发表新帖
发表新帖

Docker timeout for container?

后端 未结
关注
4 1601
旧巷少年郎
旧巷少年郎 2021-01-31 09:18

For my dissertation at University, I\'m working on a coding leaderboard system where users can compile / run untrusted code through temporary docker containers. The system seems

相关标签:
4条回答
  • 别那么骄傲
    2021-01-31 09:38

    If you want to run the containers without providing any protection inside them, you can use runtime constraints on resources.

    In your case, -m 100M --cpu-quota 50000 might be reasonable.

    That way it won't eat up the parent's system resources until you get around to killing it.

    0 讨论(0)
  • 情书的邮戳
    2021-01-31 09:39

    I guess, you can use signals in python like unix to set timeout. you can use alarm of specific time say 50 seconds and catch it. Following link might help you. signals in python

    0 讨论(0)
  • 忘了有多久
    2021-01-31 09:42

    I have achieved a solution for this problem.

    First you must kill docker container when time limit is achieved:

    #!/bin/bash
set -e
did=$(docker run -it -d -v "/my_real_path/$1":/usercode virtual_machine ./usercode/compilerun.sh 2>> $1/error.txt)
sleep 10 && docker kill $did &> /dev/null && echo -n "timeout" >> $1/error.txt &
docker wait "$did" &> /dev/null
docker rm -f $ &> /dev/null

    The container runs in detached mode (-d option), so it runs in the background. Then you run sleep also in the background. Then wait for the container to stop. If it doesnt stop in 10 seconds (sleep timer), the container will be killed.

    As you can see, the docker run process calls a script named compilerun.sh:

    #!/bin/bash
gcc -o /usercode/file /usercode/file.c 2> /usercode/error.txt && ./usercode/file < /usercode/input.txt | head -c 1M > /usercode/output.txt
maxsize=1048576
actualsize=$(wc -c <"/usercode/output.txt")
if [ $actualsize -ge $maxsize ]; then
    echo -e "1MB file size limit exceeded\n\n$(cat /usercode/output.txt)" > /usercode/output.txt
fi

    It starts by compiling and running a C program (its my use case, I am sure the same can be done for python compiller).

    This part:

    command | head -c 1M > /usercode/output.txt

    Is responsible for the max output size thing. It allows output to be 1MB maximum.

    After that, I just check if file is 1MB. If true, write a message inside (at the beginning of) the output file.

    0 讨论(0)
  • 心在旅途
    2021-01-31 09:52

    You could set up your container with a ulimit on the max CPU time, which will kill the looping process. A malicious user can get around this, though, if they're root inside the container.

    There's another S.O. question, "Setting absolute limits on CPU for Docker containers" that describes how to limit the CPU consumption of containers. This would allow you to reduce the effect of malicious users.

    I agree with Abdullah, though, that you ought to be able to docker kill the runaway from your supervisor.

    0 讨论(0)
 看不清?
提交回复
热议问题