back off from making gvisor sandboxing default in docker image (#178)

It looks like making gvisor sandboxing the default in our docker image is causing people trouble, so this backs off from that change. We retain gvisor's runsc executable in the image so that turning on sandboxing is just an environment variable setting away.

Lack of sandboxing is not good for users opening untrusted documents, so it would be good to be aggressive about turning it on, or communicating about it, so there's follow-up work needed. In the meantime I've updated the documentation about it somewhat.

See https://github.com/gristlabs/grist-core/issues/177
This commit is contained in:
Paul Fitzpatrick 2022-04-06 15:52:24 -04:00 committed by GitHub
parent 22807fce8e
commit a14eb92656
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 2 deletions

View File

@ -94,6 +94,14 @@ ADD plugins plugins
# started as: # started as:
# docker run -p 8484:8484 -it <image> # docker run -p 8484:8484 -it <image>
# Variables will need to be overridden for other setups. # Variables will need to be overridden for other setups.
#
# GRIST_SANDBOX_FLAVOR is set to unsandboxed by default, because it
# appears that the services people use to run docker containers have
# a wide variety of security settings and the functionality needed for
# sandboxing may not be possible in every case. For default docker
# settings, you can get sandboxing as follows:
# docker run --env GRIST_SANDBOX_FLAVOR=gvisor -p 8484:8484 -it <image>
#
ENV \ ENV \
PYTHON_VERSION_ON_CREATION=3 \ PYTHON_VERSION_ON_CREATION=3 \
GRIST_ORG_IN_PATH=true \ GRIST_ORG_IN_PATH=true \
@ -104,7 +112,7 @@ ENV \
GRIST_INST_DIR=/persist \ GRIST_INST_DIR=/persist \
GRIST_SESSION_COOKIE=grist_core \ GRIST_SESSION_COOKIE=grist_core \
GVISOR_FLAGS="-unprivileged -ignore-cgroups" \ GVISOR_FLAGS="-unprivileged -ignore-cgroups" \
GRIST_SANDBOX_FLAVOR=gvisor \ GRIST_SANDBOX_FLAVOR=unsandboxed \
TYPEORM_DATABASE=/persist/home.sqlite3 TYPEORM_DATABASE=/persist/home.sqlite3
EXPOSE 8484 EXPOSE 8484

View File

@ -50,6 +50,11 @@ Here are some specific feature highlights of Grist:
- Control access based on cell values and user attributes. - Control access based on cell values and user attributes.
* Can be self-maintained. * Can be self-maintained.
- Useful for intranet operation and specific compliance requirements. - Useful for intranet operation and specific compliance requirements.
* Sandboxing options for untrusted documents.
- On Linux or with docker, you can enable
[gVisor](https://github.com/google/gvisor) sandboxing at the individual
document level.
- On OSX, you can use native sandboxing.
If you are curious about where Grist is going heading, If you are curious about where Grist is going heading,
see [our roadmap](https://github.com/gristlabs/grist-core/projects/1), drop a see [our roadmap](https://github.com/gristlabs/grist-core/projects/1), drop a
@ -62,7 +67,7 @@ There are docker images set up for individual use, or (with some
configuration) for self-hosting. Grist Labs offers a hosted service configuration) for self-hosting. Grist Labs offers a hosted service
at [docs.getgrist.com](https://docs.getgrist.com). at [docs.getgrist.com](https://docs.getgrist.com).
To run Grist running on your computer with [Docker](https://www.docker.com/get-started), do: To get Grist running on your computer with [Docker](https://www.docker.com/get-started), do:
```sh ```sh
docker pull gristlabs/grist docker pull gristlabs/grist
@ -88,6 +93,10 @@ port mapping:
docker run --env PORT=9999 -p 9999:9999 -v $PWD/persist:/persist -it gristlabs/grist docker run --env PORT=9999 -p 9999:9999 -v $PWD/persist:/persist -it gristlabs/grist
``` ```
To enable gVisor sandboxing, set `--env GRIST_SANDBOX_FLAVOR=gvisor`.
This should work with default docker settings, but may not work in all
environments.
## Building from source ## Building from source
To build Grist from source, follow these steps: To build Grist from source, follow these steps:
@ -98,6 +107,19 @@ To build Grist from source, follow these steps:
yarn start yarn start
# Grist will be available at http://localhost:8484/ # Grist will be available at http://localhost:8484/
Grist formulas in documents will be run using Python executed directly on your
machine. You can configure sandboxing using a `GRIST_SANDBOX_FLAVOR`
environment variable.
* On OSX, `export GRIST_SANDBOX_FLAVOR=macSandboxExec`
uses the native `sandbox-exec` command for sandboxing.
* On Linux with [gVisor's runsc](https://github.com/google/gvisor)
installed, `export GRIST_SANDBOX_FLAVOR=gvisor` is an option.
These sandboxing methods have been written for our own use at Grist Labs and
may need tweaking to work in your own environment - pull requests
very welcome here!
## Logins ## Logins
Like git, Grist has features to track document revision history. So for full operation, Like git, Grist has features to track document revision history. So for full operation,