/rserve-sandbox

Docker spec for running Rserve in a sandbox

Primary LanguageDockerfile

R Rserve docker image for safe execution

This directory builds a docker image that safely executes Rserve. Rserve connections use a Unix domain socket, such that that container can be started with the --net=none to deny it any access to a network. The socket is created in the volume /rserve and names socket. There are two ways to make the socket available:

  1. Start using --name=rserve. This makes the socket available from embedded volume. Other docket container can use --with-volumes-from rserve to get access to the Rserve socket.
```
docker run --net=none --name=rserve rserve
```
  1. Create a directory that is owned by a non-priviledged user/group and has its permissions set to provide access to the selected users. For example:
```
useradd -U --create-home --home=/home/rserve rserve
chmod 770 /home/rserve
```

Now, the image can be started using the command below, creating /home/rserve/socket. Note that the R server runs with the UID/GID of the mounted directory.

```
docker run --net=none -v /home/rserve:/rserve rserve
```

Safety

To protect the container, we

  • Run the container using --net=none to disable networking inside the container
  • Run Rserve as a non-priveleged user
  • Disable all executables using chmod 0, except for those needed to run R.

Installation

  • make image

    • Creates the docker image
  • make run

    • Starts the Rserve container. This creates a Unix domain socket /home/rserve/socket that allows for contacting the R server.

Customization

  • The entry point Rserve.sh accepts options to limit resources. Use the command below for details

    docker run rserve --help
    
  • Please edit Dockerfile to add additional R packages.