
Commit dbafa25

djeebusgithub-actions[bot]claude
authored
use chroot/umount/pivotroot instead of jailing (#2091)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
1 parent 6b2b89d commit dbafa25

109 files changed

Lines changed: 4023 additions & 1907 deletions


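--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -59,43 +59,6 @@ packages:
 filename: mockstorageprovider.go
 pkgname: providermocks
 
-github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/build:
-interfaces:
-Diff:
-config:
-dir: packages/orchestrator/internal/sandbox/build/mocks
-filename: mockdiff.go
-pkgname: buildmocks
-
-github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/block:
-interfaces:
-ReadonlyDevice:
-config:
-dir: packages/orchestrator/internal/sandbox/block/mocks
-filename: mockreadonlydevice.go
-pkgname: blockmocks
-
-github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/template/peerserver:
-interfaces:
-Cache:
-config:
-dir: packages/orchestrator/internal/sandbox/template/peerserver/mocks
-filename: mockcache.go
-pkgname: peerservermocks
-
-github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox/template:
-interfaces:
-Template:
-config:
-dir: packages/orchestrator/internal/sandbox/template/mocks
-filename: mocktemplate.go
-pkgname: templatemocks
-File:
-config:
-dir: packages/orchestrator/internal/sandbox/template/mocks
-filename: mockfile.go
-pkgname: templatemocks
-
 
 io:
 interfaces:
@@ -121,29 +84,3 @@ packages:
 filename: mockfeatureflagsclient.go
 pkgname: handlersmocks
 structname: MockFeatureFlagsClient
-
-github.com/willscott/go-nfs:
-interfaces:
-Handler:
-config:
-dir: packages/orchestrator/internal/nfsproxy/mocks
-filename: nfshandler.go
-pkgname: nfsproxymocks
-
-github.com/go-git/go-billy/v5:
-interfaces:
-Change:
-config:
-dir: packages/orchestrator/internal/nfsproxy/mocks
-filename: billychange.go
-pkgname: nfsproxymocks
-File:
-config:
-dir: packages/orchestrator/internal/nfsproxy/mocks
-filename: billyfile.go
-pkgname: nfsproxymocks
-Filesystem:
-config:
-dir: packages/orchestrator/internal/nfsproxy/mocks
-filename: billyfs.go
-pkgname: nfsproxymocks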

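--- a/iac/modules/job-orchestrator/jobs/orchestrator.hcl
+++ b/iac/modules/job-orchestrator/jobs/orchestrator.hcl
@@ -119,6 +119,13 @@ job "orchestrator-${latest_orchestrator_job_id}" {
 %{ if persistent_volume_mounts != "" }
 PERSISTENT_VOLUME_MOUNTS = "${persistent_volume_mounts}"
 %{ endif }
+
+%{ for key, value in job_env_vars }
+%{ if value != "" }
+${ key } = "${ value }"
+%{ endif }
+%{ endfor }
+
 }
 
 config {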
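Review bot: The value at new line 125 is interpolated verbatim inside double quotes, so a job_env_vars value containing a `"` or a backslash produces a syntactically broken job spec, and a value holding `${` is presumably subject to Nomad's own interpolation once the file is rendered. Emitting the value with Terraform's encoder, `${ key } = ${ jsonencode(value) }`, yields a correctly escaped HCL string literal; the key is interpolated unescaped as well, so the map should be documented as taking plain identifier keys or validated at the variable. The `%{ if value != "" }` guard also means a variable cannot be set to an explicitly empty string, which is worth a comment if intended. Anything placed in this map ends up in the rendered job definition readable by every Nomad job reader, so the variable should be documented as not being a channel for secrets. The enclosing env block starts outside the hunk.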

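--- a/iac/modules/job-orchestrator/main.tf
+++ b/iac/modules/job-orchestrator/main.tf
@@ -31,6 +31,7 @@ locals {
 artifact_source = var.artifact_source
 
 use_local_namespace_storage = var.use_local_namespace_storage
+job_env_vars = var.job_env_vars
 }
 
 # Render with placeholder to detect changes in job definition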

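--- a/iac/modules/job-orchestrator/variables.tf
+++ b/iac/modules/job-orchestrator/variables.tf
@@ -143,3 +143,8 @@ variable "persistent_volume_mounts" {
 type = map(string)
 default = {}
 }
+
+variable "job_env_vars" {
+type = map(string)
+default = {}
+}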
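Review bot: The new `job_env_vars` variable at lines 147-150 has no `description`, while the neighbouring variables in this repository carry one (see `gcs_grpc_connection_pool_size` in iac/provider-gcp/nomad/variables.tf). The same applies to `orchestrator_env_vars` in iac/provider-gcp/nomad/variables.tf and `performance_config` in iac/provider-gcp/persistent-volume-types/variables.tf in this commit. A one-liner such as `description = "Extra environment variables rendered verbatim into the orchestrator job's env block; empty values are skipped"` records the verbatim-interpolation and empty-value behaviour of the template where an operator will look for it, and a matching description on `performance_config` should say that `max_iops` is optional and that the block is omitted when the object is null.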

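--- a/iac/provider-gcp/main.tf
+++ b/iac/provider-gcp/main.tf
@@ -61,25 +61,39 @@ locals {
 // Check if all clusters has size greater than 1
 template_manages_clusters_size_gt_1 = alltrue([for c in var.build_clusters_config : (c.cluster_size > 1)])
 
+// for more docs, see https://linux.die.net/man/5/nfs
+default_persistent_volume_type_nfs_mount_options = [
+// network
+"hard", // retry nfs requests indefinitely until they succeed, never fail
+"async", // write eventually
+"nconnect=7", // use multiple connections
+"noresvport", // use a non-privileged source port
+"retrans=3", // retry two times before performing recovery actions
+"timeo=600", // wait 60 seconds (measured in deci-seconds) before retrying a failed request
+
+// resiliency
+"fg", // wait for mounts to finish before exiting
+"cto", // enable "close-to-open" attribute checks
+"lock", // enable network locking
+"local_lock=none", // all locks are network locks
+
+// caching
+"noac", // disable attribute caching. slower, but more reliable
+"lookupcache=none", // disable lookup caching
+
+// security
+"noacl", // do not use an acl
+"sec=sys", // use AUTH_SYS for all requests
+]
+
 persistent_volume_types = {
 for key, config in var.persistent_volume_types : key => {
 local_mount_path = "/mnt/persistent-volume-types/${key}"
 nfs_location = module.persistent-volume-types[key].nfs_location
-nfs_mount_opts = join(",", [ // for more docs, see https://linux.die.net/man/5/nfs
-format("nfsvers=%s", module.persistent-volume-types[key].nfs_version),
-"sync", // write immediately
-"hard", // retry nfs requests indefinitely until they succeed, never fail
-"lookupcache=none", // disable the lookup cache
-"nconnect=7", // use multiple connections
-"noac", // disable attribute cache
-"noacl", // do not use an acl
-"cto", // enable "close-to-open" attribute checks
-"nolock", // do not use locking
-"noresvport", // use a non-privileged source port
-"retrans=2", // retry two times before performing recovery actions
-"sec=sys", // use AUTH_SYS for all requests
-"timeo=600", // wait 60 seconds (measured in deci-seconds) before retrying a failed request
-])
+nfs_mount_opts = join(",", concat(
+[format("nfsvers=%s", module.persistent-volume-types[key].nfs_version)],
+config.mount_options != null ? config.mount_options : local.default_persistent_volume_type_nfs_mount_options,
+))
 }
 }
 }
@@ -272,6 +286,7 @@ module "nomad" {
 envd_timeout = var.envd_timeout
 persistent_volume_mounts = { for key, config in local.persistent_volume_types : key => config["local_mount_path"] }
 default_persistent_volume_type = var.default_persistent_volume_type
+orchestrator_env_vars = var.orchestrator_env_vars
 
 # Template manager
 builder_node_pool = var.build_node_pool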
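Review bot: The comment on new line 71 contradicts its value: the option was raised from `retrans=2` to `retrans=3` but the comment still reads "retry two times", so it should become `"retrans=3", // retry three times before performing recovery actions`. The switch from `sync` to `async` on line 68 is a durability change for persistent volumes — per nfs(5) the client may now hold written data before sending it to the server, so a client crash can lose writes that the previous mount would already have pushed — and a comment recording that trade-off ("write eventually, at the cost of losing buffered writes on a client crash") would stop a later reader from treating it as a pure performance tweak. Line 95 reads `config.mount_options`, which presumably requires `var.persistent_volume_types` to declare that attribute as optional; that variable is not in this commit's visible sections, so it should be confirmed. Note also that a caller-supplied `mount_options` list can repeat `nfsvers=`, which line 94 prepends unconditionally; documenting that the list must not contain it, or filtering it out, avoids a mount with conflicting options.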

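--- a/iac/provider-gcp/nomad/main.tf
+++ b/iac/provider-gcp/nomad/main.tf
@@ -434,6 +434,8 @@ module "orchestrator" {
 domain_name = var.domain_name
 shared_chunk_cache_path = var.shared_chunk_cache_path
 launch_darkly_api_key = trimspace(data.google_secret_manager_secret_version.launch_darkly_api_key.secret_data)
+
+job_env_vars = var.orchestrator_env_vars
 }
 
 data "google_storage_bucket_object" "template_manager" {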

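--- a/iac/provider-gcp/nomad/variables.tf
+++ b/iac/provider-gcp/nomad/variables.tf
@@ -477,3 +477,8 @@ variable "gcs_grpc_connection_pool_size" {
 description = "Number of gRPC connections in the GCS connection pool"
 type = number
 }
+
+variable "orchestrator_env_vars" {
+type = map(string)
+default = {}
+}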

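--- a/iac/provider-gcp/persistent-volume-types/main.tf
+++ b/iac/provider-gcp/persistent-volume-types/main.tf
@@ -21,4 +21,13 @@ resource "google_filestore_instance" "persistent-volumes" {
 modes = ["MODE_IPV4"]
 network = var.network_name
 }
+
+dynamic "performance_config" {
+for_each = var.performance_config == null ? [] : [var.performance_config]
+content {
+fixed_iops {
+max_iops = performance_config.value.max_iops
+}
+}
+}
 }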
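Review bot: The `for_each` guard on new line 26 only checks that the whole object is null, but `max_iops` is declared `optional(number)` in this module's variables.tf, so `performance_config = {}` passes the guard and renders `fixed_iops { max_iops = null }`, which presumably fails provider validation rather than being treated as "no performance config". Guarding on the attribute that is actually used, `for_each = try(var.performance_config.max_iops, null) == null ? [] : [var.performance_config]`, makes the block disappear in both cases. If a later extension adds other performance modes to the object, the guard should test for any populated attribute instead.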

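--- a/iac/provider-gcp/persistent-volume-types/variables.tf
+++ b/iac/provider-gcp/persistent-volume-types/variables.tf
@@ -37,3 +37,10 @@ variable "capacity_gb" {
 variable "network_name" {
 type = string
 }
+
+variable "performance_config" {
+type = object({
+max_iops = optional(number)
+})
+default = null
+}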

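--- a/iac/provider-gcp/persistent-volumes.tf
+++ b/iac/provider-gcp/persistent-volumes.tf
@@ -3,12 +3,13 @@ module "persistent-volume-types" {
 
 for_each = var.persistent_volume_types
 
-allow_deletion = each.value.allow_deletion
-capacity_gb = each.value.capacity_gb
-key = each.key
-location = each.value.location
-network_name = var.network_name
-nfs_version = each.value.nfs_version
-prefix = var.prefix
-tier = each.value.tier
+allow_deletion = each.value.allow_deletion
+capacity_gb = each.value.capacity_gb
+key = each.key
+location = each.value.location
+network_name = var.network_name
+nfs_version = each.value.nfs_version
+prefix = var.prefix
+tier = each.value.tier
+performance_config = each.value.performance_config
 }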
