Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Docker timeout for container?

For my dissertation at University, I'm working on a coding leaderboard system where users can compile / run untrusted code through temporary docker containers. The system seems to be working well so far, but one problem I'm facing is that when code for an infinite loop is submitted, E.g:

while True:    print "infinite loop" 

the system goes haywire. The problem is that when I'm creating a new docker container, the Python interpreter prevents docker from killing the child container as data is still being printed to STDOUT (forever). This leads to the huge vulnerability of docker eating up all available system resources until the machine using the system completely freezes (shown below):

enter image description here

So my question is, is there a better way of setting a timeout on a docker container than my current method that will actually kill the docker container and make my system secure (code originally taken from here)?

#!/bin/bash set -e  to=$1 shift  cont=$(docker run --rm "$@") code=$(timeout "$to" docker wait "$cont" || true) docker kill $cont &> /dev/null echo -n 'status: ' if [ -z "$code" ]; then     echo timeout else     echo exited: $code fi  echo output: # pipe to sed simply for pretty nice indentation docker logs $cont | sed 's/^/\t/'  docker rm $cont &> /dev/null 

Edit: The default timeout in my application (passed to the $to variable) is "10s" / 10 seconds.


I've tried looking into adding a timer and sys.exit() to the python source directly, but this isn't really a viable option as it seems rather insecure because the user could submit code to prevent it from executing, meaning the problem would still persist. Oh the joys of being stuck on a dissertation... :(

like image 558
Joel Murphy Avatar asked Mar 09 '15 01:03

Joel Murphy


People also ask

Do docker containers run forever?

By default, containers run only as long as their default command executes but a common use case it´s to run them indefinitely for debugging and troubleshooting purposes.

What does IP 0.0 0.0 mean docker?

In the context of servers, 0.0.0.0 can mean "all IPv4 addresses on the local machine". If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host is configured to listen on 0.0.0.0, it will be reachable at both of those IP addresses.

Why does my docker container exit immediately?

You're running a shell in a container, but you haven't assigned a terminal: If you're running a container with a shell (like bash ) as the default command, then the container will exit immediately if you haven't attached an interactive terminal.

How do I make my docker container stay running?

Dockerfile Command to Keep the Container Running Method 1: You can use the -t (pseudo-tty) docker parameter to keep the container running. Method 2: You can run the container directly passing the tail command via arguments as shown below. Method 3: Another method is to execute a sleep command to infinity.


2 Answers

You could set up your container with a ulimit on the max CPU time, which will kill the looping process. A malicious user can get around this, though, if they're root inside the container.

There's another S.O. question, "Setting absolute limits on CPU for Docker containers" that describes how to limit the CPU consumption of containers. This would allow you to reduce the effect of malicious users.

I agree with Abdullah, though, that you ought to be able to docker kill the runaway from your supervisor.

like image 87
Nathaniel Waisbrot Avatar answered Sep 23 '22 19:09

Nathaniel Waisbrot


If you want to run the containers without providing any protection inside them, you can use runtime constraints on resources.

In your case, -m 100M --cpu-quota 50000 might be reasonable.

That way it won't eat up the parent's system resources until you get around to killing it.

like image 33
ctolsen Avatar answered Sep 23 '22 19:09

ctolsen