| Commit message (Collapse) | Author | Lines |
|---|
|
|
|
According to https://github.com/google/nsjail/pull/119, the flag should be passed for NsJail to try to use cgroupv2. This commit will use the /sys/fs/cgroup structure to guess the installed version, and depending on the version add that flag.
|
|
|
|
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
This test ensures that spawned child processes inherit the same resource group as the parent by spawning 2 child processes which each allocate a 40MB object, it then verifies that one of the child processes was killed with SIGKILL for violating the resource quota.
|
|
|
|
We define a few environment variables to stop third party libraries trying to default to spawning more processes, with the PID limit modification we can increase these values.
|
|
Processes spawned in snekbox now have up to 5 PIDs available, each sharing the same memory limits and environment as the parent python process. As far as I could see in testing this does appear safe and processes behave as expected even when detatching from the parent or exceeding memory limits.
|
|
|
|
Snekbox is lacking an IANA timezone database, this first-party `tzdata` package will provide them. It can be tested by running the following script:
```py
import zoneinfo
if len(zoneinfo.available_timezones()) == 0:
print("The environment doesn't have a valid IANA database.")
```
|
|
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5)
---
updated-dependencies:
- dependency-name: urllib3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
|
|
|
|
Co-authored-by: Mark <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
the potential case where this is bypassable
Since snekbox does not run with a tty, stdout is technically raw bytes, and thus incomplete surrogate pairs can be printed without the client application erroring, and instead fail within _consume_stdout when we attempt to decode it to a str.
This commit sets the PYTHONIOENCODING environment variable to inform python to open the pipe in utf-8 mode.
However, clever use of execl and os.unsetenv() can unset this environment variable, so we add a safety check to _consume_stdout to fail out of parsing output if it contains invalid unicode. This should only happen in deliberate cases, or significant bugs in python or a c library where output is printed to stdout ignoring the python stdout encoding.
|
|
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.3 to 1.26.4.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.3...1.26.4)
Signed-off-by: dependabot[bot] <[email protected]>
|
|
|
|
|
|
It needs setuptools which requires --ignore-installed to be used.
That causes all dependencies to be re-installed and therefore always
invalidates the cache. Not worth it.
|
|
|
|
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.2 to 1.26.3.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.2...1.26.3)
Signed-off-by: dependabot[bot] <[email protected]>
|
|
Test was relying on 137 which is SIGKILL, when instead it would receive 143, or SIGTERM.
|
|
This should be addressed by sending SIGTERM to nsjail instead of SIGKILL, since nsjail then gets an opportunity to run clean-up logic which includes removing cgroups.
|
|
|
|
Relying on git to handle line endings means contributors have more
flexibility with which line endings they want to use on check-out.
The settings in .gitattributes only impose which line endings will
be used upon check-in (LF), which should not impact local development;
git will still respect the core.eol and core.autocrlf settings.
|
|
|
|
CI was building the image twice: once with dev dependencies and again
without. Separating the pipenv command into separate layers allows the
second build in CI to take advantage of the cache for the base
dependencies that it will share across both builds.
Install numpy along with the dev dependencies within the container.
Previously it was installed in CI only, but this meant extra work for
those running tests locally.
Install numpy to the correct site.
|
|
|
|
|
|
|
|
|
|
The logs clutter up the test output way too much.
|
|
Generating the report in the same step resulted in the report exit code
overriding the exit code of the test runner.
|
|
Avoid redundant specification of Docker settings.
The compose file is set up to build all stages. This makes sense for
local development; both an interactive shell and running the webserver
are useful. Therefore, the image built is tagged "snekbox:dev".
However, CI does not need to run a webserver. It is therefore sufficient
for it to only build to the venv stage, and it does exactly that. The
image in CI is tagged as "snekbox-venv:<git sha>".
To facilitate the discrepancy in image tags, the suffix for the image
tag can be set with the new IMAGE_SUFFIX environment variable. Docker
Compose will use this to determine the image from which to create a
container.
A TTY needs to be allocated to prevent the container from exiting
immediately after starting. This is probably because the entrypoint
is Python (inherited from the base image), and the REPL relies on a TTY.
|
|
|
|
|
|
|
|
|
|
The new name better conveys what the script does.
|
Matteo Bertucci
aru
Joe Banks
Hassan Abouelela
Thomas Grainger
dependabot[bot]
ToxicKidz
Mark
Bast
Joe Banks
Joe Banks