-rw-r--r-- | .flake8 | 2 | ||||
-rw-r--r-- | .github/CONTRIBUTING.md | 4 | ||||
-rw-r--r-- | Dockerfile | 8 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | config/snekbox.cfg | 4 | ||||
-rwxr-xr-x | scripts/build_python.sh | 8 | ||||
-rw-r--r-- | scripts/install_eval_deps.sh | 2 | ||||
-rw-r--r-- | tests/test_integration.py | 10 | ||||
-rw-r--r-- | tests/test_nsjail.py | 4 |
9 files changed, 22 insertions, 22 deletions
@@ -18,4 +18,4 @@ ignore = # Type Annotations ANN002,ANN003,ANN101,ANN102,ANN204,ANN206 -per-file-ignores = tests/*:D1,ANN +per-file-ignores = tests/*:D1,ANN,E202,E231,E241,E272,E702 diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 1124b8e..67ad71b 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md 
@@ -64,11 +64,11 @@ Other things to look out for are breaking changes to NsJail's config format, its ## Adding and Updating Python Interpreters -Python interpreters are built using pyenv via the `scripts/build_python.sh` helper script. This script accepts a pyenv version specifier (`pyenv install --list`) and builds the interpreter in a version-specific directory under `/lang/python`. In the image, each minor version of a Python interpreter should have its own build stage and the resulting `/lang/python` directory can be copied from that stage into the `base` stage. +Python interpreters are built using pyenv via the `scripts/build_python.sh` helper script. This script accepts a pyenv version specifier (`pyenv install --list`) and builds the interpreter in a version-specific directory under `/snekbin/python`. In the image, each minor version of a Python interpreter should have its own build stage and the resulting `/snekbin/python` directory can be copied from that stage into the `base` stage. When updating a patch version (e.g. 3.11.3 to 3.11.4), edit the existing build stage in the image for the minor version (3.11); do not add a new build stage. To have access to a new version, pyenv likely needs to be updated. To do so, change the tag in the `git clone` command in the image, but only for the build stage that needs access to the new version. Updating pyenv for all build stages will just cause unnecessary build cache invalidations. -To change the default interpreter used by NsJail, update the target of the `/lang/python/default` symlink created in the `base` stage. +To change the default interpreter used by NsJail, update the target of the `/snekbin/python/default` symlink created in the `base` stage. [readme]: ../README.md [Dockerfile]: ../Dockerfile 
@@ -54,11 +54,11 @@ RUN apt-get -y update \ && rm -rf /var/lib/apt/lists/* COPY --link --from=builder-nsjail /nsjail/nsjail /usr/sbin/ -COPY --link --from=builder-py-3_12 /lang/ /lang/ -COPY --link --from=builder-py-3_13 /lang/ /lang/ +COPY --link --from=builder-py-3_12 /snekbin/ /snekbin/ +COPY --link --from=builder-py-3_13 /snekbin/ /snekbin/ RUN chmod +x /usr/sbin/nsjail \ - && ln -s /lang/python/3.12/ /lang/python/default + && ln -s /snekbin/python/3.12/ /snekbin/python/default # ------------------------------------------------------------------------------ FROM base as venv @@ -79,7 +79,7 @@ RUN if [ -n "${DEV}" ]; \ then \ pip install -U -r requirements/coverage.pip \ && export PYTHONUSERBASE=/snekbox/user_base \ - && /lang/python/default/bin/python -m pip install --user numpy~=1.19; \ + && /snekbin/python/default/bin/python -m pip install --user numpy~=1.19; \ fi # At the end to avoid re-installing dependencies when only a config changes. @@ -105,7 +105,7 @@ To expose third-party Python packages during evaluation, install them to a custo ```sh docker exec snekbox /bin/sh -c \ - 'PYTHONUSERBASE=/snekbox/user_base /lang/python/default/bin/python -m pip install --user numpy' + 'PYTHONUSERBASE=/snekbox/user_base /snekbin/python/default/bin/python -m pip install --user numpy' ``` In the above command, `snekbox` is the name of the running container. The name may be different and can be checked with `docker ps`. diff --git a/config/snekbox.cfg b/config/snekbox.cfg index 33cd9e9..778f90e 100644 --- a/config/snekbox.cfg +++ b/config/snekbox.cfg @@ -81,8 +81,8 @@ mount { } mount { - src: "/lang" - dst: "/lang" + src: "/snekbin" + dst: "/snekbin" is_bind: true rw: false } diff --git a/scripts/build_python.sh b/scripts/build_python.sh index 1e6d423..77f50ab 100755 --- a/scripts/build_python.sh +++ b/scripts/build_python.sh 
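Review bot: The bind mount in config/snekbox.cfg is renamed from `/lang` to `/snekbin` with no transitional alias, so a client that still sends a `binary_path` under `/lang/...` will presumably start failing after upgrade. The integration tests in this commit show that `binary_path` is supplied in the request body. Nothing in the visible diff marks this as a breaking change for API consumers; a README or release-note line such as `binary_path values must now be under /snekbin/python/` would cover it. The mount keeps `rw: false`, which should stay as is.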
@@ -4,14 +4,14 @@ shopt -s inherit_errexit py_version="${1}" -# Install Python interpreter under e.g. /lang/python/3.11/ (no patch version). +# Install Python interpreter under e.g. /snekbin/python/3.11/ (no patch version). "${PYENV_ROOT}/plugins/python-build/bin/python-build" \ "${py_version}" \ - "/lang/python/${py_version%[-.]*}" -"/lang/python/${py_version%[-.]*}/bin/python" -m pip install -U pip + "/snekbin/python/${py_version%[-.]*}" +"/snekbin/python/${py_version%[-.]*}/bin/python" -m pip install -U pip # Clean up some unnecessary files to reduce image size bloat. -find /lang/python/ -depth \ +find /snekbin/python/ -depth \ \( \ \( -type d -a \( \ -name test -o -name tests -o -name idle_test \ diff --git a/scripts/install_eval_deps.sh b/scripts/install_eval_deps.sh index 8fa5316..b57a654 100644 --- a/scripts/install_eval_deps.sh +++ b/scripts/install_eval_deps.sh @@ -1,5 +1,5 @@ set -euo pipefail export PYTHONUSERBASE=/snekbox/user_base -find /lang/python -mindepth 1 -maxdepth 1 -type d -print0 | xargs -0I{} bash -c \ +find /snekbin/python -mindepth 1 -maxdepth 1 -type d -print0 | xargs -0I{} bash -c \ '{}/bin/python -m pip install --user -U -r requirements/eval-deps.pip' \; diff --git a/tests/test_integration.py b/tests/test_integration.py index 9ae2da8..7935b6d 100644 --- a/tests/test_integration.py +++ b/tests/test_integration.py @@ -65,12 +65,12 @@ class IntegrationTests(unittest.TestCase): "test default binary is used when binary_path not specified", ), ( - get_python_version_body | {"binary_path": "/lang/python/3.12/bin/python"}, + get_python_version_body | {"binary_path": "/snekbin/python/3.12/bin/python"}, "3.12\n", "test default binary is used when explicitly set", ), ( - get_python_version_body | {"binary_path": "/lang/python/3.13/bin/python"}, + get_python_version_body | {"binary_path": "/snekbin/python/3.13/bin/python"}, "3.13\n", "test alternative binary is used when set", ), 
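Review bot: In scripts/install_eval_deps.sh the `{}` from xargs is spliced into the `bash -c` command string, so each directory name found under `/snekbin/python` is parsed as shell code rather than passed as data. The names come from the image build, so the risk is low today, but passing the path as a positional argument removes the hazard: `xargs -0I{} bash -c '"$1/bin/python" -m pip install --user -U -r requirements/eval-deps.pip' _ {}`. The trailing `\;` is not xargs syntax and only reaches bash as a stray argument (it becomes `$0`), so it can be dropped.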
@@ -85,10 +85,10 @@ class IntegrationTests(unittest.TestCase): """Test that passing invalid binary paths result in no code execution.""" with run_gunicorn(): cases = [ - ("/bin/bash", "test files outside of /lang cannot be run"), + ("/bin/bash", "test files outside of /snekbin cannot be run"), ( - "/lang/../bin/bash", - "test path traversal still stops files outside /lang from running", + "/snekbin/../bin/bash", + "test path traversal still stops files outside /snekbin from running", ), ("/foo/bar", "test non-existant files are not run"), ] diff --git a/tests/test_nsjail.py b/tests/test_nsjail.py index 2d21ad3..a3f1312 100644 --- a/tests/test_nsjail.py +++ b/tests/test_nsjail.py @@ -26,7 +26,7 @@ class NsJailTests(unittest.TestCase): # Hard-coded because it's non-trivial to parse the mount options. self.shm_mount_size = 40 * Size.MiB - self.default_binary_path = "/lang/python/default/bin/python" + self.default_binary_path = "/snekbin/python/default/bin/python" def eval_code(self, code: str): return self.nsjail.python3(["-c", code]) @@ -84,7 +84,7 @@ class NsJailTests(unittest.TestCase): for _ in range({max_pids}): print(subprocess.Popen( [ - '/lang/python/default/bin/python', + '/snekbin/python/default/bin/python', '-c', 'import time; time.sleep(1)' ], |
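Review bot: The invalid-path cases in tests/test_integration.py cover a path outside `/snekbin`, a `..` traversal and a missing file, but the hunk does not show which mechanism rejects them. The diffstat touches no application code, so presumably it is the read-only `/snekbin` mount or an existing check outside this diff. A short comment above `cases` naming that mechanism would let a reader tell what is being regression-tested, e.g. `# Rejected by <mechanism>; see <module>` with the real names filled in. If the rejection is a path comparison, a case for a symlink inside `/snekbin` that resolves outside it would be worth adding, since `/snekbin/python/default` shows symlinks are expected in that tree. The test method starts and ends outside the hunk.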