Support for Docker

[raviprakash007]

Hi Team, Is there any plan to support the Docker container? Multiple people are waiting for this feature. Due to absence of the support, we are stuck in implementing an online programming test project (Judge0).

[ntut-xuan]

I think it already supported on docker. You need to create a container with privileged.

See: https://github.com/ntut-xuan/NuOJ-Sandbox/blob/main/Dockerfile See also: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

[gollux]

We do not plan to support running Isolate in containers.

First, we aim for maximum security and the interaction between Docker (or other hypervisor) and any other use of cgroups and namespaces is too complex for us to be confident that it is secure.

Second, Isolate's primary purpose is testing of programs in programming contests. In this setting, precise measurement of run time is crucial and anything else running on the same machine influences run times. Therefore the recommended setup is to use a dedicated machine for testing. This makes any containerization or virtualization pretty much pointless.

Isolate probably runs in containers if they are privileged enough (there are some success reports with privileged Docker), but you are on your own.

[raviprakash007]

Perfect, Can isolate Dockerized images run on k8?

[raviprakash007]

I think it already supported on docker. You need to create a container with privileged.

See: https://github.com/ntut-xuan/NuOJ-Sandbox/blob/main/Dockerfile See also: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Will the image work on kubernetes?

[ntut-xuan]

I think it already supported on docker. You need to create a container with privileged. See: https://github.com/ntut-xuan/NuOJ-Sandbox/blob/main/Dockerfile See also: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Will the image work on kubernetes?

I perviously test it on k8s and it work. But as @gollux said it may not confirm that it's secure to isolate the real environment.

[raviprakash007]

I think it already supported on docker. You need to create a container with privileged. See: https://github.com/ntut-xuan/NuOJ-Sandbox/blob/main/Dockerfile See also: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Will the image work on kubernetes?

I perviously test it on k8s and it work. But as @gollux said it may not confirm that it's secure to isolate the real environment.

How many languages does it support? Also, Do we need host machine to support CG-v1 or isolate image?

[ntut-xuan]

How many languages does it support?

I think it doesn't matter about language. If it can install and work on Ubuntu, it should be work.

Do we need host machine to support CG-v1 or isolate image?

You should make sure the host is supported Control Group v1, or waiting isolate supported Control Group v2.

[raviprakash007]

I have kubernetes cluster. How can I make sure that it is having CG-v1 Enabled?

[ntut-xuan]

I have kubernetes cluster. How can I make sure that it is having CG-v1 Enabled?

I think that the kubernates CGroup will depend on your host CGroup (Since CGroup is kernel-level architecture), you just need to configure your host to use CGroup v1.

[raviprakash007]

I was trying to run your repo but perhaps, its isolate master branch has moved to support CG-v2. So compilation is failing

=> ERROR [sandbox 16/20] RUN make install 0.1s

---

[sandbox 16/20] RUN make install:
0.094 Package libsystemd was not found in the pkg-config search path.
0.094 Perhaps you should add the directory containing libsystemd.pc' 0.094 to the PKG_CONFIG_PATH environment variable 0.094 No package 'libsystemd' found 0.095 Package libsystemd was not found in the pkg-config search path. 0.095 Perhaps you should add the directory containinglibsystemd.pc' 0.095 to the PKG_CONFIG_PATH environment variable 0.095 No package 'libsystemd' found 0.095 gcc -std=gnu99 -Wall -Wextra -Wno-parentheses -Wno-unused-result -Wno-missing-field-initializers -Wstrict-prototypes -Wmissing-prototypes -D_GNU_SOURCE -c -o isolate-cg-keeper.o isolate-cg-keeper.c 0.108 isolate-cg-keeper.c:15:10: fatal error: systemd/sd-daemon.h: No such file or directory 0.108 15 | #include <systemd/sd-daemon.h> 0.108 | ^~~~~ 0.108 compilation terminated. 0.109 make: *** [Makefile:38: isolate-cg-keeper.o] Error 1

[ntut-xuan]

ok.

[raviprakash007]

Please update the Dockerfile with the following line, (before you clone isolate)

https://github.com/ntut-xuan/NuOJ-Sandbox/blob/main/Dockerfile

RUN apt install -y libpcap-dev && apt install -y libsystemd-dev