public/seccomp-sandbox
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WS-207807 # Refine building flow

Browse Source
This commit is contained in:
huangqingming 2024-01-19 02:47:51 +00:00
parent a61b6721cd
commit 919ddf86d8
10 changed files with 71 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
build-x2t-sandbox-rule.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/bash
set -e
buildah bud --format=docker --security-opt label=disable --userns=host --network=host --rm=true --layers=true --memory=0 \
--tag jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder --file ./build/x2t-snadbox-rulegen-ubuntu.dockerfile .
cp -r ./x2t-sandbox-rulegen ./src
podman run --rm --security-opt label=disable --network=host \
--volume .:/app \
--workdir /app \
jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder \
bash -c "/root/.cargo/bin/cargo build --release --features tracing-mode"
rm -rf ./src/x2t-sandbox-rulegen
sudo docker run --rm \
--volume .:/app \
--workdir /app \
jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder \
bash -c 'bash /app/generate-sandbox-rule.sh /var/www/onlyoffice/documentserver/server/FileConverter/bin/x2t /app/target/release/x2t-sandbox /app/data'

12
build-x2t-sandbox.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
set -e
buildah bud --format=docker --security-opt label=disable --userns=host --network=host --rm=true --layers=true --memory=0 \
--tag jcr.jianguoyun.net.cn/onlyoffice/x2r-sandbox-builder --file ./build/x2t-snadbox-ubuntu.dockerfile .
podman run --rm --security-opt label=disable --network=host \
--volume .:/app \
--workdir /app/src \
jcr.jianguoyun.net.cn/onlyoffice/x2r-sandbox-builder \
bash -c "/root/.cargo/bin/cargo build --release"

20
build/Dockerfile.static-build
View File

@ -1,20 +0,0 @@
ARG REGISTRY=docker.io
ARG BUILDER_BASE=library/rust:alpine
ARG RUNTIME_BASE=library/alpine:latest
FROM ${REGISTRY}/${BUILDER_BASE} as builder
RUN apk add --no-cache pkgconf libseccomp-static libseccomp-dev musl-dev
COPY . /src
WORKDIR /src
RUN cargo build --release
FROM ${REGISTRY}/${RUNTIME_BASE} as base
FROM base as runtime
COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
FROM ${REGISTRY}/${RUNTIME_BASE} as copy-to-data
FROM base as copy-to-data
COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
CMD ["cp", "-v", "/x2t-sandbox", "/data/x2t-sandbox"]

20
build/Dockerfile.ubuntu
View File

@ -1,20 +0,0 @@
ARG REGISTRY=docker.io
ARG BASE=library/ubuntu:20.04
FROM ${REGISTRY}/${BASE} as base
FROM base as builder
RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
COPY . /src
WORKDIR /src
RUN /root/.cargo/bin/cargo build --release
FROM base as runtime
RUN apt update && apt install libseccomp2 -y && rm -rf /var/apt
COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
FROM base as copy-to-data
COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
CMD ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]

