mirror of
https://github.com/compiler-explorer/compiler-explorer.git
synced 2025-12-27 10:33:59 -05:00
283 lines
4.8 KiB
INI
283 lines
4.8 KiB
INI
name: "compiler explorer compilation/tool sandbox"
|
|
|
|
mode: ONCE
|
|
hostname: "ce"
|
|
|
|
time_limit: 0
|
|
|
|
log_level: FATAL
|
|
|
|
rlimit_as_type: INF
|
|
rlimit_cpu_type: SOFT
|
|
rlimit_fsize: 1024 # 1GB
|
|
rlimit_nofile: 300 # 300 because .NET loves to open many files
|
|
|
|
uidmap {
|
|
inside_id: "10240"
|
|
}
|
|
|
|
gidmap {
|
|
inside_id: "10240"
|
|
}
|
|
|
|
detect_cgroupv2: true
|
|
|
|
# for cgroups v1:
|
|
# must run following as root during system startup
|
|
# cgcreate -a $USER:$USER -g memory,pids,cpu,net_cls:ce-compile
|
|
cgroup_mem_parent: "ce-compile"
|
|
cgroup_pids_parent: "ce-compile"
|
|
cgroup_net_cls_parent: "ce-compile"
|
|
cgroup_cpu_parent: "ce-compile"
|
|
|
|
cgroup_mem_max: 1342177280 # 1.25 GiB
|
|
cgroup_pids_max: 72
|
|
cgroup_cpu_ms_per_sec: 1000
|
|
|
|
# for cgroups v2:
|
|
# must run following as root during system startup
|
|
# cgcreate -a $USER:$USER -g memory,pids,cpu:ce-compile
|
|
# sudo chown $USER:root /sys/fs/cgroup/cgroup.procs
|
|
cgroupv2_mount: "/sys/fs/cgroup/ce-compile"
|
|
|
|
mount {
|
|
src: "/bin"
|
|
dst: "/bin"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/lib"
|
|
dst: "/lib"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/usr"
|
|
dst: "/usr"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/etc/alternatives"
|
|
dst: "/etc/alternatives"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/etc/localtime"
|
|
dst: "/etc/localtime"
|
|
is_bind: true
|
|
}
|
|
mount {
|
|
src_content: "nobody:x:65534:65534:Not root:/root:/none\nce:x:10240:10240:Not a real account:/app:/bin/bash"
|
|
dst: "/etc/passwd"
|
|
is_bind: true
|
|
}
|
|
mount {
|
|
src_content: "nogroup:x:65534:\n\nce:x:10240:"
|
|
dst: "/etc/group"
|
|
is_bind: true
|
|
}
|
|
mount {
|
|
# this password hash is here intentionally, and is not actually used for anything
|
|
src_content: "ce:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::"
|
|
dst: "/etc/shadow"
|
|
is_bind: true
|
|
}
|
|
# Mounting ld.so.conf* is needed to get the magic that lets pthread be found by libc.
|
|
# See https://github.com/compiler-explorer/compiler-explorer/issues/2611
|
|
mount {
|
|
src: "/etc/ld.so.conf.d"
|
|
dst: "/etc/ld.so.conf.d"
|
|
is_bind: true
|
|
}
|
|
mount {
|
|
src: "/etc/ld.so.conf"
|
|
dst: "/etc/ld.so.conf"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/lib64"
|
|
dst: "/lib64"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/lib32"
|
|
dst: "/lib32"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
dst: "/tmp"
|
|
fstype: "tmpfs"
|
|
options: "size=536870912,nr_inodes=1000" # 512MiB; nvc++ is particularly disk-intensive
|
|
rw: true
|
|
noexec: true
|
|
nodev: true
|
|
nosuid: true
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/null"
|
|
dst: "/dev/null"
|
|
rw: true
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/zero"
|
|
dst: "/dev/zero"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/urandom"
|
|
dst: "/dev/random"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/urandom"
|
|
dst: "/dev/urandom"
|
|
is_bind: true
|
|
}
|
|
|
|
###
|
|
# Support for stdbuf
|
|
mount {
|
|
src: "/usr/bin/stdbuf"
|
|
dst: "/usr/bin/stdbuf"
|
|
is_bind: true
|
|
}
|
|
mount {
|
|
src: "/usr/libexec/coreutils/libstdbuf.so"
|
|
dst: "/usr/libexec/coreutils/libstdbuf.so"
|
|
is_bind: true
|
|
}
|
|
###
|
|
|
|
###
|
|
# NVidia support
|
|
mount {
|
|
src: "/dev/nvidia0"
|
|
dst: "/dev/nvidia0"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/nvidiactl"
|
|
dst: "/dev/nvidiactl"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/nvidia-modeset"
|
|
dst: "/dev/nvidia-modeset"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/dev/nvidia-uvm"
|
|
dst: "/dev/nvidia-uvm"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
mount {
|
|
src: "/dev/nvidia-uvm-tools"
|
|
dst: "/dev/nvidia-uvm-tools"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/sys/module/nvidia"
|
|
dst: "/sys/module/nvidia"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/sys/module/nvidia_uvm"
|
|
dst: "/sys/module/nvidia_uvm"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
# End NVidia support
|
|
###
|
|
|
|
mount {
|
|
dst: "/proc"
|
|
fstype: "proc"
|
|
rw: true # Needed for NVidia driver
|
|
}
|
|
|
|
mount {
|
|
src: "/sys/devices/system/cpu"
|
|
dst: "/sys/devices/system/cpu"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/opt/compiler-explorer"
|
|
dst: "/opt/compiler-explorer"
|
|
is_bind: true
|
|
}
|
|
|
|
mount {
|
|
src: "/cefs"
|
|
dst: "/cefs"
|
|
is_bind: true
|
|
# needed for cefs to see new mounts.
|
|
# needs ce's patched nsjail to work
|
|
# http://github.com/compiler-explorer/nsjail
|
|
needs_mount_propagation: true
|
|
}
|
|
|
|
# Needed for icc
|
|
mount {
|
|
src: "/opt/intel"
|
|
dst: "/opt/intel"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
# Needed for ARM non-free compilers
|
|
mount {
|
|
src: "/opt/arm"
|
|
dst: "/opt/arm"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
# Needed for QNX non-free compilers
|
|
mount {
|
|
src: "/opt/qnx"
|
|
dst: "/opt/qnx"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
# Needed for things with shim scripts e.g. Python
|
|
mount {
|
|
src: "/infra/.deploy/etc/scripts"
|
|
dst: "/infra/.deploy/etc/scripts"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|
|
|
|
mount {
|
|
src: "/infra/.deploy/examples"
|
|
dst: "/infra/.deploy/examples"
|
|
is_bind: true
|
|
mandatory: false
|
|
}
|