Skip to content

Instantly share code, notes, and snippets.

@t-tera
Last active Aug 10, 2018
Embed
What would you like to do?
Imagic
#!/bin/sh
# Dummy identify, mogrify (bash script)
# ・Limit number of IM processes by file lock
# ・Limit IM's memory and CPU usage by nested cgroup
echo 0 > /proc/self/oom_score_adj
readonly MAX_PROC=3
readonly MAX_MEM="256M"
readonly MAX_CPU="100000"
readonly GNAME="imagic_grp/tmp_$$.$RANDOM"
readonly IM_CMD="/usr/bin/${0##*/}"
for ((i=0; i<$MAX_PROC; i++)); do
exec 9> "tmp/.imagic_lock${i}"
flock -n 9
if [ $? = 0 ]; then
cgcreate -g "memory,cpu:$GNAME"
echo 1 > "/sys/fs/cgroup/cpu/$GNAME/notify_on_release"
echo 1 > "/sys/fs/cgroup/memory/$GNAME/notify_on_release"
cgset -r "memory.limit_in_bytes=$MAX_MEM" -r memory.swappiness=0 "$GNAME"
cgset -r "cpu.cfs_quota_us=$MAX_CPU" -r cpu.cfs_period_us=100000 "$GNAME"
exec cgexec -g "memory,cpu:$GNAME" -- "$IM_CMD" "$@"
else
echo "lockfailed ${i}" >&2
fi
done
exit 1
name: "imagemagick-identify_2.3"
description: "Imagic identify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-identify-cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
mode: ONCE
hostname: "IM-IDENTIFY"
time_limit: 10
#time_limit: 180
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# Memory (MB)
rlimit_as: 384
# CPU time (sec?)
rlimit_cpu: 1000
# Size of output file (MB, applied only to mogrify)
rlimit_fsize: 30
# Not effective because I have "on-memory" IM policy
rlimit_nofile: 64
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
mount {
src: "/var/www/rails_projects/first_books_app/tmp"
dst: "/var/www/rails_projects/first_books_app/tmp"
is_bind: true
}
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
is_bind: true
}
seccomp_string: "POLICY imagemagick_identify {"
seccomp_string: " ALLOW {"
seccomp_string: " open, openat, read, write, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, access, getpid,"
seccomp_string: " execveat, getdents, getcwd, readlink, getrlimit,"
seccomp_string: " sysinfo, times, arch_prctl, sched_getaffinity,"
seccomp_string: " set_tid_address, set_robust_list, exit_group,"
seccomp_string: " futex, pwrite64, unlink, getrusage, fchmod,"
seccomp_string: " clock_gettime, symlink, clone, wait4, mremap,"
seccomp_string: " prlimit64, madvise, gettid, pread64"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_identify DEFAULT KILL"
exec_bin {
path: "/usr/bin/identify"
exec_fd: true
}
name: "imagemagick-mogrify_2.3"
description: "Imagic mogrify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-convert-cfg and https://github.com/google/nsjail/blob/2.3/configs/imagemagick-convert.cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
mode: ONCE
hostname: "IM-MOGRIFY"
time_limit: 10
#time_limit: 180
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# See identify cfg for explanation
rlimit_as: 384
rlimit_cpu: 1000
rlimit_fsize: 30
rlimit_nofile: 64
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
rw: true
is_bind: true
}
seccomp_string: "POLICY imagemagick_mogrify {"
seccomp_string: " ALLOW {"
seccomp_string: " rename, read, write, open, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
seccomp_string: " clone, getcwd, pread64, readlink"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_mogrify DEFAULT KILL"
exec_bin {
path: "/usr/bin/mogrify"
exec_fd: true
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment