONLY_FILESYSTEM = os.environ.get('PYTHON_RUNNER_READ_ONLY_FILESYSTEM', 'false').lower() == 'true'
+# 100MB by default
+TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get('PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES', '104857600')
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
     OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
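Review bot: Nothing in the patch creates `runner-net` or checks that it was created with inter-container communication disabled, so the property named in the subject rests entirely on an out-of-band `docker network create --opt com.docker.network.bridge.enable_icc=false runner-net`, and the `NETWORK = ...` line should carry a comment stating that prerequisite. It is also worth recording there what ICC=off does and does not buy: it stops runner containers on that bridge from talking to each other, but a sandboxed script can still reach the Docker host, any host-published ports and the internet unless the network is also created `--internal`, or the runner is started with `--network none` when scripts need no network at all. Suggested comment: `# Must be created before the first run with --opt com.docker.network.bridge.enable_icc=false; ICC=off only isolates runners from each other, not from the host or the internet.`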
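Review bot: The two added list elements attach the container to `NETWORK` unconditionally, so an operator who sets `PYTHON_RUNNER_NETWORK` to an empty string gets `docker run` rejecting an empty network name rather than the previous default networking, and there is no way to opt out. Since these are elements of a list literal, the guard can be written in place as `*(["--network", NETWORK] if NETWORK else []),`, or the runner can validate `NETWORK` once at startup and fail with a clear message instead of on the first script execution. The `command` literal and run_python's body both continue outside the hunk.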
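Review bot: `TMPFS_MOUNT_SIZE_IN_BYTES` is kept as a raw string and, in the later hunk of this patch, interpolated straight into the `type=tmpfs,dst=/tmp,tmpfs-size=...` option string, so a non-numeric value is only caught by `docker run` at execution time and a value containing a comma would splice extra mount options into the spec. Parsing it once at import, `TMPFS_MOUNT_SIZE_IN_BYTES = int(os.environ.get("PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"))`, turns bad configuration into a clear startup failure and guarantees only digits reach the mount string; the variable is operator-controlled, so this is hardening rather than a vulnerability, and rejecting unit suffixes is consistent with the `_IN_BYTES` name. The comment `# 100MB by default` would also be more useful as `# tmpfs size for /tmp in bytes; 100 MiB (104857600) by default`.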
@@ -272,7 +275,6 @@ def run_python(data):
         "--network",
         NETWORK,
     ]
-    logging.debug("command: %s", command)
 
     # timezone, if not set TIME_ZONE in settings then set time zone use timezone_command
     if timezone_command:
@@ -296,6 +298,10 @@ def run_python(data):
         user_operation += ":" + str(GID)
     if user_operation:
         command.extend(["-u", user_operation])
+    if READ_ONLY_FILESYSTEM:
+        command.append("--read-only")
+        # Add tmpfs mount for /tmp (100MB)
+        command.extend(["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"])
     # other options, these options are experimental, may cause failure to start script
     if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
         for option in OTHER_OPTIONS:
@@ -310,6 +316,7 @@ def run_python(data):
     logging.debug("try to execute this python runner image: %s", PYTHON_RUNNER_IMAGE)
     command.append(PYTHON_RUNNER_IMAGE)
     command.append("run")  # override command
+    logging.debug("command: %s", command)
 
     start_at = time.time()
 
From 059957ef282e34d128ea4ddeddb010d7ae2e6b49 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 12 May 2025 16:10:26 +0200
Subject: [PATCH 3/3] Fix code style

---
 starter/runner.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/starter/runner.py b/starter/runner.py
index 95e8d5f..8d66613 100644
--- a/starter/runner.py
+++ b/starter/runner.py
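Review bot: The comment `# Add tmpfs mount for /tmp (100MB)` on the new `--read-only` branch is stale the moment it lands, because the size comes from `TMPFS_MOUNT_SIZE_IN_BYTES` and is operator-configurable; `# writable scratch space: /tmp as tmpfs, capped at TMPFS_MOUNT_SIZE_IN_BYTES` says what the line actually does. Note also that `--read-only` applies to the container's root filesystem only: the `-v tmp_dir:/scripts` bind mount built earlier in this command (visible as context in the first patch) stays read-write, so a sandboxed script can still rewrite its own sources and leave `__pycache__` behind in the host's temporary directory. If the runner does not collect output from /scripts, mounting it with `:ro` is the natural complement to this flag; otherwise a comment should record that /scripts is deliberately writable. run_python's body continues outside the hunk.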
@@ -42,9 +42,13 @@
 USER = os.environ.get("PYTHON_RUNNER_USER", "")
 GROUP = os.environ.get("PYTHON_RUNNER_GROUP", "")
 NETWORK = os.environ.get("PYTHON_RUNNER_NETWORK", "runner-net")
-READ_ONLY_FILESYSTEM = os.environ.get('PYTHON_RUNNER_READ_ONLY_FILESYSTEM', 'false').lower() == 'true'
+READ_ONLY_FILESYSTEM = (
+    os.environ.get("PYTHON_RUNNER_READ_ONLY_FILESYSTEM", "false").lower() == "true"
+)
 # 100MB by default
-TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get('PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES', '104857600')
+TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
+    "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
+)
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
     OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
@@ -301,7 +305,9 @@ def run_python(data):
     if READ_ONLY_FILESYSTEM:
         command.append("--read-only")
         # Add tmpfs mount for /tmp (100MB)
-        command.extend(["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"])
+        command.extend(
+            ["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"]
+        )
     # other options, these options are experimental, may cause failure to start script
     if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
         for option in OTHER_OPTIONS: