Docker timeout for container?


Question

For my dissertation at University, I'm working on a coding leaderboard system where users can compile / run untrusted code through temporary docker containers. The system seems to be working well so far, but one problem I'm facing is that when code for an infinite loop is submitted, e.g.:

# Runs under both Python 2 and 3; the original used the Python 2 print statement.
while True:
    print("infinite loop")

the system goes haywire. The problem is that when I'm creating a new docker container, the Python interpreter prevents docker from killing the child container as data is still being printed to STDOUT (forever). This leads to the huge vulnerability of docker eating up all available system resources until the machine using the system completely freezes (shown below):

So my question is, is there a better way of setting a timeout on a docker container than my current method that will actually kill the docker container and make my system secure (code originally taken from here)?

#!/bin/bash
set -e

to=$1        # timeout understood by timeout(1), e.g. "10s"
shift

# Start the container detached so $cont holds its ID. Without -d the command
# substitution blocks until the container exits, which for an infinite loop is never.
# --rm is left out on purpose: the script reads the logs and removes the container itself.
cont=$(docker run -d "$@")
# timeout(1) prints nothing and exits 124 when the wait exceeds $to.
code=$(timeout "$to" docker wait "$cont" || true)
# No-op (and must not abort the script under set -e) if the container already exited.
docker kill "$cont" &> /dev/null || true
echo -n 'status: '
if [ -z "$code" ]; then
    echo timeout
else
    echo "exited: $code"
fi

echo output:
# pipe to sed simply for pretty nice indentation
docker logs "$cont" | sed 's/^/\t/'

docker rm "$cont" &> /dev/null

Edit: the default timeout in my application (passed to the $to variable) is "10s" / 10 seconds.

I've tried looking into adding a timer and sys.exit() to the python source directly, but this isn't really a viable option as it seems rather insecure because the user could submit code to prevent it from executing, meaning the problem would still persist. Oh the joys of being stuck on a dissertation... :(

Answer

You could set up your container with a ulimit on the max CPU time, which will kill the looping process. A malicious user can get around this, though, if they're root inside the container.

There's another S.O. question, "Setting absolute limits on CPU for Docker containers", that describes how to limit the CPU consumption of containers. This would allow you to reduce the effect of malicious users.

I agree with Abdullah, though, that you ought to be able to docker kill the runaway from your supervisor.
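A hardened version of the supervisor script, written as an added example here and not code from the question or the answer. It combines the answer's three suggestions: a CPU-time ulimit, cgroup limits on CPU, memory and process count (all enforced by the kernel outside the container), and a wall-clock kill done by the supervisor with timeout and docker kill. It also caps how much of the container's output is ever read back, since an endless print loop would otherwise fill the host's disk through the log driver. The concrete values (10 s wall clock, 5 CPU seconds, 128 MB, 64 pids, uid 65534, 200 log lines) are illustrative assumptions; the image and command come from the caller.

```shell
#!/usr/bin/env bash
# run_untrusted.sh IMAGE [CMD...]
# Added example (not the question's or the answer's code): run one submission in a
# throw-away container with kernel-enforced limits and a supervisor-side wall-clock kill.
# All limit values below are illustrative assumptions; tune them for the grader host.
set -eu

WALL_TIMEOUT="${WALL_TIMEOUT:-10s}"  # the "10s" default from the question
CPU_SECONDS="${CPU_SECONDS:-5}"      # RLIMIT_CPU: kernel sends SIGXCPU after this much CPU time
MEMORY="${MEMORY:-128m}"
PIDS="${PIDS:-64}"                   # also stops fork bombs
MAX_LOG_LINES="${MAX_LOG_LINES:-200}"

# One flag per line so the caller can word-split them. Free of side effects so the
# flag set can be inspected or tested without a Docker daemon.
sandbox_flags() {
  printf '%s\n' \
    --detach \
    --network none \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=16m \
    --user 65534:65534 \
    --cap-drop ALL \
    --security-opt no-new-privileges:true \
    --pids-limit "$PIDS" \
    --memory "$MEMORY" \
    --memory-swap "$MEMORY" \
    --cpus 1 \
    --ulimit "cpu=${CPU_SECONDS}:${CPU_SECONDS}" \
    --ulimit nofile=64:64 \
    --log-driver json-file \
    --log-opt max-size=1m \
    --log-opt max-file=1
}

# Turn the result of `timeout $WALL_TIMEOUT docker wait` into a status line.
# timeout(1) exits 124 and prints nothing when the clock runs out.
classify() {
  wait_rc=$1
  wait_out=$2
  if [ "$wait_rc" -eq 124 ] || [ -z "$wait_out" ]; then
    echo "timeout"
  else
    echo "exited: $wait_out"
  fi
}

# Docker reports a signal death as 128+signo. SIGXCPU is 24 on Linux, so 152 means the
# CPU ulimit fired; 137 (SIGKILL) means docker kill, the OOM killer or the hard CPU limit.
describe_exit() {
  case "$1" in
    152) echo "killed by SIGXCPU (RLIMIT_CPU exceeded)" ;;
    137) echo "killed by SIGKILL (docker kill, OOM or hard CPU limit)" ;;
    *)   echo "exit code $1" ;;
  esac
}

main() {
  if [ "$#" -lt 1 ]; then
    echo "usage: $0 IMAGE [CMD...]" >&2
    return 2
  fi
  # Unquoted on purpose: sandbox_flags prints one argument per line.
  # shellcheck disable=SC2046
  cont=$(docker run $(sandbox_flags) "$@")
  # Whatever happens below, destroy the container on exit (-f kills it if still running).
  trap 'docker rm -f "$cont" >/dev/null 2>&1 || true' EXIT

  # The wall-clock cap lives in the supervisor, not in anything the submission can reach.
  wait_out=$(timeout "$WALL_TIMEOUT" docker wait "$cont") && wait_rc=0 || wait_rc=$?
  docker kill "$cont" >/dev/null 2>&1 || true   # no-op if it already exited

  status=$(classify "$wait_rc" "$wait_out")
  echo "status: $status"
  case "$status" in exited:*) echo "detail: $(describe_exit "${status#exited: }")" ;; esac
  echo "output:"
  # Read only the tail: an endless print loop must not be able to fill the grader's memory or disk.
  docker logs --tail "$MAX_LOG_LINES" "$cont" 2>&1 | sed 's/^/\t/'
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `./run_untrusted.sh python:3-alpine python /submission/loop.py` (with the submission bind-mounted read-only into the image, an assumption of this example). The answer's caveat that root inside the container can lift a ulimit is what `--user 65534:65534` and `--cap-drop ALL` address: raising a hard RLIMIT needs CAP_SYS_RESOURCE, which the process no longer has. The cgroup limits (`--cpus`, `--memory`, `--pids-limit`) and the supervisor's `timeout` are enforced from outside the container, so nothing the submitted code does can disable them; the CPU ulimit then ends a busy loop long before the wall clock does.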
