From 7a212edd8357d24e2dd88bc455418aaa895bc3c8 Mon Sep 17 00:00:00 2001
From: MarkKoz
Date: Mon, 23 Mar 2020 10:03:43 -0700
Subject: Move snekbox.cfg to a config directory

There will be more config files to come so it's cleaner to have them together than littering the root directory with more files.
---
 .dockerignore | 2 +-
 README.md | 2 +-
 config/snekbox.cfg | 118 +++++++++++++++++++++++++++++++++++++++++++++++++
 docker/venv.Dockerfile | 5 ++-
 scripts/.profile | 2 +-
 snekbox.cfg | 118 -------------------------------------------------
 snekbox/nsjail.py | 4 +-
 7 files changed, 127 insertions(+), 124 deletions(-)
 create mode 100644 config/snekbox.cfg
 delete mode 100644 snekbox.cfg

diff --git a/.dockerignore b/.dockerignore
index 4f43e08..d030b2f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,7 +3,7 @@
 
 # Make exceptions for what's needed
 !snekbox
-!snekbox.cfg
+!config/
 !tests
 !Pipfile
 !Pipfile.lock
diff --git a/README.md b/README.md
index f12d236..70a029b 100644
--- a/README.md
+++ b/README.md
@@ -144,7 +144,7 @@ The alias can be found in `./scripts/.profile`, which is automatically added whe
 
 [1]: https://dev.azure.com/python-discord/Python%20Discord/_apis/build/status/Snekbox?branchName=master
 [2]: https://dev.azure.com/python-discord/Python%20Discord/_build/latest?definitionId=13&branchName=master
-[`snekbox.cfg`]: snekbox.cfg
+[`snekbox.cfg`]: config/snekbox.cfg
 [`snekapi.py`]: snekbox/api/snekapi.py
 [`resources`]: snekbox/api/resources
 [`docker run`]: https://docs.docker.com/engine/reference/commandline/run/
diff --git a/config/snekbox.cfg b/config/snekbox.cfg
new file mode 100644
index 0000000..38f3ade
--- /dev/null
+++ b/config/snekbox.cfg
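Review bot: `!config/` un-ignores an entire directory where the old rule admitted a single file, so anything a developer leaves under config/ in a checkout (a local override, a file with credentials) now enters the build context and, through the `COPY config/ /snekbox/config` added in docker/venv.Dockerfile, is baked into the image. If config/ is only meant to carry nsjail configs, the exception can stay as narrow as before with `!config/*.cfg`; otherwise a one-line comment in .dockerignore stating that everything under config/ ships in the image would make the widening deliberate. The same point applies to the Dockerfile hunk, which is not repeated there.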
@@ -0,0 +1,118 @@
+name: "snekbox"
+description: "Execute Python"
+
+mode: ONCE
+hostname: "snekbox"
+cwd: "/snekbox"
+
+time_limit: 6
+
+keep_env: false
+envar: "LANG=en_US.UTF-8"
+envar: "OMP_NUM_THREADS=1"
+envar: "OPENBLAS_NUM_THREADS=1"
+envar: "MKL_NUM_THREADS=1"
+envar: "VECLIB_MAXIMUM_THREADS=1"
+envar: "NUMEXPR_NUM_THREADS=1"
+
+keep_caps: false
+
+rlimit_as: 700
+
+clone_newnet: true
+clone_newuser: true
+clone_newns: true
+clone_newpid: true
+clone_newipc: true
+clone_newuts: true
+clone_newcgroup: true
+
+uidmap {
+ inside_id: "65534"
+ outside_id: "65534"
+}
+
+gidmap {
+ inside_id: "65534"
+ outside_id: "65534"
+}
+
+mount_proc: false
+
+mount {
+ src: "/etc/ld.so.cache"
+ dst: "/etc/ld.so.cache"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/lib"
+ dst: "/lib"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/lib64"
+ dst: "/lib64"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/snekbox"
+ dst: "/snekbox"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/usr/lib"
+ dst: "/usr/lib"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/usr/local/lib"
+ dst: "/usr/local/lib"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/usr/local/bin/python"
+ dst: "/usr/local/bin/python"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/usr/local/bin/python3"
+ dst: "/usr/local/bin/python3"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/usr/local/bin/python3.8"
+ dst: "/usr/local/bin/python3.8"
+ is_bind: true
+ rw: false
+}
+
+cgroup_mem_max: 52428800
+cgroup_mem_mount: "/sys/fs/cgroup/memory"
+cgroup_mem_parent: "NSJAIL"
+
+cgroup_pids_max: 1
+cgroup_pids_mount: "/sys/fs/cgroup/pids"
+cgroup_pids_parent: "NSJAIL"
+
+iface_no_lo: true
+
+exec_bin {
+ path: "/usr/local/bin/python"
+ arg: "-Iqu"
+}
diff --git a/docker/venv.Dockerfile b/docker/venv.Dockerfile
index fe5b10d..5c0fcfc 100644
--- a/docker/venv.Dockerfile
+++ b/docker/venv.Dockerfile
@@ -6,7 +6,7 @@ ENV PIP_NO_CACHE_DIR=false \
 PIPENV_HIDE_EMOJIS=1 \
 PIPENV_NOSPIN=1
 
-COPY Pipfile Pipfile.lock snekbox.cfg /snekbox/
+COPY Pipfile Pipfile.lock /snekbox/
 WORKDIR /snekbox
 
 RUN if [ -n "${DEV}" ]; \
@@ -15,3 +15,6 @@ RUN if [ -n "${DEV}" ]; \
 else \
 pipenv install --deploy --system; \
 fi
+
+# At the end to avoid re-installing dependencies when only a config changes.
+COPY config/ /snekbox/config
diff --git a/scripts/.profile b/scripts/.profile
index 69ad959..9bf8e09 100644
--- a/scripts/.profile
+++ b/scripts/.profile
@@ -15,7 +15,7 @@ nsjpy() {
 echo "${MEM_MAX}" > /sys/fs/cgroup/memory/NSJAIL/memory.memsw.limit_in_bytes
 nsjail \
- --config "${NSJAIL_CFG:-/snekbox/snekbox.cfg}" \
+ --config "${NSJAIL_CFG:-/snekbox/config/snekbox.cfg}" \
 $nsj_args -- \
 /usr/local/bin/python -Iqu -c "$@"
 }
diff --git a/snekbox.cfg b/snekbox.cfg
deleted file mode 100644
index 38f3ade..0000000
--- a/snekbox.cfg
+++ /dev/null
@@ -1,118 +0,0 @@
-name: "snekbox"
-description: "Execute Python"
-
-mode: ONCE
-hostname: "snekbox"
-cwd: "/snekbox"
-
-time_limit: 6
-
-keep_env: false
-envar: "LANG=en_US.UTF-8"
-envar: "OMP_NUM_THREADS=1"
-envar: "OPENBLAS_NUM_THREADS=1"
-envar: "MKL_NUM_THREADS=1"
-envar: "VECLIB_MAXIMUM_THREADS=1"
-envar: "NUMEXPR_NUM_THREADS=1"
-
-keep_caps: false
-
-rlimit_as: 700
-
-clone_newnet: true
-clone_newuser: true
-clone_newns: true
-clone_newpid: true
-clone_newipc: true
-clone_newuts: true
-clone_newcgroup: true
-
-uidmap {
- inside_id: "65534"
- outside_id: "65534"
-}
-
-gidmap {
- inside_id: "65534"
- outside_id: "65534"
-}
-
-mount_proc: false
-
-mount {
- src: "/etc/ld.so.cache"
- dst: "/etc/ld.so.cache"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/lib"
- dst: "/lib"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/lib64"
- dst: "/lib64"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/snekbox"
- dst: "/snekbox"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/usr/lib"
- dst: "/usr/lib"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/usr/local/lib"
- dst: "/usr/local/lib"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/usr/local/bin/python"
- dst: "/usr/local/bin/python"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/usr/local/bin/python3"
- dst: "/usr/local/bin/python3"
- is_bind: true
- rw: false
-}
-
-mount {
- src: "/usr/local/bin/python3.8"
- dst: "/usr/local/bin/python3.8"
- is_bind: true
- rw: false
-}
-
-cgroup_mem_max: 52428800
-cgroup_mem_mount: "/sys/fs/cgroup/memory"
-cgroup_mem_parent: "NSJAIL"
-
-cgroup_pids_max: 1
-cgroup_pids_mount: "/sys/fs/cgroup/pids"
-cgroup_pids_parent: "NSJAIL"
-
-iface_no_lo: true
-
-exec_bin {
- path: "/usr/local/bin/python"
- arg: "-Iqu"
-}
diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py
index c6a81b1..cafde6d 100644
--- a/snekbox/nsjail.py
+++ b/snekbox/nsjail.py
@@ -24,7 +24,7 @@ CGROUP_PIDS_PARENT = Path("/sys/fs/cgroup/pids/NSJAIL")
 CGROUP_MEMORY_PARENT = Path("/sys/fs/cgroup/memory/NSJAIL")
 
 NSJAIL_PATH = os.getenv("NSJAIL_PATH", "/usr/sbin/nsjail")
-NSJAIL_CFG = os.getenv("NSJAIL_CFG", "./snekbox.cfg")
+NSJAIL_CFG = os.getenv("NSJAIL_CFG", "./config/snekbox.cfg")
 
 MEM_MAX = 52428800
 
@@ -32,7 +32,7 @@ class NsJail:
 """
 Core Snekbox functionality, providing safe execution of Python code.
 
- See snekbox.cfg for the default NsJail configuration.
+ See config/snekbox.cfg for the default NsJail configuration.
 """
 
 def __init__(self, nsjail_binary: str = NSJAIL_PATH, python_binary: str = sys.executable):
--
cgit v1.2.3
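Review bot: The new default `./config/snekbox.cfg` is still resolved against the process's working directory, so it only points at the shipped config when snekbox is started from /snekbox (the Dockerfile's WORKDIR); launched from any other directory the path presumably does not exist and the problem surfaces only when nsjail is invoked with it. The shell alias in scripts/.profile now defaults to the absolute `/snekbox/config/snekbox.cfg`, so the two entry points disagree on how the default is located. Anchoring the Python default to the package instead, `NSJAIL_CFG = os.getenv("NSJAIL_CFG", str(Path(__file__).resolve().parent.parent / "config" / "snekbox.cfg"))`, removes the cwd dependency; `Path` is already in scope, as the context lines of this hunk use it.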