Sandbox builds with Docker

[smashwilson]

As per discussion on #34. Since it's basically an engine for running arbitrary code off the Internet, DCIY is, er, kind of a giant security hole. To mitigate this, let's run builds in Docker containers.

Some considerations:

• Docker doesn't run natively on Macs (or Windows), but in Vagrant container. It'll make setup a little more involved. Should script/bootstrap take care of platform detection and installation and everything?
• Users will need to configure docker to have a proper setup, as opposed to just using the native environment. Although we could do the fetch and the GitHub API communication with non-Docker commands, and just execute prepare and cibuild commands in Docker-land.

[cobyism]

I think what will be necessary is to create a new repo just for the vagrant/docker combination, and then have that environment set up to clone down this repo, and fire up the whole server in a sandboxed way, possibly running the server just inside a vagrant VM, but then running each of the CI’d repos workspaces in separate docker containers, so as to avoid malicious code accessing another checked-out project’s code sideways.

[cobyism]

Should script/bootstrap take care of platform detection and installation and everything?

Not in this repo, I don’t think. If we have a separate repo for the virtualisation, then let’s make all the stuff happen there with a bootstrap command of some sort.

[cobyism]

Just created a repo at cobyism/dciy-sandbox as a place to discuss and setup what’s needed. Added you as a collaborator there too :smiley: