Mount only what's needed in the chroot jail

devfs and sysfs were problematic since they were being mounted as tmpfs, which is r/w. For example, the Python process could write to cgroups. Now, only what is needed to run Python gets mounted. This boils down to the venv itself and some shared libraries Python needs. * Use a config file for NsJail instead of command-line options * Map 65534 (nobody) user & group inside the user namespace to 65534 outside the namespace rather than mapping to current uid/guid (which was 0 AKA root)
author: MarkKoz <[email protected]> 2019-12-28 15:17:34 -0800
committer: MarkKoz <[email protected]> 2019-12-28 20:53:29 -0800
commit: b2fb654371a07a77ba4a39f11395836c6b593527 (patch)
tree: 7b1c9deded3c936a0a4201bdfe6c2849b2482ed2 /docker/venv.Dockerfile
parent: Disable shared memory in Docker container (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/docker/venv.Dockerfile b/docker/venv.Dockerfile
index be15f08..b415430 100644
--- a/docker/venv.Dockerfile
+++ b/docker/venv.Dockerfile
@@ -7,7 +7,7 @@ ENV PIP_NO_CACHE_DIR=false \
     PIPENV_NOSPIN=1 \
     PIPENV_VENV_IN_PROJECT=1
 
-COPY Pipfile Pipfile.lock /snekbox/
+COPY Pipfile Pipfile.lock snekbox.cfg /snekbox/
 WORKDIR /snekbox
 
 RUN if [ -n "${DEV}" ]; then pipenv sync --dev; else pipenv sync; fi
author	MarkKoz <[email protected]>	2019-12-28 15:17:34 -0800
committer	MarkKoz <[email protected]>	2019-12-28 20:53:29 -0800
commit	b2fb654371a07a77ba4a39f11395836c6b593527 (patch)
tree	7b1c9deded3c936a0a4201bdfe6c2849b2482ed2 /docker/venv.Dockerfile
parent	Disable shared memory in Docker container (diff)