mirror of https://github.com/overleaf/toolkit.git synced 2025-04-19 07:18:06 +02:00

Loud warning for SIBLING_CONTAINERS_ENABLED=false

Jakob Ackermann 2024-08-28 13:17:45 +01:00
parent b7af392f9a
commit 293c8366ba
No known key found for this signature in database
GPG key ID: 30C56800FCA3828A
4 changed files with 30 additions and 5 deletions

@ -1,5 +1,10 @@
# Changelog
## 2024-08-27
### Added
- Add loud warning to `bin/doctor` when not using Sandboxed Compiles/`SIBLING_CONTAINERS_ENABLED=true`
- Refuse to start Community Edition with `SIBLING_CONTAINERS_ENABLED=true`
## 2024-08-27
### Added
- Surface `MONGO_VERSION` from `bin/doctor`
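
Review bot: The new `## 2024-08-27` section sits directly above an existing `## 2024-08-27` section, so the changelog ends up with two headings carrying the same date, while the commit itself is dated 2024-08-28. Either date the new section 2024-08-28 or move the two new bullets into the existing section's `### Added` list. The first bullet would also read more clearly if it named the condition directly, for example "when `SIBLING_CONTAINERS_ENABLED` is not `true`".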

@ -28,8 +28,17 @@ function build_environment() {
if [[ $MONGO_ENABLED == "true" ]]; then
set_mongo_vars
fi
if [[ $SERVER_PRO == "true" && "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then
if [[ "$SIBLING_CONTAINERS_ENABLED" == "true" ]]; then
if [[ $SERVER_PRO == "true" ]]; then
set_sibling_containers_vars
else
echo "ERROR: SIBLING_CONTAINERS_ENABLED=true is not supported in Overleaf Community Edition." >&2
echo " Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required." >&2
echo " When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles." >&2
echo " Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features." >&2
echo " Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles." >&2
exit 1
fi
fi
if [[ $NGINX_ENABLED == "true" ]]; then
set_nginx_vars
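
Review bot: In `build_environment`, only the `"$SIBLING_CONTAINERS_ENABLED" == "true"` branch produces output, so a start with the variable unset or set to `false` stays silent and the new warning about in-container compiles reaches only operators who run `bin/doctor`. Consider an `else` on the outer `if` that prints a short warning to stderr without exiting. The five `echo` lines also repeat sentences that appear in the doctor warnings and in the docs hunk; a shared helper or a single pointer to the documentation would keep the three copies from drifting apart.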

@ -212,6 +212,10 @@ function check_config_files() {
fi
print_point 2 "SERVER_PRO: $SERVER_PRO"
print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED"
if [[ "${SIBLING_CONTAINERS_ENABLED:-null}" != "true" ]]; then
add_warning "Detected SIBLING_CONTAINERS_ENABLED=false. When not using Sibling containers, users have full read and write access to the 'sharelatex' container resources (filesystem, network, environment variables) when running LaTeX compiles. Only use this mode in environments where all users are trusted and no isolation of users is required."
fi
if [[ "${SERVER_PRO:-null}" == "true" ]]; then
local logged_in
logged_in="$(grep -q quay.io ~/.docker/config.json && echo 'true' || echo 'false')"
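
Review bot: The condition `"${SIBLING_CONTAINERS_ENABLED:-null}" != "true"` also matches an unset variable and any other value, yet the warning text states "Detected SIBLING_CONTAINERS_ENABLED=false". Report the actual value instead, so an operator who left the setting out or mistyped it can see what was read. The `print_point` line above it expands `$SIBLING_CONTAINERS_ENABLED` without a default, unlike the `${...:-null}` form used in the checks; using the same form in both places would make the unset case explicit.
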
@ -226,7 +230,8 @@ function check_config_files() {
)
add_warning "${warning_message[@]}"
fi
print_point 2 "SIBLING_CONTAINERS_ENABLED: $SIBLING_CONTAINERS_ENABLED"
elif [[ "${SIBLING_CONTAINERS_ENABLED:-null}" == "true" ]]; then
add_warning "Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required. Sibling containers are offered as part of our Server Pro offering and you can read more about the differences at https://www.overleaf.com/for/enterprises/features. Set SIBLING_CONTAINERS_ENABLED=false in config/overleaf.rc to continue using insecure in-container compiles."
fi
if [[ "${OVERLEAF_LISTEN_IP:-null}" != "null" ]]; then
print_point 2 "OVERLEAF_LISTEN_IP: ${OVERLEAF_LISTEN_IP}"
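
Review bot: The `elif` branch reports Community Edition with `SIBLING_CONTAINERS_ENABLED=true` as a warning, but `build_environment` prints an error and runs `exit 1` for the same configuration, so the doctor output understates the outcome. Say in the message that the instance will refuse to start until the setting is changed. The text would also be easier to maintain in the array form used just above (`add_warning "${warning_message[@]}"`) than as one long string.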

@ -2,6 +2,12 @@
In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.
This feature is also known as "Sibling containers" as LaTeX compiles are running in a sibling container next to the Server Pro docker container.
When not using Sandboxed Compiles, users have full read and write access to the `sharelatex` container resources (filesystem, network, environment variables) when running LaTeX compiles.
Note: Sibling containers are not available in Community Edition, which is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required.
## How It Works
When sandboxed compiles are enabled, the toolkit will mount the docker socket from the host into the overleaf container, so that the compiler service in the container can create new docker containers on the host. Then for each run of the compiler in each project, the LaTeX compiler service (CLSI) will do the following:
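
Review bot: The added note says Sibling containers are not available in Community Edition but does not mention that the toolkit now refuses to start when `SIBLING_CONTAINERS_ENABLED=true` is set there, and it never names the setting. Mention `SIBLING_CONTAINERS_ENABLED` and `config/overleaf.rc` in the new paragraph so a reader who hits the startup error or the doctor warning can connect it to this page.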