50
build/Dockerfile.ubuntu-build-with-tracer
View File

@ -1,50 +0,0 @@
ARG REGISTRY=docker.io
ARG BASE_IMAGE=library/ubuntu:20.04
ARG ONLYOFFICE_IMAGE=onlyoffice/documentserver:7.5
FROM ${REGISTRY}/${BASE_IMAGE} as base
FROM base as runtime-slim-base
RUN apt update && apt install libseccomp2 -y && rm -rf /var/apt
FROM ${REGISTRY}/${ONLYOFFICE_IMAGE} as runtime-base
RUN apt update && apt install libseccomp2 -y && rm -rf /var/apt
FROM base as builder-base
RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
COPY Cargo.toml Cargo.lock build.rs /src/
COPY src /src/src
COPY x2t-sandbox-rulegen /src/x2t-sandbox-rulegen
WORKDIR /src
FROM builder-base as tracer-builder
RUN /root/.cargo/bin/cargo build --release --features tracing-mode
FROM runtime-slim-base as runtime-tracer
COPY --from=tracer-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
ENTRYPOINT ["/usr/local/bin/x2t-sandbox"]
FROM runtime-base as tracer-generate-syscalls
COPY data /data
COPY --from=tracer-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
RUN bash -c 'set -euo pipefail; for filename in $(ls /data/ | grep "\.xml$"); do /usr/local/bin/x2t-sandbox -l $filename.out /var/www/onlyoffice/documentserver/server/FileConverter/bin/x2t /data/$filename; done'
RUN cat *.out | sort | uniq > x2t-syscalls.txt
FROM builder-base as sandbox-builder
COPY --from=tracer-generate-syscalls /x2t-syscalls.txt /src/x2t-syscalls.txt
RUN /root/.cargo/bin/cargo build --release --features tracing-mode
FROM runtime-base as onlyoffice-output
COPY --from=sandbox-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
FROM base as copy-tracer-to-data
COPY --from=tracer-builder /src/target/release/x2t-sandbox /x2t-sandbox
CMD ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]
FROM base as copy-to-data
COPY --from=sandbox-builder /src/target/release/x2t-sandbox /x2t-sandbox
CMD ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]

25
build/Dockerfile.ubuntu-env-override
View File

@ -1,25 +0,0 @@
ARG REGISTRY=docker.io
ARG BASE=library/ubuntu:20.04
FROM ${REGISTRY}/${BASE} as base
FROM base as builder
RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
COPY Cargo.toml Cargo.lock build.rs /src/
COPY src /src/src
COPY x2t-sandbox-rulegen /src/x2t-sandbox-rulegen
WORKDIR /src
ARG X2T_SYSCALLS
ENV X2T_SYSCALLS=${X2T_SYSCALLS}
RUN test ! -z "${X2T_SYSCALLS}" || { echo please set X2T_SYSCALLS with --build-arg X2T_SYSCALLS="open:close:read:write:..."; exit 1; }
RUN /root/.cargo/bin/cargo build --release
FROM base as runtime
RUN apt update && apt install libseccomp2 -y && rm -rf /var/apt
COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
FROM base as copy-to-data
COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
CMD ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]

11
build/x2t-snadbox-rulegen-ubuntu.dockerfile Normal file
View File

@ -0,0 +1,11 @@
ARG BASE_IMAGE=nexus.jianguoyun.net.cn/infra/documentserver:7.3.3-2
FROM ${BASE_IMAGE}
RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
apt-get update && \
apt-get install -y build-essential libseccomp-dev curl pkg-config libseccomp2 && \
rm -rf /var/lib/apt/lists/*
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
ENTRYPOINT []

9
build/x2t-snadbox-ubuntu.dockerfile Normal file
View File

@ -0,0 +1,9 @@
ARG BASE_IMAGE=ubuntu:22.04
FROM ${BASE_IMAGE}
RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
apt-get update && \
apt-get install -y build-essential libseccomp-dev curl pkg-config libseccomp2 && \
rm -rf /var/lib/apt/lists/*
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y

3
data/Doc.xml
View File

@ -1,7 +1,6 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<TaskQueueDataConvert> <TaskQueueDataConvert>
<m_sFileFrom> <m_sFileFrom>/data/Doc.docx</m_sFileFrom>
/data/Doc.docx</m_sFileFrom>
<m_sFileTo>/data/Doc.bin</m_sFileTo> <m_sFileTo>/data/Doc.bin</m_sFileTo>
<m_nFormatTo>8192</m_nFormatTo> <m_nFormatTo>8192</m_nFormatTo>
<m_sThemeDir>./themes</m_sThemeDir> <m_sThemeDir>./themes</m_sThemeDir>

18
generate-sandbox-rule.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
set -euox pipefail
if [ $# -ne 3 ]; then
echo "Usage: $0 <x2t abs path> <x2t-sandbox abs path> <xml data abs path>"
exit 1
fi
X2T=$1
X2T_SANDBOX=$2
DATA=$3
for filename in $(ls ${DATA} | grep "\.xml$"); do
${X2T_SANDBOX} -l ${filename}.out ${X2T} ${DATA}/${filename}
done
cat ./*.out | sort | uniq > x2t-syscalls.txt