| Commit message (Collapse) | Author | Age | Lines |
|---|
| |\
| |
| |
| | |
Use PYTHONIOENCODING to enable utf-8 stdout for the nsjail pipe,
and handle the potential case where this is bypassable.
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
| |
the potential case where this is bypassable
Since snekbox does not run with a tty, stdout is technically raw bytes, and thus incomplete surrogate pairs can be printed without the client application erroring, and instead fail within _consume_stdout when we attempt to decode it to a str.
This commit sets the PYTHONIOENCODING environment variable to inform python to open the pipe in utf-8 mode.
However, clever use of execl and os.unsetenv() can unset this environment variable, so we add a safety check to _consume_stdout to fail out of parsing output if it contains invalid unicode. This should only happen in deliberate cases, or significant bugs in python or a c library where output is printed to stdout ignoring the python stdout encoding.
|
| |
|
|
|
|
|
|
| |
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.3 to 1.26.4.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.3...1.26.4)
Signed-off-by: dependabot[bot] <[email protected]>
|
| | |
|
| |\ |
|
| |/ |
|
| |
|
|
|
| |
It needs setuptools which requires --ignore-installed to be used.
That causes all dependencies to be re-installed and therefore always
invalidates the cache. Not worth it.
|
| | |
|
| |\
| |
| | |
Bump urllib3 from 1.26.2 to 1.26.3
|
| |/
|
|
|
|
|
|
| |
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.2 to 1.26.3.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.2...1.26.3)
Signed-off-by: dependabot[bot] <[email protected]>
|
| |\ |
|
| | |
| |
| |
| | |
Test was relying on 137 which is SIGKILL, when instead it would receive 143, or SIGTERM.
|
| | |
| |
| |
| | |
This should be addressed by sending SIGTERM to nsjail instead of SIGKILL, since nsjail then gets an opportunity to run clean-up logic which includes removing cgroups.
|
| |/ |
|
| |
|
|
|
|
|
|
| |
Relying on git to handle line endings means contributors have more
flexibility with which line endings they want to use on check-out.
The settings in .gitattributes only impose which line endings will
be used upon check-in (LF), which should not impact local development;
git will still respect the core.eol and core.autocrlf settings.
|
| | |
|
| |\
| |
| |
| | |
A test is still broken, but it's due to a bug in the code being
tested rather than in the test itself. It'll be fixed separately.
|
| | |\
| |/
|/|
| | |
The branch needs the fixes from #94 to make the tests pass.
|
| |\ \
| | |
| | | |
Remove all child cgroups before removing parents
|
| |/ / |
|
| |\ \
| | |
| | | |
Dynamically create parent cgroups
|
| | |\ \
| |/ /
|/| | |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
CI was building the image twice: once with dev dependencies and again
without. Separating the pipenv command into separate layers allows the
second build in CI to take advantage of the cache for the base
dependencies that it will share across both builds.
Install numpy along with the dev dependencies within the container.
Previously it was installed in CI only, but this meant extra work for
those running tests locally.
Install numpy to the correct site.
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | | |
The logs clutter up the test output way too much.
|
| | |/
|/|
| |
| |
| | |
Generating the report in the same step resulted in the report exit code
overriding the exit code of the test runner.
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoid redundant specification of Docker settings.
The compose file is set up to build all stages. This makes sense for
local development; both an interactive shell and running the webserver
are useful. Therefore, the image built is tagged "snekbox:dev".
However, CI does not need to run a webserver. It is therefore sufficient
for it to only build to the venv stage, and it does exactly that. The
image in CI is tagged as "snekbox-venv:<git sha>".
To facilitate the discrepancy in image tags, the suffix for the image
tag can be set with the new IMAGE_SUFFIX environment variable. Docker
Compose will use this to determine the image from which to create a
container.
A TTY needs to be allocated to prevent the container from exiting
immediately after starting. This is probably because the entrypoint
is Python (inherited from the base image), and the REPL relies on a TTY.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
The new name better conveys what the script does.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Managing development containers through Docker Compose is convenient.
However, it isn't quite flexible enough to facilitate both development
and normal use. It's not really worth accommodating the latter since
the container gets pushed to a registry and that's the intended way to
run the service. Anyone that is checking out the repository and
therefore has access to the compose file is likely a developer, not a
user.
|
| | | |
|
| |/
|
|
|
|
| |
The information is only relevant to developers. The README is what all
users will read; they shouldn't be subject to information that isn't
necessarily relevant to them.
|
| |\ |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The Python script uses the same underlying code Falcon uses to invoke
nsjail. It allows for the omission of redundant shell code that set up
cgroups and nsjail args.
This is also a step towards removing dependence on shell scripts and
thus resolving #73.
|
| | | |
|
| | | |
|
| | | |
|
Mark
Bast
dependabot[bot]
Joe Banks
Matteo Bertucci
Joe Banks