Created
August 11, 2020 01:17
-
-
Save nginx-gists/f0bc6ce9d9ce067e96dda5fb763aa7c5 to your computer and use it in GitHub Desktop.
Application Isolation with NGINX Unit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"encoding/json" | |
"fmt" | |
"net/http" | |
"unit.nginx.org/go" | |
"os" | |
"strconv" | |
) | |
type ( | |
NS struct { | |
USER uint64 | |
PID uint64 | |
IPC uint64 | |
CGROUP uint64 | |
UTS uint64 | |
MNT uint64 | |
NET uint64 | |
} | |
Output struct { | |
PID int | |
UID int | |
GID int | |
NS NS | |
FileExists bool | |
} | |
) | |
func abortonerr(err error) { | |
if err != nil { | |
panic(err) | |
} | |
} | |
// returns: [nstype]:[4026531835] | |
func getns(nstype string) uint64 { | |
str, err := os.Readlink(fmt.Sprintf("/proc/self/ns/%s", nstype)) | |
if err != nil { | |
return 0 | |
} | |
str = str[len(nstype)+2:] | |
str = str[:len(str)-1] | |
val, err := strconv.ParseUint(str, 10, 64) | |
abortonerr(err) | |
return val | |
} | |
func handler(w http.ResponseWriter, r *http.Request) { | |
pid := os.Getpid() | |
out := &Output{ | |
PID: pid, | |
UID: os.Getuid(), | |
GID: os.Getgid(), | |
NS: NS{ | |
PID: getns("pid"), | |
USER: getns("user"), | |
MNT: getns("mnt"), | |
IPC: getns("ipc"), | |
UTS: getns("uts"), | |
NET: getns("net"), | |
CGROUP: getns("cgroup"), | |
}, | |
} | |
err := r.ParseForm() | |
if err != nil { | |
w.WriteHeader(http.StatusInternalServerError) | |
return | |
} | |
if fname := r.Form.Get("file"); fname != "" { | |
_, err = os.Stat(fname); | |
out.FileExists = err == nil | |
} | |
data, err := json.Marshal(out) | |
if err != nil { | |
w.WriteHeader(http.StatusInternalServerError) | |
return | |
} | |
w.Header().Add("Content-Type", "application/json") | |
w.Write(data) | |
} | |
func main() { | |
http.HandleFunc("/", handler) | |
unit.ListenAndServe(":7080", nil) | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"listeners": { | |
"*:8080": { | |
"pass": "applications/go-app" | |
} | |
}, | |
"applications": { | |
"go-app": { | |
"type": "external", | |
"executable": "/tmp/go-app" | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"listeners": { | |
"*:8080": { | |
"pass": "applications/go-app" | |
} | |
}, | |
"applications": { | |
"go-app": { | |
"type": "external", | |
"user": "root", | |
"executable": "/tmp/go-app", | |
"isolation": { | |
"namespaces": { | |
"cgroup": true, | |
"credential": true, | |
"mount": true, | |
"network": true, | |
"pid": true, | |
"uname": true | |
}, | |
"uidmap": [ | |
{ | |
"host": 1000, | |
"container": 0, | |
"size": 1000 | |
} | |
], | |
"gidmap": [ | |
{ | |
"host": 1000, | |
"container": 0, | |
"size": 1000 | |
} | |
] | |
} | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"applications": { | |
"isolation_app": { | |
"type": "external", | |
"executable": "/bin/app", | |
"isolation": { | |
"namespaces": { | |
"credential": true | |
}, | |
"uidmap": [ | |
{ | |
"container": 0, | |
"host": 500, | |
"size": 10 | |
} | |
], | |
"gidmap": [ | |
{ | |
"container": 0, | |
"host": 1000, | |
"size": 20 | |
} | |
] | |
} | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"applications": { | |
"isolation_app": { | |
"type": "external", | |
"executable": "/tmp/go-app", | |
"isolation": { | |
"namespaces": { | |
"credential": true, | |
"mount": "true" | |
} | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For a discussion of these files, see Application Isolation with NGINX Unit