优化部分设置

QingdaoU · Oct 15, 2016 · 830159a · 830159a
1 parent c5bed7e
commit 830159a
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,19 +3,14 @@ ENV DEBIAN_FRONTEND noninteractive
 RUN rm /etc/apt/sources.list
 COPY deploy/sources.list /etc/apt/
 RUN apt-get update
-RUN apt-get -y install software-properties-common python-software-properties python python-dev gcc g++ git libtool python-pip libseccomp-dev cmake
-RUN add-apt-repository -y ppa:webupd8team/java
-RUN echo debconf shared/accepted-oracle-license-v1-1 select true | sudo debconf-set-selections
-RUN echo debconf shared/accepted-oracle-license-v1-1 seen true | sudo debconf-set-selections
-RUN apt-get update
-RUN apt-get install -y oracle-java7-installer
+RUN apt-get -y install software-properties-common python-software-properties python python-dev gcc g++ git libtool python-pip libseccomp-dev cmake openjdk-7-jdk
 RUN cd /tmp && git clone https://github.com/QingdaoU/Judger && cd Judger && git checkout newnew && mkdir build && cd build && cmake .. && make && make install && cd ../bindings/Python && python setup.py install
 RUN pip install psutil gunicorn web.py requests
 RUN mkdir -p /judger_run /test_case /log /code
 COPY deploy/java_policy /etc
-RUN chmod -R 777 /judger_run
 RUN pip install futures psutil gunicorn web.py
+RUN useradd -r compiler
 HEALTHCHECK --interval=5s --retries=3 CMD python /code/service.py
 WORKDIR /code
 EXPOSE 8080
-CMD chown -R nobody:nogroup /spj; gunicorn --workers 4 --threads 4 --error-logfile /log/gunicorn.log --bind 0.0.0.0:8080 server:wsgiapp
+CMD chown compiler:compiler /spj; gunicorn --workers 4 --threads 4 --error-logfile /log/gunicorn.log --bind 0.0.0.0:8080 server:wsgiapp
diff --git a/compiler.py b/compiler.py
@@ -7,7 +7,7 @@
 
 import _judger
 
-from config import COMPILER_LOG_PATH, LOW_PRIVILEDGE_UID, LOW_PRIVILEDGE_GID
+from config import COMPILER_LOG_PATH, COMPILER_USER_UID, COMPILER_GROUP_GID
 from exception import CompileError
 
 
@@ -33,8 +33,8 @@ def compile(self, compile_config, src_path, output_dir):
                              env=[("PATH=" + os.getenv("PATH")).encode("utf-8")],
                              log_path=COMPILER_LOG_PATH,
                              seccomp_rule_name=None,
-                             uid=LOW_PRIVILEDGE_UID,
-                             gid=LOW_PRIVILEDGE_GID)
+                             uid=COMPILER_USER_UID,
+                             gid=COMPILER_GROUP_GID)
 
         if result["result"] != _judger.RESULT_SUCCESS:
             if os.path.exists(compiler_out):

diff --git a/config.py b/config.py
@@ -11,8 +11,11 @@
 COMPILER_LOG_PATH = os.path.join(LOG_BASE, "compile.log").encode("utf-8")
 JUDGER_RUN_LOG_PATH = os.path.join(LOG_BASE, "judger.log").encode("utf-8")
 
-LOW_PRIVILEDGE_UID = pwd.getpwnam("nobody").pw_uid
-LOW_PRIVILEDGE_GID = grp.getgrnam("nogroup").gr_gid
+RUN_USER_UID = pwd.getpwnam("nobody").pw_uid
+RUN_GROUP_GID = grp.getgrnam("nogroup").gr_gid
+
+COMPILER_USER_UID = pwd.getpwnam("compiler").pw_uid
+COMPILER_GROUP_GID = grp.getgrnam("compiler").gr_gid
 
 TEST_CASE_DIR = "/test_case"
 SPJ_SRC_DIR = "/spj"

diff --git a/docker-compose.example.yml b/docker-compose.example.yml
@@ -4,6 +4,13 @@ services:
         image: judge_server
         cpu_quota: 90000
         read_only: true
+        cap_drop:
+            - SETPCAP
+            - MKNOD
+            - NET_BIND_SERVICE
+            - SYS_CHROOT
+            - SETFCAP
+            - FSETID
         tmpfs:
             - /tmp
             - /judger_run:exec,mode=777
@@ -15,7 +22,6 @@ services:
         environment:
             - judger_token=token
             - service_discovery_url=https://virusdefender.net/service.php
-            - service_url=http://1.2.3.4:12345
-            - judger_debug=1
+            - service_url=http://1.2.3.4:12358
         ports:
             - "0.0.0.0:12358:8080"
diff --git a/judge_client.py b/judge_client.py
@@ -8,7 +8,7 @@
 
 from multiprocessing import Pool
 
-from config import TEST_CASE_DIR, JUDGER_RUN_LOG_PATH, LOW_PRIVILEDGE_GID, LOW_PRIVILEDGE_UID, SPJ_EXE_DIR
+from config import TEST_CASE_DIR, JUDGER_RUN_LOG_PATH, RUN_GROUP_GID, RUN_USER_UID, SPJ_EXE_DIR
 from exception import JudgeClientError
 
 
@@ -79,8 +79,8 @@ def _spj(self, in_file_path, user_out_file_path):
                              env=[("PATH=" + os.environ.get("PATH", "")).encode("utf-8")],
                              log_path=JUDGER_RUN_LOG_PATH,
                              seccomp_rule_name=seccomp_rule_name,
-                             uid=LOW_PRIVILEDGE_UID,
-                             gid=LOW_PRIVILEDGE_GID)
+                             uid=RUN_USER_UID,
+                             gid=RUN_GROUP_GID)
 
         if result["result"] == _judger.RESULT_SUCCESS or \
                 (result["result"] == _judger.RESULT_RUNTIME_ERROR and
@@ -111,8 +111,8 @@ def _judge_one(self, test_case_file_id):
                                  env=env,
                                  log_path=JUDGER_RUN_LOG_PATH,
                                  seccomp_rule_name=seccomp_rule_name,
-                                 uid=LOW_PRIVILEDGE_UID,
-                                 gid=LOW_PRIVILEDGE_GID)
+                                 uid=RUN_USER_UID,
+                                 gid=RUN_GROUP_GID)
         run_result["test_case"] = test_case_file_id
 
         # if progress exited normally, then we should check output result