shell/Dockerfile.sandbox at master · oneearedrabbit/shell · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
FROM python:3.9-slim-buster as builder
RUN apt-get -y update \
    && apt-get install -y \
        bison=2:3.3.* \
        flex=2.6.* \
        g++=4:8.3.* \
        gcc=4:8.3.* \
        git=1:2.20.* \
        libprotobuf-dev=3.6.* \
        libnl-route-3-dev=3.4.* \
        make=4.2.* \
        pkg-config=0.29-6 \
        protobuf-compiler=3.6.*
RUN git clone \
    -b '2.9' \
    --single-branch \
    --depth 1 \
    https://github.com/google/nsjail.git /nsjail
WORKDIR /nsjail
RUN make

# ------------------------------------------------------------------------------
FROM python:3.9-slim-buster as base

# Everything will be a user install to allow sandbox's dependencies to be kept
# separate from the packages exposed during eval.
ENV PATH=/root/.local/bin:$PATH \
    PIP_NO_CACHE_DIR=false \
    PIP_USER=1 \
    PIPENV_DONT_USE_PYENV=1 \
    PIPENV_HIDE_EMOJIS=1 \
    PIPENV_NOSPIN=1

RUN apt-get -y update \
    && apt-get install -y \
        gcc=4:8.3.* \
        libnl-route-3-200=3.4.* \
        libprotobuf17=3.6.* \
        supervisor \
    && rm -rf /var/lib/apt/lists/*
RUN pip install pipenv==2020.11.15

COPY --from=builder /nsjail/nsjail /usr/sbin/
RUN chmod +x /usr/sbin/nsjail

ADD diggy-sandbox/docker/supervisord.conf /etc/
RUN mkdir -p /etc/supervisor/conf.d

# ------------------------------------------------------------------------------
FROM base as venv

COPY diggy-sandbox/Pipfile diggy-sandbox/Pipfile.lock /sandbox/
WORKDIR /sandbox

# Pipenv installs to the default user site since PIP_USER is set.
RUN pipenv install --deploy --system

# This must come after the first pipenv command! From the docs:
# All RUN instructions following an ARG instruction use the ARG variable
# implicitly (as an environment variable), thus can cause a cache miss.

# TODO: refactor this, I don't like that pytest depends on a docker
# container

# ARG DEV

# Install numpy when in dev mode; one of the unit tests needs it.
# RUN if [ -n "${DEV}" ]; \
#     then \
#         pipenv install --deploy --system --dev \
#         && PYTHONUSERBASE=/opt/python/diggy pip install numpy~=1.20; \
#     fi

# ------------------------------------------------------------------------------
FROM venv as sandbox

# Install all additional dependencies here
RUN apt-get -y update \
    && apt-get install -y \
        curl \
        gnupg2 \
        procps \
        # Conda dependencies, see below
        # bzip2 \
        # ca-certificates \
        # libglib2.0-0 \
        # libsm6 \
        # libxext6 \
        # libxrender1 \
        # mercurial \
        # subversion \
        # wget \
    && rm -rf /var/lib/apt/lists/*

# == Python

# NOTE: I could not make conda work with nsjail, i.e. numpy fails with
# this error: Intel MKL FATAL ERROR: Cannot load <mkl-loader>. I am
# stuck, and if you manage to get it up and running, please let me
# know.

# ARG CONDA_VERSION=py38_4.9.2
# ARG CONDA_MD5=122c8c9beb51e124ab32a0fa6426c656

# ENV PATH /opt/conda/bin:$PATH

# # Based on https://github.com/ContinuumIO/docker-images
# RUN wget --quiet https://repo.anaconda.com/miniconda/Miniconda3-${CONDA_VERSION}-Linux-x86_64.sh -O miniconda.sh && \
#     echo "${CONDA_MD5}  miniconda.sh" > miniconda.md5 && \
#     if ! md5sum --status -c miniconda.md5; then exit 1; fi && \
#     mkdir -p /opt && \
#     sh miniconda.sh -b -p /opt/conda && \
#     rm miniconda.sh miniconda.md5 && \
#     ln -s /opt/conda/etc/profile.d/conda.sh /etc/profile.d/conda.sh && \
#     echo ". /opt/conda/etc/profile.d/conda.sh" >> ~/.bashrc && \
#     echo "conda activate base" >> ~/.bashrc && \
#     find /opt/conda/ -follow -type f -name '*.a' -delete && \
#     find /opt/conda/ -follow -type f -name '*.js.map' -delete && \
#     /opt/conda/bin/conda clean -afy
# RUN conda config --add channels intel
# RUN conda create --name diggy intelpython3_core python=3.7

# Pre-install Python packages

# SHELL ["conda", "run", "-n", "diggy", "/bin/bash", "-c"]

# RUN yes | conda install numpy \
#     matplotlib

# TODO: extract this to a post-install script, all additional packages
# must be living outside of the Dockerfile. e.g. docker exec -it
# <container> -v $(pwd)/post-install.sh:/post-install.sh
# /post-install.sh
RUN PYTHONUSERBASE=/opt/python/diggy pip install matplotlib \
  numpy

# == Ruby
# Based on https://github.com/ms-ati/docker-rvm/blob/master/Dockerfile
# I am not sure whether I like RVM approach more than a native Ruby
# package, but I am giving it a try.
ARG RVM_VERSION=stable
ENV RVM_VERSION=${RVM_VERSION}

# 3.0.0-preview1 was the latest available binary at the time of
# writting this Dockerfile
ARG RVM_RUBY_VERSION="3.0.0-preview1"
ENV RVM_RUBY_VERSION=${RVM_RUBY_VERSION}
ENV RVM_RUBY_DEFAULT=${RVM_RUBY_VERSION}

RUN mkdir ~/.gnupg \
 && chmod 700 ~/.gnupg \
 && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf \
 && gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 \
                     7D2BAF1CF37B13E2069D6956105BD0E739499BDB \
 && curl -sSL https://raw.githubusercontent.com/rvm/rvm/${RVM_VERSION}/binscripts/rvm-installer -o rvm-installer \
 && curl -sSL https://raw.githubusercontent.com/rvm/rvm/${RVM_VERSION}/binscripts/rvm-installer.asc -o rvm-installer.asc \
 && gpg2 --verify rvm-installer.asc rvm-installer \
 && bash rvm-installer \
 && rm rvm-installer rvm-installer.asc \
 && echo "rvm_autoupdate_flag=2" >> /etc/rvmrc \
 && echo "rvm_silence_path_mismatch_check_flag=1" >> /etc/rvmrc \
 && echo "install: --no-document" > /etc/gemrc

SHELL ["/bin/bash", "--login", "-c"]

RUN echo "== docker-rvm: Installing ${RVM_RUBY_VERSION} ==" \
    && rvm install ${RVM_RUBY_VERSION} \
    && echo "== docker-rvm: Setting default ${RVM_RUBY_DEFAULT} ==" \
    && rvm use --default ${RVM_RUBY_DEFAULT} \
    && rvm cleanup all \
    && rm -rf /var/lib/apt/lists/*

# ------------------------------------------------------------------------------
FROM sandbox

WORKDIR /sandbox
COPY diggy-sandbox /sandbox
ADD diggy-sandbox/docker/web.conf /etc/supervisor/conf.d/

# Activate virtual envs like rvm
SHELL ["/bin/bash", "--login", "-c"]

ENTRYPOINT ["supervisord", "--nodaemon", "--configuration", "/etc/supervisord.conf"]