| Commit message | Author | Age | Lines |
|
Managing development containers through Docker Compose is convenient.
However, it isn't quite flexible enough to facilitate both development
and normal use. It's not really worth accommodating the latter since
the container gets pushed to a registry and that's the intended way to
run the service. Anyone that is checking out the repository and
therefore has access to the compose file is likely a developer, not a
user.
|
The Python script uses the same underlying code Falcon uses to invoke
nsjail. It allows for the omission of redundant shell code that set up
cgroups and nsjail args.
This is also a step towards removing dependence on shell scripts and
thus resolving #73.
|
Include a helper shell script for compilation.
|
Hooks added:
* check-merge-conflict - checks for files with merge conflict strings
* check-toml - attempts to load all toml files to verify syntax
* check-yaml - attempts to load all yaml files to verify syntax
* end-of-file-fixer - ensures files end in a newline and only a newline
* mixed-line-ending - replaces mixed line endings with LF
* trailing-whitespace - trims trailing whitespace
* python-check-blanket-noqa - enforces that noqa annotations always
occur with specific codes
See: python-discord/organisation#138
|
Isolate snekbox's dependencies from the packages available within the
Python interpreter. Disable Python's default behaviour of site-dependent
manipulations of sys.path. The custom directory looks like a user site
to allow `pip install --user` to work with it. However, snekbox will see
it as simply an additional search path for modules rather than as a user
site.
Disable isolated mode (-I) because it implies (-E), which ignores
PYTHON* environment variables. This conflicts with the reliance on
`PYTHONPATH`.
Specify `PYTHONUSERBASE` in the Dockerfile to make installing packages
to expose more intuitive for users. Otherwise, they'd have to remember
to set this variable every time they need to install something.
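Added example, not code from the snekbox repository: a bash helper that runs a child `python3` with the flags this message contrasts and reports what the interpreter actually sees. It assumes `python3` is on PATH; the directory argument is a placeholder for the custom user-site-like package directory, and exporting it as both `PYTHONPATH` and `PYTHONUSERBASE` mirrors the setup described above.

```bash
#!/usr/bin/env bash
# Added example (not snekbox's code): probe how a child python3 treats a
# package directory that is exposed via PYTHONPATH and PYTHONUSERBASE.
#   $1  interpreter flags: "" (none), "-s" or "-I"
#   $2  directory standing in for the custom package directory (assumed path)
# Prints two lines:
#   user_site_enabled=True|False   site.py considers a user site active
#   pythonpath_visible=True|False  $2 ended up on sys.path
probe_sys_path() {
    flags=$1
    pkg_dir=$2
    # $flags is intentionally unquoted so "" expands to no argument at all.
    PYTHONPATH="$pkg_dir" PYTHONUSERBASE="$pkg_dir" python3 $flags -c '
import os, site, sys
target = os.path.realpath(sys.argv[1])
print("user_site_enabled=%s" % site.ENABLE_USER_SITE)
print("pythonpath_visible=%s" % any(os.path.realpath(p) == target for p in sys.path))
' "$pkg_dir"
}
```

With `-s` the directory stays on `sys.path` while the user site is disabled, which is the state the message aims for. With `-I` the directory vanishes, because `-I` implies `-E` and `PYTHONPATH` is ignored. With no flags at all the interpreter treats the directory as a real user site.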
|
I've fixed paths still pointing to the old Dockerfile location. I've
also reverted an error that somehow got committed to the Dockerfile.
|
I've migrated the build pipeline to GitHub Actions and changed the
container registry to GitHub Container Registry. In the process, I've
made some changes to our docker setup and caching:
- We are now using a single multi-stage Dockerfile
Instead of three separate dockerfiles, we are now using a
single multi-stage Dockerfile that can be used to build the three images
we want using build targets.
In part, this is because we're now using the docker buildx build action
currently recommended by docker. This new engine runs in a sandboxed
mode, meaning that while it can export built images to `docker` running
in the host, it cannot import local images from it to base builds on.
- Docker builds are now cached within GitHub Actions
The builds are now cached using the GitHub Actions cache of the build
cache directory. The cache keys try to match a cache generated by a
build that matches the current build as closely as possible. In case of
a cache miss, we fall back to caching from the latest image pushed to
the container repository.
- The `base` and `venv` images now have an inline cache manifest
In order to fall back intelligently to caching from the repository, the
final build and push action for the `base` and `venv` images includes an
"inline" cache manifest. This means that the build process can inspect,
without pulling, if it makes sense to pull layers to speed up the build.
The other option, pushing a cache manifest separately (not inline), is
currently not supported by GHCR.
The custom caching script has been removed.
- Linting errors are now added as GitHub Actions annotations
Just like for some of our other pipelines, linting now generates
annotations if linting errors are observed.
- Coverage is pushed to coveralls.io
A coverage summary is now pushed to coveralls.io. Each CI run will get a
unique job that's linked in the CI output. If the run is attached to a
PR, coveralls.io will automatically add a check link with the coverage
result to the PR as well.
- The README.md, Pipfile, docker-compose, and scripts have been updated
As we now need to pull from and link to the GHCR, I've updated the other
files to reflect these changes, including Pipfile run commands. I've
also changed the CI badge and added a coveralls.io badge.
|
There will be more config files to come so it's cleaner to have them
together than littering the root directory with more files.
|
Error handling is performed inside can_pull so the callers of the
function don't always check its exit code. Because set -e is present, if
can_pull returns 1, bash would consider that function a failed call and
thus exit the entire script with code 1. That, in turn, would cause the
CI job to fail.
|
The array shouldn't be expanded when testing with -v.
|
The script may need to use the master commit several times. The easiest
way to implement the cache was to just cache the response rather than
the commit hash.
|
It was initially used to enable access to variables across jobs, but
the jobs will eventually be consolidated into one so output variables
will no longer be needed.
|
* Use inherit_errexit in check_dockerfiles.sh
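Added example, not code from the project's scripts, covering both this commit and the earlier one about can_pull under `set -e`: two helpers that each run a small script in a fresh bash and hand back its exit status and stdout, so the pitfalls can be observed directly. The `can_pull` stub and its "pull failed" message are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: two ways `set -e` can abort a CI script unexpectedly.
# Each helper runs a small script in a fresh bash and returns its exit
# status, so the behaviour can be checked without touching real scripts.

# Case 1: a function that reports failure via `return 1` after handling the
# error itself (a stand-in for can_pull). $1 selects how the caller calls it.
errexit_function_demo() {
    bash -c '
        set -e
        can_pull() {
            echo "pull failed; already handled inside can_pull" >&2
            return 1
        }
        case "$1" in
            bare)      can_pull ;;                  # plain call: errexit ends the script here
            condition) if can_pull; then :; fi ;;   # tested by if: errexit is suspended
            or_true)   can_pull || true ;;          # status explicitly ignored
        esac
        echo "reached end of script"
    ' _ "$1"
}

# Case 2: a failing command inside a command substitution. By default the
# subshell drops errexit, so `false` is ignored and the assignment succeeds;
# with `shopt -s inherit_errexit` the subshell aborts, the substitution
# returns 1, and errexit in the parent ends the script. $1 is "default" or
# "inherit".
errexit_subst_demo() {
    bash -c '
        set -e
        if [ "$1" = inherit ]; then shopt -s inherit_errexit; fi
        value=$(false; echo "computed after a failure")
        echo "value=[$value]"
    ' _ "$1"
}
```

`errexit_function_demo bare` exits 1 before printing anything, while the `condition` and `or_true` variants reach the end; `errexit_subst_demo default` prints the value computed after the ignored `false`, and `errexit_subst_demo inherit` exits 1 instead (`inherit_errexit` needs bash 4.4 or newer; on older bash the `shopt` call itself fails, which under `set -e` also ends the script with status 1).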
|
A virtual environment is redundant in the context of deployment. It
just increases the size and build time of the image.
* Replace venv with system interpreter
* Mount Python binaries in /usr/local/bin in NsJail
* Fix #61: Python symlink in venv not resolving
* Re-lock Pipfile because it wasn't up to date according to
pipenv install --deploy
|
devfs and sysfs were problematic since they were being mounted as
tmpfs, which is r/w. For example, the Python process could write to
cgroups. Now, only what is needed to run Python gets mounted. This
boils down to the venv itself and some shared libraries Python needs.
* Use a config file for NsJail instead of command-line options
* Map 65534 (nobody) user & group inside the user namespace to 65534
outside the namespace rather than mapping to current uid/gid (which
was 0 AKA root)
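The NsJail choices described in this commit (mount only what Python needs, map uid and gid 65534 inside the user namespace to 65534 outside) together with the later "Replace venv with system interpreter" commit (bind-mount `/usr/local/bin` instead of a venv), written out as an added nsjail text-format config example. This is not snekbox's own config file: the field names follow nsjail's `config.proto`, while the mounted paths, time limit, memory limit and binary path are assumptions chosen for a Debian-based image.

```protobuf
# Added example config, not the project's own. Field names are nsjail's;
# paths and limits are assumed.
name: "python-sandbox-example"
mode: ONCE
time_limit: 6

# nobody inside the user namespace is nobody outside it too, instead of
# being mapped onto the uid that launched nsjail (0 inside the container).
uidmap { inside_id: "65534" outside_id: "65534" count: 1 }
gidmap { inside_id: "65534" outside_id: "65534" count: 1 }

# Only what the interpreter needs, bind-mounted read-only (rw defaults to
# false, it is spelled out here for clarity). No devfs/sysfs/tmpfs-as-root,
# so there is no writable /sys/fs/cgroup inside the jail.
mount { src: "/usr/local/bin" dst: "/usr/local/bin" is_bind: true rw: false }
mount { src: "/usr/local/lib" dst: "/usr/local/lib" is_bind: true rw: false }
mount { src: "/lib"           dst: "/lib"           is_bind: true rw: false }
mount { src: "/usr/lib"       dst: "/usr/lib"       is_bind: true rw: false }
# /lib64 exists only on some architectures, so do not fail if it is missing.
mount { src: "/lib64"         dst: "/lib64"         is_bind: true rw: false mandatory: false }

cgroup_mem_max: 52428800   # 50 MiB, assumed value

exec_bin {
  path: "/usr/local/bin/python3"
  arg: "-s"
}
```

Everything not listed as a mount is simply absent from the jail's mount namespace, which is the property the commit relies on: a Python process that cannot see cgroup files cannot write to them.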
|
Forgot to do this after switching to Debian.
|
CI Improvements
|
* Replace some shorthand Docker command options with their full names
for clarity
|
* Move script's execution to the test job
* Use output variables
* Use jq instead of regex for parsing JSON responses from API
* Wrap to 80 columns
* Make more robust by checking for command success
|
Reflects the changes in 7a7eca52019bf21d21cdffcf03cd9c5eacd8363b
|
If memory swapping was enabled locally, the memory test would fail.
Explicitly disabling swapping also removes reliance on the assumption
that it'll be disabled in production.
* Add a constant for the maximum memory
* Simplify the timeout test; it'd otherwise first run out of memory now
|
* Mount volume to the same path as the source directory on the host
* Keep the container up in the background so it doesn't have to be
restarted for the ownership fix
|
When coverage runs in a container, it is run under root so the resulting
coverage file is owned by root. chown is used to change ownership to
be the same as the folder it is in.
|
* Put scripts in a new scripts folder
|
This PR is to add CI settings to master and to test the PR CI pipeline.
|
|