overleaf-toolkit/doc/sandboxed-compiles.md

# Sandboxed Compiles

In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.

This feature is also known as "Sibling containers" as LaTeX compiles are running in a sibling container next to the Server Pro docker container.

When not using Sandboxed Compiles, users have full read and write access to the `sharelatex` container resources (filesystem, network, environment variables) when running LaTeX compiles.

Note: Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required.

## How It Works

When sandboxed compiles are enabled, the toolkit will mount the docker socket from the host into the overleaf container, so that the compiler service in the container can create new docker containers on the host. Then for each run of the compiler in each project, the LaTeX compiler service (CLSI) will do the following:

- Write out the project files to a location inside the `OVERLEAF_DATA_PATH`, 
- Use the mounted docker socket to create a new `texlive` container for the compile run
- Have the `texlive` container read the project data from the location under `OVERLEAF_DATA_PATH`
- Compile the project inside the `texlive` container


## Enabling Sibling Containers

In `config/overleaf.rc`, set `SIBLING_CONTAINERS_ENABLED=true`, and ensure that the `DOCKER_SOCKET_PATH` setting is set to the location of the docker socket on the host.

The next time you start the docker services (with `bin/up`), the requested TeX Live image (`ALL_TEX_LIVE_DOCKER_IMAGES`) will get downloaded. This process can take several minutes. Once the images have been downloaded, the Server Pro container will get started with the latest configuration changes applied (such as enabling the Sandboxed Compiles feature or adding new TeX Live images).

You can skip the download of images using `SIBLING_CONTAINERS_PULL=false` in `config/overleaf.rc`.

Note: We do not support running sandboxed compiles with Docker as installed via `snap`. Please follow the steps for installing Docker CE on https://docs.docker.com/engine/install/.
Public release of the Overleaf Toolkit 2020-06-02 14:20:23 +01:00			`# Sandboxed Compiles`

Loud warning for SIBLING_CONTAINERS_ENABLED=false 2024-08-28 13:17:45 +01:00			`In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.`

			`This feature is also known as "Sibling containers" as LaTeX compiles are running in a sibling container next to the Server Pro docker container.`

			When not using Sandboxed Compiles, users have full read and write access to the `sharelatex` container resources (filesystem, network, environment variables) when running LaTeX compiles.

			`Note: Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required.`
Public release of the Overleaf Toolkit 2020-06-02 14:20:23 +01:00
			`## How It Works`

			`When sandboxed compiles are enabled, the toolkit will mount the docker socket from the host into the overleaf container, so that the compiler service in the container can create new docker containers on the host. Then for each run of the compiler in each project, the LaTeX compiler service (CLSI) will do the following:`

Scripts to update config/overleaf.rc and config-seed rebrand (#217) * Add scripts to rebrand variables.env and overleaf.rc * Update bin/upgrade to prompt for config file rebrand * Update bin/up to check for correct variable prefix Ensures SHARELATEX_ is in place for version <= 4.x, and OVERLEAF_ for version >= 5.x * Rebrand variables for bin/docker-compose Updates docker-compose.base.yml and sibling containers base file with the changes in the script * Update bin/doctor to support OVERLEAF_ prefix * Update documentation with the OVERLEAF_ prefix * Rebrand variables.env and overleaf.rc in config-seed * Prepare config/version and CHANGELOG for release (WIP) * Fix script documentation Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> * Fix doctor logs Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> * Remove unnecessary fallbacks to SHARELATEX_ vars * SEt OVERLEAF_DATA_PATH to data/overleaf * Remove duplicated environment entries * Moved prefix brand checs from bin/up to bin/docker-compose * Move set +o pipefail into subshell commands * Use separate legacy compose files for required SHARELATEX_ vars * Handle overleaf.rc rebranding before version upgrade * Group output from rebranding process * Move prompt for rebranding into helper function * Refuse to start with mismatching ShareLaTeX vs Overleaf branded configs * Print expected prefix when checking variables.env * Print number of mismatching variables in overleaf.rc * Check on variable rebranding from bin/doctor * Cleanup bin/doctor lookup for ShareLaTeX branded overleaf.rc * Update filesystem paths in bin/logs and docs * Flag old TEXMFVAR entry in config/variables.env REF: 1829e7ee2aa2c523a44cb1ea1f9639fcbd53caa1 * Update config-seed version to 5.0.1 and changelog --------- Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> 2024-04-02 16:43:08 +02:00			- Write out the project files to a location inside the `OVERLEAF_DATA_PATH`,
Public release of the Overleaf Toolkit 2020-06-02 14:20:23 +01:00			- Use the mounted docker socket to create a new `texlive` container for the compile run
Scripts to update config/overleaf.rc and config-seed rebrand (#217) * Add scripts to rebrand variables.env and overleaf.rc * Update bin/upgrade to prompt for config file rebrand * Update bin/up to check for correct variable prefix Ensures SHARELATEX_ is in place for version <= 4.x, and OVERLEAF_ for version >= 5.x * Rebrand variables for bin/docker-compose Updates docker-compose.base.yml and sibling containers base file with the changes in the script * Update bin/doctor to support OVERLEAF_ prefix * Update documentation with the OVERLEAF_ prefix * Rebrand variables.env and overleaf.rc in config-seed * Prepare config/version and CHANGELOG for release (WIP) * Fix script documentation Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> * Fix doctor logs Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> * Remove unnecessary fallbacks to SHARELATEX_ vars * SEt OVERLEAF_DATA_PATH to data/overleaf * Remove duplicated environment entries * Moved prefix brand checs from bin/up to bin/docker-compose * Move set +o pipefail into subshell commands * Use separate legacy compose files for required SHARELATEX_ vars * Handle overleaf.rc rebranding before version upgrade * Group output from rebranding process * Move prompt for rebranding into helper function * Refuse to start with mismatching ShareLaTeX vs Overleaf branded configs * Print expected prefix when checking variables.env * Print number of mismatching variables in overleaf.rc * Check on variable rebranding from bin/doctor * Cleanup bin/doctor lookup for ShareLaTeX branded overleaf.rc * Update filesystem paths in bin/logs and docs * Flag old TEXMFVAR entry in config/variables.env REF: 1829e7ee2aa2c523a44cb1ea1f9639fcbd53caa1 * Update config-seed version to 5.0.1 and changelog --------- Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> 2024-04-02 16:43:08 +02:00			- Have the `texlive` container read the project data from the location under `OVERLEAF_DATA_PATH`
Public release of the Overleaf Toolkit 2020-06-02 14:20:23 +01:00			- Compile the project inside the `texlive` container


			`## Enabling Sibling Containers`

			In `config/overleaf.rc`, set `SIBLING_CONTAINERS_ENABLED=true`, and ensure that the `DOCKER_SOCKET_PATH` setting is set to the location of the docker socket on the host.

bin/up: pull TeX Live images before starting up 2024-05-27 15:32:53 +01:00			The next time you start the docker services (with `bin/up`), the requested TeX Live image (`ALL_TEX_LIVE_DOCKER_IMAGES`) will get downloaded. This process can take several minutes. Once the images have been downloaded, the Server Pro container will get started with the latest configuration changes applied (such as enabling the Sandboxed Compiles feature or adding new TeX Live images).

			You can skip the download of images using `SIBLING_CONTAINERS_PULL=false` in `config/overleaf.rc`.
bin/doctor: warn about using docker installed via snap 2024-05-08 16:30:05 +01:00
			Note: We do not support running sandboxed compiles with Docker as installed via `snap`. Please follow the steps for installing Docker CE on https://docs.docker.com/engine/install/.