refs #44, #45, #46: Update C/C++/Java kernels

 * Rename "java" to "java8"
 * java8 kernel image now uses the Alpine Linux's openjdk package for faster builds
 * Removed no-longer necessary chmod commands in C/C++ kernels

c/Dockerfile

@@ -4,13 +4,11 @@ MAINTAINER DevOps "[email protected]"
 # Install minimal C compile environments
 RUN apk add --no-cache gcc musl-dev
 
-# Install Python packages
-RUN pip install --no-cache-dir aiozmq
-
 COPY run.py /home/sorna/run.py
 COPY policy.yml /home/sorna/policy.yml
-COPY patch-libs.so /home/sorna/patch-libs.so
-COPY base_run.py /home/sorna/base_run.py
+#COPY patch-libs.so /home/sorna/patch-libs.so
+#COPY base_run.py /home/sorna/base_run.py
+
+LABEL io.sorna.features "batch query uid-match user-input"
 
-USER work
-CMD ["/home/sorna/sorna-jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python3", "/home/sorna/run.py"]
+CMD ["/home/sorna/jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python3", "/home/sorna/run.py"]

cpp/Dockerfile

@@ -1,13 +1,12 @@
 FROM lablup/kernel-base-python3-minimal:latest
 MAINTAINER DevOps "[email protected]"
 
-# Install Python packages
-RUN pip install --no-cache-dir aiozmq
-
 # Install minimal C++ compile environments
-RUN apk add --no-cache g++
+RUN apk add --no-cache g++ libstdc++
 
 COPY run.py /home/sorna/run.py
+COPY policy.yml /home/sorna/policy.yml
+
+LABEL io.sorna.features "batch query uid-match user-input"
 
-USER work
-CMD ["/home/sorna/jail", "python3", "/usr/local/bin/python3", "/home/sorna/run.py"]
+CMD ["/home/sorna/jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python3", "/home/sorna/run.py"]

cpp/policy.yml

@@ -0,0 +1,23 @@
+whitelist_paths:
+  OP_OPEN: ["*"]
+  OP_ACCESS: ["*"]
+  OP_EXEC: ["*"]
+  OP_STAT: ["*"]
+  OP_CHMOD: ["/home/work/*", "/tmp/*"]
+exec_allowance: -1
+fork_allowance: -1
+max_child_procs: 32
+extra_envs: []
+preserved_env_keys: [
+  "HOME", "PATH", "LANG",
+  "USER", "SHELL", "TERM",
+  "LD_LIBRARY_PATH",
+  "LD_PRELOAD",
+]
+
+diff_to_default: true
+
+# Following syscalls are blindly allowed.
+# IMPORTANT: ptrace MUST NOT be included!
+allowed_syscalls:
+  - "umask"

cpp/run.py

@@ -47,7 +47,7 @@ async def build(self, build_cmd):
                 cppfiles = Path('.').glob('**/*.cpp')
                 cppfiles = ' '.join(map(lambda p: shlex.quote(str(p)), cppfiles))
                 cmd = (f'g++ {cppfiles} {DEFAULT_CFLAGS} -o ./main {DEFAULT_LDFLAGS}; '
-                       f'chmod 755 ./main')
+                       f'./main')
                 await self.run_subproc(cmd)
             else:
                 log.error('cannot find build script ("Makefile") '
@@ -65,9 +65,9 @@ async def execute(self, exec_cmd):
             return
         elif exec_cmd == '*':
             if Path('./main').is_file():
-                await self.run_subproc('chmod 755 ./main; ./main')
+                await self.run_subproc('./main')
             elif Path('./a.out').is_file():
-                await self.run_subproc('chmod 755 ./a.out; ./a.out')
+                await self.run_subproc('./a.out')
             else:
                 log.error('cannot find executable ("a.out" or "main").')
         else:
@@ -82,7 +82,7 @@ async def query(self, code_text):
             tmpf.write(code_text.encode('utf8'))
             tmpf.flush()
             cmd = (f'g++ {tmpf.name} {DEFAULT_CFLAGS} -o ./main {DEFAULT_LDFLAGS} '
-                   f'&& chmod 755 ./main && ./main')
+                   f'&& ./main')
             await self.run_subproc(cmd)
 
