Imagic
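#!/bin/bash
# Dummy identify, mogrify (bash script).
# Installed under the same basename as the real ImageMagick binary, so callers
# transparently get the resource-limited version.
# - Limit number of concurrent IM processes by file lock (one lock file per slot)
# - Limit IM's memory and CPU usage by a nested, per-invocation cgroup
#
# Requires bash (the C-style for loop below is not POSIX sh, so the original
# "#!/bin/sh" shebang was wrong) and cgroup-tools (cgcreate/cgset/cgexec).
# Exits 1 if no slot is free or the cgroup cannot be set up; callers must treat
# a non-zero exit as "image not processed".

# Reset any inherited OOM score adjustment so the IM child is a normal OOM
# target. The write may fail without privileges; processing continues anyway.
echo 0 > /proc/self/oom_score_adj

readonly MAX_PROC=3          # number of lock slots == max concurrent IM processes
readonly MAX_MEM="256M"      # memory.limit_in_bytes for the IM cgroup
readonly MAX_CPU="100000"    # cpu.cfs_quota_us; with a 100000us period this is one full CPU
# Per-invocation cgroup name; notify_on_release lets the kernel drop it once empty.
readonly GNAME="imagic_grp/tmp_$$.$RANDOM"
# The real binary shares this wrapper's basename (identify or mogrify).
readonly IM_CMD="/usr/bin/${0##*/}"

for ((i=0; i<MAX_PROC; i++)); do
  # Lock path is relative to the caller's cwd. fd 9 is inherited across the
  # exec below, so the slot stays held for as long as the IM process lives.
  exec 9> "tmp/.imagic_lock${i}"
  if flock -n 9; then
    # Fail closed: never run IM without its limits if cgroup setup fails.
    cgcreate -g "memory,cpu:$GNAME" || { echo "cgcreate failed" >&2; exit 1; }
    echo 1 > "/sys/fs/cgroup/cpu/$GNAME/notify_on_release"
    echo 1 > "/sys/fs/cgroup/memory/$GNAME/notify_on_release"
    cgset -r "memory.limit_in_bytes=$MAX_MEM" -r memory.swappiness=0 "$GNAME" \
      || { echo "cgset memory failed" >&2; exit 1; }
    cgset -r "cpu.cfs_quota_us=$MAX_CPU" -r cpu.cfs_period_us=100000 "$GNAME" \
      || { echo "cgset cpu failed" >&2; exit 1; }
    # "--" stops cgexec from interpreting user-supplied arguments as its own options.
    exec cgexec -g "memory,cpu:$GNAME" -- "$IM_CMD" "$@"
  else
    echo "lockfailed ${i}" >&2
  fi
done
# Every slot was busy.
exit 1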
# nsjail 2.3 configuration for the ImageMagick "identify" wrapper.
# identify only reads an image and prints metadata, so the jail is read-only
# apart from the scratch directories noted below.
name: "imagemagick-identify_2.3"
description: "Imagic identify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-identify-cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
# ONCE: execute the command a single time and exit (no listening/server mode).
mode: ONCE
hostname: "IM-IDENTIFY"
# Wall-clock limit in seconds; the jailed process is killed when it expires.
time_limit: 10
#time_limit: 180
# Only these variables are visible inside the jail (nsjail does not pass the
# caller's environment through unless keep_env is set).
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# Memory (MB): address-space cap; complements the cgroup set up by the wrapper script
rlimit_as: 384
# CPU time (seconds)
rlimit_cpu: 1000
# Size of output file (MB); only matters for mogrify, since identify writes no image
rlimit_fsize: 30
# Not effective because I have "on-memory" IM policy
rlimit_nofile: 64
# cgroup memory limiting is done by the wrapper script's nested cgroup instead.
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
# Read-only bind mounts of the shared libraries identify needs.
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
# Optional: the jail still starts on hosts without /lib64.
mandatory: false
}
# Writable scratch directory.
# NOTE(review): identify should not need write access anywhere; confirm whether
# rw can be dropped here.
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
# ImageMagick configuration (policy.xml etc.); optional so a missing directory
# does not prevent the jail from starting.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
# Input images from the Rails app's tmp directory, read-only.
mount {
src: "/var/www/rails_projects/first_books_app/tmp"
dst: "/var/www/rails_projects/first_books_app/tmp"
is_bind: true
}
# Same path as TMP above, but mounted without rw here, so IM cannot actually
# write temporary files into it from this jail -- presumably intended for
# identify; verify against the mogrify config, which mounts it rw.
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
is_bind: true
}
# seccomp allow-list in kafel syntax. Any syscall not listed kills the process
# (DEFAULT KILL below), so additions should be justified by an observed failure.
seccomp_string: "POLICY imagemagick_identify {"
seccomp_string: " ALLOW {"
seccomp_string: " open, openat, read, write, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, access, getpid,"
# execveat is required because exec_fd: true below starts the binary from a
# file descriptor.
seccomp_string: " execveat, getdents, getcwd, readlink, getrlimit,"
seccomp_string: " sysinfo, times, arch_prctl, sched_getaffinity,"
seccomp_string: " set_tid_address, set_robust_list, exit_group,"
seccomp_string: " futex, pwrite64, unlink, getrusage, fchmod,"
# NOTE(review): symlink looks unnecessary for a read-only identify run; confirm
# and drop it if nothing breaks. clone is presumably for IM's worker threads.
seccomp_string: " clock_gettime, symlink, clone, wait4, mremap,"
seccomp_string: " prlimit64, madvise, gettid, pread64"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_identify DEFAULT KILL"
exec_bin {
path: "/usr/bin/identify"
# Open the binary before entering the jail and exec it via its fd.
exec_fd: true
}
# nsjail 2.3 configuration for the ImageMagick "mogrify" wrapper.
# mogrify rewrites the input image in place, so, unlike the identify jail,
# the scratch directories below must be writable.
name: "imagemagick-mogrify_2.3"
description: "Imagic mogrify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-convert-cfg and https://github.com/google/nsjail/blob/2.3/configs/imagemagick-convert.cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
# ONCE: execute the command a single time and exit (no listening/server mode).
mode: ONCE
hostname: "IM-MOGRIFY"
# Wall-clock limit in seconds; the jailed process is killed when it expires.
time_limit: 10
#time_limit: 180
# Only these variables are visible inside the jail (nsjail does not pass the
# caller's environment through unless keep_env is set).
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# See identify cfg for explanation (rlimit_as/rlimit_fsize in MB, rlimit_cpu in seconds).
# rlimit_fsize is the one that matters here: it bounds the size of the rewritten image.
rlimit_as: 384
rlimit_cpu: 1000
rlimit_fsize: 30
rlimit_nofile: 64
# cgroup memory limiting is done by the wrapper script's nested cgroup instead.
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
# Read-only bind mounts of the shared libraries mogrify needs.
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
# Optional: the jail still starts on hosts without /lib64.
mandatory: false
}
# Writable scratch directory.
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
# ImageMagick configuration (policy.xml etc.); optional so a missing directory
# does not prevent the jail from starting.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
# Writable: this is TMP inside the jail and where mogrify writes its output.
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
rw: true
is_bind: true
}
# seccomp allow-list in kafel syntax. Any syscall not listed kills the process
# (DEFAULT KILL below), so additions should be justified by an observed failure.
# rename/unlink/fchmod are presumably for IM's write-to-temp-then-rename
# in-place update -- TODO confirm.
seccomp_string: "POLICY imagemagick_mogrify {"
seccomp_string: " ALLOW {"
seccomp_string: " rename, read, write, open, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
# execveat is required because exec_fd: true below starts the binary from a
# file descriptor.
seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
# clone is presumably for IM's worker threads -- TODO confirm.
seccomp_string: " clone, getcwd, pread64, readlink"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_mogrify DEFAULT KILL"
exec_bin {
path: "/usr/bin/mogrify"
# Open the binary before entering the jail and exec it via its fd.
exec_fd: true
}