Commit Graph

11 Commits

Author SHA1 Message Date
Paul Fitzpatrick
a14eb92656
back off from making gvisor sandboxing default in docker image (#178)
It looks like making gvisor sandboxing the default in our docker image is causing people trouble, so this backs off from that change. We retain gvisor's runsc executable in the image so that turning on sandboxing is just an environment variable setting away.

Lack of sandboxing is not good for users opening untrusted documents, so it would be good to be aggressive about turning it on, or communicating about it, so there's follow-up work needed. In the meantime I've updated the documentation about it somewhat.

See https://github.com/gristlabs/grist-core/issues/177
2022-04-06 15:52:24 -04:00
George Gevoian
3482cd1045 Add support for arm64 Docker builds 2022-04-03 16:50:23 -07:00
Paul Fitzpatrick
134ae99e9a (core) add gvisor-based sandboxing to core
Summary:
This adds support for gvisor sandboxing in core. When Grist is run outside of a container, regular gvisor can be used (if on linux), and will run in rootless mode. When Grist is run inside a container, docker's default policy is insufficient for running gvisor, so a fork of gvisor is used that has less defence-in-depth but can run without privileges.

Sandboxing is automatically turned on in the Grist core container. It is not turned on automatically when built from source, since it is operating-system dependent.

This diff may break a complex method of testing Grist with gvisor on macs that I may have been the only person using. If anyone complains I'll find time on a mac to fix it :)

This diff includes a small "easter egg" to force document loads, primarily intended for developer use.

Test Plan: existing tests pass; checked that core and saas docker builds function

Reviewers: alexmojaki

Reviewed By: alexmojaki

Subscribers: alexmojaki

Differential Revision: https://phab.getgrist.com/D3333
2022-03-24 17:04:49 -04:00
Paul Fitzpatrick
4976dc2ace (core) persist logins across docker restarts by default
Summary:
Unless redis is configured, Grist will store information in a
grist-sessions.db file. For grist-core run using docker, this
file is not by default in the directory the documentation suggests
the user persist, and so is lost when Grist is updated. This
is an unexpected annoyance for users, and the configuration fix
is awkward to explain, so this diff changes the default.

Test Plan:
rebuilt image manually and verified it operated as
expected

Reviewers: georgegevoian

Differential Revision: https://phab.getgrist.com/D3217
2022-01-18 10:13:23 -05:00
Paul Fitzpatrick
5cdc7b2ea4 (core) freshen core README; support python3 in grist-core docker image
Summary:
This updates the grist-core README to list specific features of Grist,
to make it easier for a casual visitor to get a sense of its scope. Adds links
to some new resources (reviews, templates, grist v airtable post) that could
also help. Adds python3 to docker image so that templates work without fuss.

Test Plan: existing tests should pass

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: dsagal, anaisconce

Differential Revision: https://phab.getgrist.com/D3204
2022-01-08 18:27:20 -05:00
Paul Fitzpatrick
d99db8d016 (core) move more tests to grist-core
Summary:
 * Tie build and run-time docker base images to a consistent version (buster)
 * Extend the test login system activated by GRIST_TEST_LOGIN to ease porting tests that currently rely on cognito (many)
 * Make org resets work in absence of billing endpoints
 * When in-memory session caches are used, add missing invalidation steps
 * Pass org information through sign-ups/sign-ins more carefully
 * For CORS, explicitly trust GRIST_HOST origin when set
 * Move some fixtures and tests to core, focussing on tests that cover existing failures or are in the set of tests run on deployments
 * Retain regular `test` target to run the test suite directly, without docker
 * Add a `test:smoke` target to run a single simple test without `GRIST_TEST_LOGIN` activated
 * Add a `test:docker` target to run the tests against a grist-core docker image - since tests rely on certain fixture teams/docs, added `TEST_SUPPORT_API_KEY` and `TEST_ADD_SAMPLES` flags to ease porting

The tests ported were `nbrowser` tests: `ActionLog.ts` (the first test I tend to port to anything, out of habit), `Fork.ts` (exercises a lot of doc creation paths), `HomeIntro.ts` (a lot of DocMenu exercise), and `DuplicateDocument.ts` (covers a feature known to be failing prior to this diff, the CORS tweak resolves it).

Test Plan: Manually tested via `buildtools/build_core.sh`. In follow up, I want to add running the `test:docker` target in grist-core's workflows. In jenkins, only the smoke test is run. There'd be an argument for running all tests, but they include particularly slow tests, and are duplicates of tests already run (in different configuration admittedly), so I'd like to try first just using them in grist-core to gate updates to any packaged version of Grist (the docker image currently).

Reviewers: alexmojaki

Reviewed By: alexmojaki

Subscribers: alexmojaki

Differential Revision: https://phab.getgrist.com/D3176
2021-12-10 18:33:07 -05:00
Paul Fitzpatrick
3a52755d94 (core) fix some rusting of the grist-core build
Summary:
 * Base docker image no longer contained a `python` binary.
   Made a small fix for this, with proper python3 packaging
   in the works separately.
 * Added missing plugins directory for importing csv+xlsx.
 * Tweaked environment variables to avoid needing to hard-code
   addresses, which was burdensome for single-server hosts.

Test Plan:
Tested manually. It would be good to move over some
fraction of our tests to catch packaging glitches, or to run
our standard deployment tests on a deployment derived from
grist-core.

Reviewers: jarek

Reviewed By: jarek

Subscribers: jarek

Differential Revision: https://phab.getgrist.com/D3159
2021-11-30 12:01:41 -05:00
Paul Fitzpatrick
37521a3612 (core) switch grist-core docker image to use node v14
Summary: As practice for upgrading node in regular grist images, this upgrades the grist-core image to v14.

Test Plan: manual

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2807
2021-05-10 15:23:45 -04:00
Paul Fitzpatrick
9f234b758d (core) freshen grist-core build
Summary:
 * adds a smoke test to grist-core
 * fixes a problem with highlight.js failing to load correctly
 * skips survey for default user
 * freshens docker build

Utility files in test/nbrowser are moved to core/test/nbrowser, so that gristUtils are available there. This increased the apparent size of the diff as "./" import paths needed replacing with "test/nbrowser/" paths. The utility files are untouched, except for the code to start a server - it now has a small grist-core specific conditional in it.

Test Plan: adds test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2768
2021-04-03 09:41:06 -04:00
Paul Fitzpatrick
9287439e5a (core) give instructions on using Grist with docker
Summary: cleans up docker build and instructions.

Test Plan: docker image and instructions tested manually

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2648
2020-10-28 13:59:13 -04:00
Paul Fitzpatrick
4d3777578e (core) add Dockerfile for grist-core
Summary:
This adds a two-stage Dockerfile for grist-core. The first stage builds
Grist, and the second collects all files needed to run Grist.

The resulting image is about 600 MB which is quite a bit bigger
than it needs to be, but seems fine for now when the first goal is
to establish that people can open and edit Grist files on their
own infrastructure.

The image uses stock python rather than our sandboxed python for now.

Test Plan: manual

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2637
2020-10-12 15:45:22 -04:00