Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Isolating the algorithm that the Agent runs from the rest of the kernel #100

Open
SammyOina opened this issue Apr 4, 2024 · 9 comments
Open

Feature: Isolating the algorithm that the Agent runs from the rest of the kernel #100

SammyOina opened this issue Apr 4, 2024 · 9 comments
Assignees
@danko-miladinovic

Comments

@SammyOina
Copy link
Contributor

Is your feature request related to a problem? Please describe.

No

Describe the feature you are requesting, as well as the possible use case(s) for it.

Isolating the algorithm that the Agent runs from the rest of the kernel

Indicate the importance of this feature to you.

Must-have

Anything else?

No response
@dborovcanin
Copy link
Contributor

@danko-miladinovic Please open a drat PR for this one.

@drasko
Copy link
Contributor

drasko commented Apr 17, 2024

As an inspiration, we can take a look at VerneMQ docker start script, and see how we can set the user with the correct UID and permissions.

This can probably be done even with Buildroot, during the rootfs building phase (or maybe with post-build hook).

@danko-miladinovic
Copy link
Contributor

danko-miladinovic commented Apr 22, 2024
edited
Loading

In order to isolate the algorithm, we have several options:

  1. Create a new user without sudo privileges and make the Agent run the algorithm as that user. This way the application will not be able to access the log files and it will not be able to kill the Agent (for example, for the purpose off replacing the Agent).
  2. Linux Namespaces or similar tools that use Linux Namespaces. This way we can create sandbox environments to execute the algorithm. Some of the tools that use Linux Namespaces for isolation are:
  1. Use Wasm. This option is interesting because it isolates the runtime environment and also gives users options to use different programing languages for their applications. The problem here is that we cannot have files.
  2. AppArmor or similar modules - Linux security module used to confine individual programs to a set of rules. This can be used in combination with the first method.

If I understood the VerneMQ docker Dockfile and start script, VerneMQ creates a new user and runs the init script as that new user. The user does not have sudo privileges.

@danko-miladinovic danko-miladinovic mentioned this issue Apr 29, 2024
Closed
@drasko
Copy link
Contributor

drasko commented Apr 29, 2024

Probably try with namespaces initially, but I would like Docker and Wasm to be explored as well.

@dborovcanin
Copy link
Contributor

What's the status here? @danko-miladinovic

@danko-miladinovic
Copy link
Contributor

What's the status here? @danko-miladinovic

There is a problem with pivot_root operation. This operation is needed to create an isolated Linux namespace process. This was intended to be used with static executables.

This is an alternative to docker, but if we move to docker this is not needed.

@dborovcanin
Copy link
Contributor

Let's put this on hold until we decide what to use to run computation (executable, docker or something else).

@drasko
Copy link
Contributor

drasko commented Jun 14, 2024

We agreed to enable first Python with requirements.txt, and then after that Docker container.

@drasko
Copy link
Contributor

drasko commented Aug 14, 2024

This is probably duplicate of Wasm and Docker ones, right? If yes - please close it with the reference.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danko-miladinovic danko-miladinovic

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@drasko @dborovcanin @SammyOina @danko-miladinovic