@nginx-gists
Created August 11, 2020 01:17
Application Isolation with NGINX Unit
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"

	"unit.nginx.org/go"
)
// NS holds, per namespace kind, the inode number that identifies the
// namespace this process belongs to (read from /proc/self/ns/<kind>).
// Two processes share a namespace exactly when the corresponding inode
// numbers are equal; 0 means the value could not be determined.
//
// Field order is the order the fields appear in the JSON response.
type NS struct {
	USER   uint64 // /proc/self/ns/user
	PID    uint64 // /proc/self/ns/pid
	IPC    uint64 // /proc/self/ns/ipc
	CGROUP uint64 // /proc/self/ns/cgroup
	UTS    uint64 // /proc/self/ns/uts
	MNT    uint64 // /proc/self/ns/mnt
	NET    uint64 // /proc/self/ns/net
}

// Output is the JSON document the handler returns: the process identity as
// the process itself sees it, its namespace inodes, and whether the path
// given in the optional "file" parameter is visible to it.
//
// The fields carry no json tags, so the keys are the Go field names.
type Output struct {
	PID        int  // os.Getpid()
	UID        int  // os.Getuid()
	GID        int  // os.Getgid()
	NS         NS   // namespace inodes, see NS
	FileExists bool // false unless a "file" parameter was given and os.Stat on it succeeded
}
// abortonerr is a no-op for a nil error and panics with err otherwise.
// It is the gist's "this must not fail" shortcut: a panic here escapes the
// calling code entirely, so reserve it for conditions that mean the
// environment is broken, never for errors caused by request input.
func abortonerr(err error) {
	if err == nil {
		return
	}
	panic(err)
}
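// getns returns the inode number identifying the namespace of kind nstype
// ("pid", "user", "mnt", "ipc", "uts", "net", "cgroup") that the current
// process belongs to.
//
// It reads the symlink /proc/self/ns/<nstype>, whose target has the form
// "<nstype>:[<inode>]", for example "pid:[4026531835]". Two processes are in
// the same namespace exactly when these numbers match, which is what lets
// the handler's output show which namespaces NGINX Unit separated.
//
// Returns 0 when the link cannot be read (non-Linux host, /proc not mounted,
// unknown nstype) and also when the target is not in the expected form.
// The original slice-and-parse had no bounds check and panicked (killing
// the request, or the whole worker) on a short or unexpected target; an
// unreadable value now degrades to the same "unknown" sentinel as a
// missing one.
func getns(nstype string) uint64 {
	link, err := os.Readlink(fmt.Sprintf("/proc/self/ns/%s", nstype))
	if err != nil {
		return 0
	}

	// Validate the "<nstype>:[...]" frame before slicing into it.
	prefix := nstype + ":["
	if !strings.HasPrefix(link, prefix) || !strings.HasSuffix(link, "]") {
		return 0
	}
	// Safe: HasPrefix guarantees len(link) >= len(prefix), and the prefix
	// ends in '[' so the closing ']' cannot be inside it.
	digits := link[len(prefix) : len(link)-1]

	inode, err := strconv.ParseUint(digits, 10, 64)
	if err != nil {
		return 0
	}
	return inode
}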
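// handler answers every request with a JSON snapshot of the process as it
// sees itself from inside whatever isolation NGINX Unit applied: PID, UID,
// GID, and the inode of each namespace it belongs to (see getns). Comparing
// this output with the same values from the host, or from an app configured
// without "isolation", shows which namespaces were actually separated.
// NOTE(review): with a "credential" namespace and a uidmap in the Unit
// config, UID/GID here should be the in-namespace ids rather than the host
// ones — confirm against the config in use.
//
// Query/form parameter:
//
//	file - optional path. When present, FileExists reports whether os.Stat
//	       on it succeeds from the app's point of view (inside its mount
//	       namespace, if any). Any stat error, including permission denied,
//	       is reported as false.
//
// SECURITY NOTE: the path is taken verbatim from the request, so this is a
// file-existence oracle for everything the app can see. That is the point
// of the demo (it shows what a mount namespace hides) but it must stay in
// a lab: do not reuse this handler in a real service without restricting
// the paths it will stat.
//
// Responses: 200 with Content-Type application/json on success; 500 with an
// empty body when the form cannot be parsed or the snapshot cannot be
// marshaled (a 400 would be more precise for the former, but the original
// contract is kept).
func handler(w http.ResponseWriter, r *http.Request) {
	// Parse the query/body before doing any work on the request.
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	out := Output{
		PID: os.Getpid(),
		UID: os.Getuid(),
		GID: os.Getgid(),
		NS: NS{
			USER:   getns("user"),
			PID:    getns("pid"),
			IPC:    getns("ipc"),
			CGROUP: getns("cgroup"),
			UTS:    getns("uts"),
			MNT:    getns("mnt"),
			NET:    getns("net"),
		},
	}

	if fname := r.Form.Get("file"); fname != "" {
		// Untrusted path, stat'ed on purpose — see the security note above.
		_, err := os.Stat(fname)
		out.FileExists = err == nil
	}

	// Marshal before touching the response so a failure can still become a
	// clean 500 rather than a truncated 200.
	data, err := json.Marshal(out)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	// Once the body is being written there is nothing useful to do about a
	// write error (the client has gone away), so it is deliberately dropped.
	_, _ = w.Write(data)
}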
// main registers handler for every path and hands the process over to
// NGINX Unit via the unit.nginx.org/go package.
// NOTE(review): the Unit configs that accompany this program listen on
// *:8080, so the ":7080" here appears to matter only when the binary is
// run standalone; ListenAndServe's result is also dropped, so a failure to
// start would be silent — confirm both against the unit-go package docs.
func main() {
	http.Handle("/", http.HandlerFunc(handler))
	unit.ListenAndServe(":7080", nil)
}
{
"listeners": {
"*:8080": {
"pass": "applications/go-app"
}
},
"applications": {
"go-app": {
"type": "external",
"executable": "/tmp/go-app"
}
}
}
{
"listeners": {
"*:8080": {
"pass": "applications/go-app"
}
},
"applications": {
"go-app": {
"type": "external",
"user": "root",
"executable": "/tmp/go-app",
"isolation": {
"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": true,
"pid": true,
"uname": true
},
"uidmap": [
{
"host": 1000,
"container": 0,
"size": 1000
}
],
"gidmap": [
{
"host": 1000,
"container": 0,
"size": 1000
}
]
}
}
}
}
{
"applications": {
"isolation_app": {
"type": "external",
"executable": "/bin/app",
"isolation": {
"namespaces": {
"credential": true
},
"uidmap": [
{
"container": 0,
"host": 500,
"size": 10
}
],
"gidmap": [
{
"container": 0,
"host": 1000,
"size": 20
}
]
}
}
}
}
{
"applications": {
"isolation_app": {
"type": "external",
"executable": "/tmp/go-app",
"isolation": {
"namespaces": {
"credential": true,
"mount": "true"
}
}
}
}
}

For a discussion of these files, see Application Isolation with NGINX Unit
