Closed vikasdeepjangra closed 6 months ago
How do you expect node to find index.js?
I'm thinking that I've mounted /home/UserName/POC/testing-isolate/mount-point/cppCode this directory cppCode in my box so the path in box is isolate/{box_Id}/index.js and I'm running /usr/bin/node index.js
No, it doesn't work this way. If you mount the directory without specifying the mount point, the path in the sandbox is equal to the path outside.
Then how can I mount a directory inside my sandbox? What is this specifying the mount point?
Hey @gollux
Can I create an isolate box inside an already existing specific directory?
Eg: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/
Is there a way to do this?
Why am I asking this?
I have built my own code execution system and the user's code is stored in EFS.
I am mounting EFS (File Storage) into our ECS and I am currently running all my user's programs directly from that path.
I was exploring isolate and chroot jail
What can I do / What do you suggest?
Hey @gollux
Can I create an isolate box inside an already existing specific directory?
Eg: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/
Is there a way to do this?
If you are asking what I think you're asking, it's possible to change box_root in default.cf. Beware of the danger mentioned in the comment above the line, however. If you believe it's safe, feel free to change it like this
Why am I asking this?
I have built my own code execution system and the user's code is stored in EFS.
I am mounting EFS (File Storage) into our ECS and I am currently running all my user's programs directly from that path.
I was exploring isolate and chroot jail
- I don't want to copy files from EFS to my ECS's isolate box on every run (Need to refactor a lot and every execution will have some delay)
You can write a caching mechanism for evaluation files to save them "offline". This is what I also intend to do in my online judge when I'll separate the main logic from the grader.
- I don't want to use chroot jail because, let's say I have a chroot jail for each user, then on each user's directory I have to copy useful stuff like bin, lib lib64 etc.
If you use isolate, it creates bind mounts of directories like lib, lib64, bin, etc, while creating a chroot jail. As such, you don't need to copy files each time, only the "working files" (inputs, user code, etc) in the box's box/ directory and run the given command!
Can I create an isolate box inside an already existing specific directory?
You can do it, but the directory (and all its ancestors) must be owned by root and writeable by nobody else. Otherwise it's not secure. See box_root in Isolate's configuration file and the comments beside it.
You could ask Isolate for a read-only bind mount of another directory to the sandbox. But never anything writeable.
Then how can I mount a directory inside my sandbox? What is this specifying the mount point?
Please look at the description of --dir in Isolate's man page.
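
The ownership rule for box_root stated above can be checked mechanically before the configuration is changed. The script below is an added example, not part of the thread or of Isolate itself; the function names are hypothetical and it assumes GNU coreutils (readlink -f, stat -c).

```shell
#!/bin/sh
# Added example: audit a candidate box_root before putting it in Isolate's config.
# Rule from the thread: the directory and every ancestor must be owned by root
# and writable by nobody else. POSIX ACLs are not inspected here.

# Walk from the directory up to /, printing the first component that breaks
# the rule. Prints nothing when every component passes.
unsafe_component() {
    # Resolve symlinks first so the real directories are the ones audited.
    p=$(readlink -f -- "$1") || { printf '%s\n' "$1"; return 0; }
    [ -d "$p" ] || { printf '%s\n' "$p"; return 0; }
    while :; do
        owner=$(stat -c %u -- "$p")
        mode=$(stat -c %a -- "$p")
        # 022 = group-write | other-write; the leading 0 makes $mode octal.
        if [ "$owner" != 0 ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s\n' "$p"
            return 0
        fi
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}

# Returns 0 only when the whole chain is root-owned and not group/other-writable.
check_box_root() {
    bad=$(unsafe_component "$1")
    if [ -n "$bad" ]; then
        echo "UNSAFE box_root $1: problem at $bad" >&2
        return 1
    fi
    echo "ok: $1"
}

# Stand-alone use: ./check_box_root.sh /path/to/candidate
[ $# -eq 0 ] || check_box_root "$1"
```

A network file system mount point that is writable by an unprivileged service account fails this check at the mount point itself, whatever the permissions of the per-user directories below it.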
Then how can I mount a directory inside my sandbox? What is this specifying the mount point?
I suggest reading the official manpage for more details. If you want to bind it inside the box directory, you first have to create the directory before running the command (if you mount it inside the box root, this isn't required).
I haven't tested, but your new command would likely be:
isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode=/box/cppCode --run /usr/bin/node /index.js
, since you have isolate/{box_Id}/index.js like you said. Note that the working directory will actually be inside isolate/{box_Id}/box/! (as viewed from outside the box, inside the jail it would be viewed as /box/)
Then how can I mount a directory inside my sandbox? What is this specifying the mount point?
I suggest reading the official manpage for more details. If you want to bind it inside the box directory, you first have to create the directory before running the command (if you mount it inside the box root, this isn't required). I haven't tested, but your new command would likely be:
isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode=/box/cppCode --run /usr/bin/node /index.js
, since you have isolate/{box_Id}/index.js like you said. Note that the working directory will actually be inside isolate/{box_Id}/box/! (as viewed from outside the box, inside the jail it would be viewed as /box/)
For a use case where a user should import other classes/files in his program, this won't work, right?
Since the box will mostly be empty and will be running index.js inside the box
Hey @gollux Can I create an isolate box inside an already existing specific directory? Eg: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/ Is there a way to do this?
If you are asking what I think you're asking, it's possible to change box_root in default.cf. Beware of the danger mentioned in the comment above the line, however. If you believe it's safe, feel free to change it like this
I want this to be dynamic. Like I explained in my original comment, we store users' code in EFS and each user's code will be stored in a different directory. I want to basically directly execute their code from that EFS directory
Basically create a box inside that efs mount point directory
For a use case where a user should import other classes/files in his program, this won't work, right? Since the box will mostly be empty and will be running index.js inside the box
Well, you can mount that user's directory inside the box. Also, you can add the --chdir=<dir> flag to cd into that directory before executing index.js, so it doesn't really hold.
I want this to be dynamic. Like I explained in my original comment, we store users' code in EFS and each user's code will be stored in a different directory. I want to basically directly execute their code from that EFS directory
If it's like you said previously, /home/ubuntu/1234 (each user has a folder with a numerical ID), then you can add the --box-id=1234 flag (just set num_boxes in default.cf to a high amount, first).
I believe your intentions of moving isolate's directory are, however, flawed to begin with. You can probably mount the user directory into the box (like I answered to the other person above) and work with it from there. This requires no copying of files from EFS to disk, however reads/writes are still done inside a network and might impact performance, so a local evaluation would still be the most accurate in the end, if you want to set time limits.
I believe that this is not an issue with Isolate itself, so I am closing it. If you find any other problem, please re-open it.
So basically, I've a directory called mount-point. I want to mount a single directory which is inside this mount-point, i.e, mount-point/cppCode. I want to mount cppCode inside the isolate box. I tried doing this:
isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode --run /usr/bin/node index.js
But this is not working.
PS: cppCode has a file called index.js which I want to run