back off from making gvisor sandboxing default in docker image (#178)

It looks like making gvisor sandboxing the default in our docker image is causing people trouble, so this backs off from that change. We retain gvisor's runsc executable in the image so that turning on sandboxing is just an environment variable setting away. Lack of sandboxing is not good for users opening untrusted documents, so it would be good to be aggressive about turning it on, or communicating about it, so there's follow-up work needed. In the meantime I've updated the documentation about it somewhat. See https://github.com/gristlabs/grist-core/issues/177
2026-03-02 04:09:24 +00:00 · 2022-04-06 15:52:24 -04:00
parent 22807fce8e
commit a14eb92656
2 changed files with 32 additions and 2 deletions
--- a/10
+++ b/10
@@ -94,6 +94,14 @@ ADD plugins plugins
 # started as:
 #   docker run -p 8484:8484 -it <image>
 # Variables will need to be overridden for other setups.
+#
+# GRIST_SANDBOX_FLAVOR is set to unsandboxed by default, because it
+# appears that the services people use to run docker containers have
+# a wide variety of security settings and the functionality needed for
+# sandboxing may not be possible in every case. For default docker
+# settings, you can get sandboxing as follows:
+#   docker run --env GRIST_SANDBOX_FLAVOR=gvisor -p 8484:8484 -it <image>
+#
 ENV \
  PYTHON_VERSION_ON_CREATION=3 \
  GRIST_ORG_IN_PATH=true \
@@ -104,7 +112,7 @@ ENV \
  GRIST_INST_DIR=/persist \
  GRIST_SESSION_COOKIE=grist_core \
  GVISOR_FLAGS="-unprivileged -ignore-cgroups" \
-  GRIST_SANDBOX_FLAVOR=gvisor \
+  GRIST_SANDBOX_FLAVOR=unsandboxed \
  TYPEORM_DATABASE=/persist/home.sqlite3

 EXPOSE 8484