| # This is the environment that the untrusted playground programs run within |
| # under gvisor. |
| |
| ############################################################################ |
| # Import the sandbox server's container (which is assumed to be |
| # already built, as enforced by the Makefile), just so we can copy its |
| # binary out of it. The same binary is used as both as the server and the |
| # gvisor-contained helper. |
| FROM golang/playground-sandbox AS server |
| |
| ############################################################################ |
| # Temporary nacl compatibility for development & incremental |
| # deployment purposes, so we can run the new server architecture in |
| # nacl mode for a bit, then opt-in linux/amd64 gvisor mode, and |
| # then once Go 1.14 is out for real we remove the nacl option and |
| # delete all the nacl code. |
| FROM debian:buster AS nacl |
| RUN apt-get update && apt-get install -y --no-install-recommends curl bzip2 ca-certificates |
| RUN curl -s https://storage.googleapis.com/nativeclient-mirror/nacl/nacl_sdk/trunk.544461/naclsdk_linux.tar.bz2 | tar -xj -C /tmp --strip-components=2 pepper_67/tools/sel_ldr_x86_64 |
| |
| |
| ############################################################################ |
| # This is the actual environment things run in: a minimal busybox with glibc |
| # binaries so we can use cgo. |
| FROM busybox:glibc |
| |
| COPY --from=server /usr/local/bin/play-sandbox /usr/local/bin/play-sandbox |
| |
| # And this, temporarily, for being able to test the old nacl binaries |
| # with the new sandbox: |
| COPY --from=nacl /tmp/sel_ldr_x86_64 /usr/local/bin |
| |
| ENTRYPOINT ["/usr/local/bin/play-sandbox"] |