 

java8/Dockerfile

@@ -0,0 +1,29 @@
+FROM lablup/kernel-base-python3-minimal:latest
+MAINTAINER DevOps "[email protected]"
+
+# Install Java compile environments
+# ref: https://github.com/docker-library/openjdk/blob/master/8-jdk/alpine/Dockerfile
+# You may need to check the Alpine package repository for latest OpenJDK package available.
+# ref: https://pkgs.alpinelinux.org/packages?name=openjdk8&branch=v3.6&repo=&arch=x86_64
+ENV JAVA_HOME /usr/lib/jvm/java-1.8-openjdk
+ENV PATH $PATH:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin
+ENV JAVA_VERSION 8u131
+ENV JAVA_ALPINE_VERSION 8.131.11-r2
+RUN { \
+		echo '#!/bin/sh'; \
+		echo 'set -e'; \
+		echo; \
+		echo 'dirname "$(dirname "$(readlink -f "$(which javac || which java)")")"'; \
+	} > /usr/local/bin/docker-java-home \
+	&& chmod +x /usr/local/bin/docker-java-home
+RUN set -x \
+	&& apk add --no-cache \
+		openjdk8="$JAVA_ALPINE_VERSION" \
+	&& [ "$JAVA_HOME" = "$(docker-java-home)" ]
+
+COPY run.py /home/sorna/run.py
+COPY policy.yml /home/sorna/policy.yml
+
+LABEL io.sorna.features "batch query uid-match user-input"
+
+CMD ["/home/sorna/jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python3", "/home/sorna/run.py"]

java8/policy.yml

@@ -0,0 +1,23 @@
+whitelist_paths:
+  OP_OPEN: ["*"]
+  OP_ACCESS: ["*"]
+  OP_EXEC: ["*"]
+  OP_STAT: ["*"]
+  OP_CHMOD: ["/home/work/*", "/tmp/*"]
+exec_allowance: -1
+fork_allowance: -1
+max_child_procs: 32
+extra_envs: []
+preserved_env_keys: [
+  "HOME", "PATH", "LANG",
+  "USER", "SHELL", "TERM",
+  "LD_LIBRARY_PATH",
+  "LD_PRELOAD",
+]
+
+diff_to_default: true
+
+# Following syscalls are blindly allowed.
+# IMPORTANT: ptrace MUST NOT be included!
+allowed_syscalls:
+  - "umask"

java/run.py → java8/run.py

@@ -18,14 +18,17 @@
 
 JCC = 'javac'
 JCR = 'java'
-DEFAULT_JFLAGS = '-d .'
+
+# Let Java respect container resource limits
+DEFAULT_JFLAGS = '-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -d .'
+
 CHILD_ENV = {
     'TERM': 'xterm',
     'LANG': 'C.UTF-8',
     'SHELL': '/bin/ash',
     'USER': 'work',
     'HOME': '/home/work',
-    'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/jdk/bin',
+    'PATH': '/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
 }
 
 

python2/Dockerfile

@@ -54,6 +54,7 @@ COPY policy.yml /home/sorna/
 COPY run.py /home/sorna/
 
 LABEL io.sorna.envs.corecount="OPENBLAS_NUM_THREADS,NPROC"
+LABEL io.sorna.features "query uid-match user-input"
 
 CMD ["/home/sorna/jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python", "/home/sorna/run.py"]
 

python3/Dockerfile

@@ -51,6 +51,7 @@ COPY policy.yml /home/sorna/
 COPY run.py /home/sorna/
 
 LABEL io.sorna.envs.corecount="OPENBLAS_NUM_THREADS,NPROC"
+LABEL io.sorna.features "batch query uid-match user-input"
 
 CMD ["/home/sorna/jail", "-policy", "/home/sorna/policy.yml", "/usr/local/bin/python3", "/home/sorna/run.py"]