DOMjudge / domjudge-packaging

DOMjudge packaging for (Linux) distributions and live image

Ease deployment and maintenance #49

Open rmartinsanta opened 4 years ago

rmartinsanta commented 4 years ago

Context: After some tests & small contests, we are starting to use DOMjudge a lot more. We are planning to host the AdaByron (a Spanish competitive programming contest http://ada-byron.es/) this year, so the objective was to simplify the deployment and maintenance of DOMjudge as much as possible, so you may create your own instance without a deep knowledge of DOMjudge or Docker internals.

All the customizations for our use case can be seen in the following repo: https://github.com/rmartinsanta/domjudge-automation.

Steps to test:

  1. Install Ubuntu Server (tested with 18.04.3) in a VM or equivalent.
  2. Clone the repo (git clone https://github.com/rmartinsanta/domjudge-automation)
  3. Install and reboot (./install-domjudge.sh)

The installation script will do all the tedious tasks, and give further instructions when finished. There is a monitoring stack ready to use (cd mon-template && docker-compose up -d), that will expose Grafana on port 3000.

There is one thing I do not like but I have not found an alternative way to do it: I am exposing the docker socket to the judgehost container (needed to dynamically assign a CPU ID), but as the container is already privileged, I do not think it is dangerous from a security point of view, correct me if I am wrong.

I would like to know your opinion about it, which parts would you like to add to this repo (so I can open a PR with them), what could be improved, etc.

nickygerritsen commented 4 years ago

Very cool. I think @ubergeek42 is the person inside our team who is best to look into this.

LDAP commented 3 years ago

I did some tests with docker swarm to ease deployment and judgehost scaling. Also I did work around the privileged judgehost by using a launcher image with DinD.

You can follow the development here: https://github.com/LDAP/domjudge-docker-stack

jeremy-london commented 3 years ago

@LDAP do you have any links to the DinD Judgehost replacement (Very interested)? Does it need to run with a --privileged flag?

LDAP commented 3 years ago

> @LDAP do you have any links to the DinD Judgehost replacement (Very interested)? Does it need to run with a --privileged flag?

Have a look at my compose file regarding the judge service. The judge docker itself runs with --privileged in a container without --privileged. Short answer: The Judge ITSELF does.

Edit: Made consequence more clear

nickygerritsen commented 3 years ago

> > @LDAP do you have any links to the DinD Judgehost replacement (Very interested)? Does it need to run with a --privileged flag?
>
> Have a look at my compose file regarding the judge service. The judge docker itself runs with --privileged in a container without --privileged. Short answer: It does not.

However, you do mount the /var/run/docker.sock volume inside that outside Docker container, which allows you to run anything you want inside it, including --privileged containers, which as far as I know basically makes this outside container 'privileged' as well.

LDAP commented 3 years ago

> > > @LDAP do you have any links to the DinD Judgehost replacement (Very interested)? Does it need to run with a --privileged flag?
> >
> > Have a look at my compose file regarding the judge service. The judge docker itself runs with --privileged in a container without --privileged. Short answer: It does not.
>
> However, you do mount the /var/run/docker.sock volume inside that outside Docker container, which allows you to run anything you want inside it, including --privileged containers, which as far as I know basically makes this outside container 'privileged' as well.

That is correct. I know no easy way using "real" dind without --privileged. However there are solutions out there providing exactly what you want (but I never used one of them).
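
Added example, not part of the thread or of either linked repository: a check over `docker inspect` JSON that reports containers that are either `--privileged` or have the host's Docker socket mounted, treating both as control over the Docker host, which is the point raised in the comments above. The sample records and container names are constructed.

```python
import json

# /var/run is normally a symlink to /run, so either path may show up.
DOCKER_SOCKS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output; names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/judge-launcher",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
     "Mounts": []},
    {"Name": "/judgehost-0",
     "HostConfig": {"Privileged": True, "Binds": None},
     "Mounts": []},
    {"Name": "/domserver",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/data:/data:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/data", "Destination": "/data"}]},
])


def mounts_docker_socket(container):
    """True if the host's Docker socket is bind-mounted into the container."""
    sources = [m.get("Source", "") for m in container.get("Mounts") or []]
    binds = (container.get("HostConfig") or {}).get("Binds") or []
    sources += [b.split(":", 1)[0] for b in binds]
    return any(s in DOCKER_SOCKS for s in sources)


def audit(inspect_json):
    """Map container name -> reasons it can control the Docker host."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        if (c.get("HostConfig") or {}).get("Privileged"):
            reasons.append("privileged")
        # The ro/rw mode is ignored on purpose: a read-only bind mount does
        # not stop a client from connecting to the socket and using the API.
        if mounts_docker_socket(c):
            reasons.append("docker-socket")
        if reasons:
            findings[c["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host the same function can be fed the output of `docker inspect` for the running containers instead of the constructed sample.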