Swap out playpen for docker

alexcrichton · alexcrichton · commit 4d9f710ea770 · 2016-06-21T11:01:49.000-07:00
diff --git a/.travis.yml b/.travis.yml
@@ -1,8 +1,19 @@
 language: rust
-rust:
-  - nightly
+sudo: required
+dist: trusty
+rust: stable
+services:
+  - docker
+
 install:
   - npm install jshint
+  - pip install pygments
 script:
   - find static/ -iname "*.js" | xargs jshint
   - cargo build
+  - sh docker/build.sh
+  - cargo test
+
+notifications:
+  email:
+    on_success: never
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,6 +16,7 @@ staticfile = "0.2.0"
 toml = "0.1.30"
 unicase = "1.4.0"
 url = "1.1.1"
+wait-timeout = "0.1"
 
 [dependencies.irc]
 default-features = false
diff --git a/docker/Dockerfile-beta b/docker/Dockerfile-beta
@@ -0,0 +1,11 @@
+FROM ubuntu:16.04
+
+RUN apt-get update
+RUN apt-get install -y --no-install-recommends \
+      gcc libc6-dev curl file ca-certificates
+COPY bin/compile.sh bin/evaluate.sh /usr/local/bin/
+COPY install.sh /tmp
+RUN sh /tmp/install.sh beta
+USER nobody
+
+WORKDIR /tmp
diff --git a/docker/Dockerfile-nightly b/docker/Dockerfile-nightly
@@ -0,0 +1,11 @@
+FROM ubuntu:16.04
+
+RUN apt-get update
+RUN apt-get install -y --no-install-recommends \
+      gcc libc6-dev curl file ca-certificates
+COPY bin/compile.sh bin/evaluate.sh /usr/local/bin/
+COPY install.sh /tmp
+RUN sh /tmp/install.sh nightly
+USER nobody
+
+WORKDIR /tmp
diff --git a/docker/Dockerfile-stable b/docker/Dockerfile-stable
@@ -0,0 +1,11 @@
+FROM ubuntu:16.04
+
+RUN apt-get update
+RUN apt-get install -y --no-install-recommends \
+      gcc libc6-dev curl file ca-certificates
+COPY bin/compile.sh bin/evaluate.sh /usr/local/bin/
+COPY install.sh /tmp
+RUN sh /tmp/install.sh stable
+USER nobody
+
+WORKDIR /tmp
diff --git a/docker/bin/compile.sh b/docker/bin/compile.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/dash
+#!/bin/dash
 
 set -o errexit
 
diff --git a/docker/bin/evaluate.sh b/docker/bin/evaluate.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/dash
+#!/bin/dash
 
 set -o errexit
 
diff --git a/docker/build.sh b/docker/build.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+for channel in stable beta nightly; do
+    docker build \
+        --no-cache \
+        --force-rm \
+        --pull \
+        --rm \
+        --tag rust-playpen-$channel \
+        --file docker/Dockerfile-$channel \
+        docker
+done
diff --git a/docker/install.sh b/docker/install.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+curl https://static.rust-lang.org/rustup.sh | \
+  sh -s -- --disable-sudo --channel=$1 -y
+cargo install --debug rustfmt --root /usr/local
diff --git a/src/bin/playbot.rs b/src/bin/playbot.rs
@@ -1,26 +1,24 @@
-extern crate rust_playpen;
-
 #[macro_use] extern crate log;
 extern crate env_logger;
+extern crate hyper;
 extern crate irc;
+extern crate rust_playpen;
+extern crate rustc_serialize;
 extern crate toml;
-extern crate hyper;
 extern crate url;
-extern crate rustc_serialize;
-
-use rust_playpen::ReleaseChannel;
-
-use irc::client::prelude::*;
-use url::form_urlencoded;
-use hyper::client::Client;
-use rustc_serialize::json;
 
 use std::fs::{self, File};
 use std::io::{self, Read};
 use std::str;
 use std::u16;
 use std::thread;
 
+use hyper::client::Client;
+use irc::client::prelude::*;
+use rust_playpen::ReleaseChannel;
+use rustc_serialize::json;
+use url::form_urlencoded;
+
 static DEFAULT_CHANNEL: ReleaseChannel = ReleaseChannel::Stable;
 
 fn get_rust_versions() -> Vec<String> {
diff --git a/src/bin/playpen.rs b/src/bin/playpen.rs
@@ -1,13 +1,12 @@
-extern crate rust_playpen;
-
 #[macro_use] extern crate iron;
 #[macro_use] extern crate log;
 extern crate env_logger;
 extern crate hyper;
-extern crate staticfile;
 extern crate router;
-extern crate unicase;
+extern crate rust_playpen;
 extern crate rustc_serialize;
+extern crate staticfile;
+extern crate unicase;
 
 use rust_playpen::*;
 
@@ -100,8 +99,10 @@ fn evaluate(req: &mut Request) -> IronResult<Response> {
         args.push(String::from("--test"));
     }
 
