| Commit message (Collapse) | Author | Lines |
|---|
|
The self-hosted runner has cgroupv2 enabled. It's only needed to run
the tests on a cgroupv2 system. Only lint, push the image, and deploy
it on one runner to avoid redundancy.
|
|
Fix NsJail failing to set the swap limit because it tries to write to
a file that doesn't exist.
Log a warning if swap is on, the swap controller is disabled, and the
NsJail config is attempting to limit swap memory.
|
|
Memory limit of the parent doesn't need to be modified because NsJail
is now able to set the swap limit itself.
|
|
|
|
The NsJail config can be overridden by command-line arguments. However,
there is no way to negate `--use_cgroupv2`. Hence, manual correction
of the config by the user is required.
|
|
|
|
|
|
`test_numpy_import` fails when running with `pipenv run tests`, since
numpy was not installed. Modify the pipenv script to install numpy
before starting the tests.
|
|
Dynamically calculate the position of the arguments rather than
hard-coding them.
|
|
|
|
The updated versions adds support for telling NsJail to set the max swap
memory in the cgroup.
Resolve #125
|
|
They're encoded with the system's locale, so that's what should be used
to read them.
|
|
Ensure the cgroupv2 mount exists, subtree_control is not empty, and
swap is disabled.
Fix #126
Fix #102
|
|
|
|
|
|
|
|
Remove the rename step from the protobuf generation script to get around
a bug causing failures in the test suite.
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
Bumps protobuf from ~=3.14 to ==3.19. 3.19 was already a valid upgrade
from ~=3.14, but it introduced a breaking bug. The dependency has been
locked for now to avoid any more unintended bugs.
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
|
|
|
|
According to https://github.com/google/nsjail/pull/119, the flag should be passed for NsJail to try to use cgroupv2. This commit will use the /sys/fs/cgroup structure to guess the installed version, and depending on the version add that flag.
|
|
|
|
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
Signed-off-by: Hassan Abouelela <[email protected]>
|
|
This test ensures that spawned child processes inherit the same resource group as the parent by spawning 2 child processes which each allocate a 40MB object, it then verifies that one of the child processes was killed with SIGKILL for violating the resource quota.
|
|
|
|
We define a few environment variables to stop third party libraries trying to default to spawning more processes, with the PID limit modification we can increase these values.
|
|
Processes spawned in snekbox now have up to 5 PIDs available, each sharing the same memory limits and environment as the parent python process. As far as I could see in testing this does appear safe and processes behave as expected even when detatching from the parent or exceeding memory limits.
|
|
|
|
Snekbox is lacking an IANA timezone database, this first-party `tzdata` package will provide them. It can be tested by running the following script:
```py
import zoneinfo
if len(zoneinfo.available_timezones()) == 0:
print("The environment doesn't have a valid IANA database.")
```
|
|
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5)
---
updated-dependencies:
- dependency-name: urllib3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
|
|
|
|
Co-authored-by: Mark <[email protected]>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
the potential case where this is bypassable
Since snekbox does not run with a tty, stdout is technically raw bytes, and thus incomplete surrogate pairs can be printed without the client application erroring, and instead fail within _consume_stdout when we attempt to decode it to a str.
This commit sets the PYTHONIOENCODING environment variable to inform python to open the pipe in utf-8 mode.
However, clever use of execl and os.unsetenv() can unset this environment variable, so we add a safety check to _consume_stdout to fail out of parsing output if it contains invalid unicode. This should only happen in deliberate cases, or significant bugs in python or a c library where output is printed to stdout ignoring the python stdout encoding.
|
|
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.3 to 1.26.4.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.3...1.26.4)
Signed-off-by: dependabot[bot] <[email protected]>
|
|
|
|
|
|
It needs setuptools which requires --ignore-installed to be used.
That causes all dependencies to be re-installed and therefore always
invalidates the cache. Not worth it.
|
|
|
MarkKoz
Nightfurex
Hassan Abouelela
Matteo Bertucci
aru
Joe Banks
Thomas Grainger
dependabot[bot]
ToxicKidz
Bast
Joe Banks