-    let (_status, output) = itry!(
-        rust_playpen::exec(version, "/usr/local/bin/evaluate.sh", args, data.code));
+    let (_status, output) = itry!(rust_playpen::exec(version,
+                                                     "/usr/local/bin/evaluate.sh",
+                                                     args,
+                                                     data.code));
 
     let mut obj = json::Object::new();
     if separate_output {
@@ -200,7 +201,7 @@ fn format(req: &mut Request) -> IronResult<Response> {
     let version = itry!(data.version.map(|v| v.parse()).unwrap_or(Ok(ReleaseChannel::Stable)));
 
     let (status, output) = itry!(
-        rust_playpen::exec(version, "/usr/bin/rustfmt", Vec::new(), data.code));
+        rust_playpen::exec(version, "rustfmt", Vec::new(), data.code));
     let output = String::from_utf8(output).unwrap();
     let mut response_obj = json::Object::new();
     if status.success() {
@@ -244,7 +245,7 @@ fn main() {
     let mut chain = Chain::new(router);
     chain.link_after(EnablePostCors);
 
-    let addr = ("0.0.0.0", 80);
-    info!("listening on {:?}", addr);
+    let addr = ("127.0.0.1", 8080);
+    println!("listening on {:?}", addr);
     Iron::new(chain).http(addr).unwrap();
 }
diff --git a/src/docker.rs b/src/docker.rs
@@ -0,0 +1,112 @@
+use std::io;
+use std::io::prelude::*;
+use std::mem;
+use std::process::{Output, Command, Stdio, ExitStatus};
+use std::sync::{Arc, Mutex};
+use std::thread;
+use std::time::Duration;
+
+use wait_timeout::ChildExt;
+
+pub struct Container {
+    id: String,
+}
+
+impl Container {
+    pub fn new(cmd: &str,
+               args: &[String],
+               name: &str) -> io::Result<Container> {
+        let out = try!(run(Command::new("docker")
+                                   .arg("create")
+                                   .arg("--cap-drop=ALL")
+                                   .arg("--memory=128m")
+                                   .arg("--net=none")
+                                   .arg("--pids-limit=5")
+                                   .arg("--security-opt=no-new-privileges")
+                                   .arg("--interactive")
+                                   .arg(name)
+                                   .arg(cmd)
+                                   .stderr(Stdio::inherit())
+                                   .args(args)));
+        let stdout = String::from_utf8_lossy(&out.stdout);
+        Ok(Container {
+            id: stdout.trim().to_string(),
+        })
+    }
+
+    pub fn run(&self,
+               input: &[u8],
+               timeout: Duration)
+               -> io::Result<(ExitStatus, Vec<u8>, bool)> {
+        let mut cmd = Command::new("docker");
+        cmd.arg("start")
+           .arg("--attach")
+           .arg("--interactive")
+           .arg(&self.id)
+           .stdin(Stdio::piped())
+           .stdout(Stdio::piped())
+           .stderr(Stdio::piped());
+        debug!("attaching with {:?}", cmd);
+        let mut cmd = try!(cmd.spawn());
+        try!(cmd.stdin.take().unwrap().write_all(input));
+        debug!("input written, now waiting");
+
+        let mut stdout = cmd.stdout.take().unwrap();
+        let mut stderr = cmd.stderr.take().unwrap();
+        let sink = Arc::new(Mutex::new(Vec::new()));
+        let sink2 = sink.clone();
+        let stdout = thread::spawn(move || append(&sink2, &mut stdout));
+        let sink2 = sink.clone();
+        let stderr = thread::spawn(move || append(&sink2, &mut stderr));
+
+        let (status, timeout) = match try!(cmd.wait_timeout(timeout)) {
+            Some(status) => {
+                debug!("finished before timeout");
+                // TODO: document this
+                (unsafe { mem::transmute(status) }, false)
+            }
+            None => {
+                debug!("timeout, going to kill");
+                try!(run(Command::new("docker").arg("kill").arg(&self.id)));
+                (try!(cmd.wait()), true)
+            }
+        };
+        stdout.join().unwrap();
+        stderr.join().unwrap();
+        let mut lock = sink.lock().unwrap();
+        let output = mem::replace(&mut *lock, Vec::new());
+        debug!("status: {}", status);
+        debug!("output: {}", String::from_utf8_lossy(&output));
+        Ok((status, output, timeout))
+    }
+}
+
+fn append(into: &Mutex<Vec<u8>>, from: &mut Read) {
+    let mut buf = [0; 1024];
+    while let Ok(amt) = from.read(&mut buf) {
+        if amt == 0 {
+            break
+        }
+        into.lock().unwrap().extend_from_slice(&buf[..amt]);
+    }
+}
+
+impl Drop for Container {
+    fn drop(&mut self) {
+        run(Command::new("docker")
+                    .arg("rm")
+                    .arg("--force")
+                    .arg(&self.id)).unwrap();
+    }
+}
+
+fn run(cmd: &mut Command) -> io::Result<Output> {
+    debug!("spawning: {:?}", cmd);
+    let out = try!(cmd.output());
+    debug!("output: {:?}", out);
+    if !out.status.success() {
+        let msg = format!("process failed: {:?}\n{:?}", cmd, out);
+        return Err(io::Error::new(io::ErrorKind::Other, msg))
+    }
+    Ok(out)
+}
diff --git a/src/lib.rs b/src/lib.rs
diff --git a/static/web.html b/static/web.html

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-#!/usr/bin/dash`
	`1`	`+#!/bin/dash`
`2`	`2`
`3`	`3`	`set -o errexit`
`4`	`4`