ZDDC
cef7188a77
The bwrap engine + OCI engine that lived in internal/convert/runner.go
both leak isolation policy into Go code. Replaced with a single image-
side wrapper that drop-in-shadows pandoc and chromium-browser on PATH.
zddc-server's only contract with the image is now "exec.Command(name,
args) gets you that tool's behavior" — sandboxing, resource caps, and
namespace setup live entirely in shell scripts shipped by the image.
Architecture:
- zddc/runtime/zddc-cgroup-init runs at container start. cgroup v2's
"no internal processes" constraint forbids a cgroup from having both
children and processes; the init script moves PID 1 into a child,
enables +memory +pids in subtree_control, then exec's zddc-server.
Best-effort: degrades cleanly to "no resource caps" if cgroupfs
isn't writable.
- zddc/runtime/zddc-sandbox-exec is the per-call wrapper, symlinked
from /usr/local/bin/{pandoc,chromium-browser}. Creates a transient
cgroup v2 (memory.max + pids.max), then bubblewrap-sandboxes the
real binary at /usr/bin/<name>: --unshare-all, --ro-bind /usr,
--proc /proc, --tmpfs /tmp, --clearenv. Caller's scratch dir comes
in via ZDDC_SCRATCH env and is bind-mounted at the SAME path so
absolute paths round-trip unchanged.
Go simplifications (~250 lines net deletion):
- Runner interface: Run(ctx, binary, stdin, scratchDir, cmd) — no
ToolSpec, no mount list, no engine concept. Single localRunner
implementation; bwrapRunner + containerRunner both deleted.
- health.Probe just looks up pandoc + chromium on PATH; Capabilities
drops engine kinds.
- Convert.go: ToHTML/ToPDF write to a per-call scratch dir under
TMPDIR and pass absolute paths; the wrapper bind-mounts the dir.
No more "/tpl" / "/pdf" mount-point indirection.
- Config drops --convert-pandoc-image, --convert-chromium-image,
--convert-engine, --convert-podman-socket (OCI engine gone) and
--convert-cpus (CPU caps don't apply in the new model — wall-clock
+ memory + pids is the cap set). Defaults raised to match the new
caps the user authorized: mem 512→1024 MiB, pids 100→256,
timeout 30→60 s.
Image:
- zddc/runtime.Containerfile builds the production runtime image
(alpine + bubblewrap + pandoc + chromium + font-noto). Two
COPY statements pull in the wrapper scripts; ln -s symlinks the
shadow names.
- bitnest dev image mirrors this layout under /var/lib/zddc-dev-build/.
Container privilege required:
- Nested bwrap needs the outer container to permit user + mount
namespace creation + MS_SLAVE on root. The default seccomp +
AppArmor profiles block all of these. Quadlet adds:
--cap-add=ALL
--security-opt=seccomp=unconfined
--security-opt=apparmor=unconfined
--security-opt=unmask=ALL
Helm chart sets the equivalent via securityContext (capabilities.
add: SYS_ADMIN, seccompProfile.type: Unconfined, appArmorProfile.
type: Unconfined). Trade-off documented in AGENTS.md: zddc-server
RCE now has near-root power within the container, but the bind-
mount layout still bounds blast radius; bwrap is the real boundary
between zddc-server and untrusted markdown.
Tests: convert_test.go fully rewritten for the new Runner signature.
Drops TestBwrapArgs_* (functionality moved out of Go) and
TestImageTag (no more image refs). All 15 Go test packages green.
Verified live on bitnest: pandoc --version round-trip exits 0
through the wrapper; MD→DOCX produces a valid Word 2007+ file
end-to-end.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
56 lines
2.4 KiB
Text
56 lines
2.4 KiB
Text
# Runtime image for zddc-server.
|
|
#
|
|
# Bundles the conversion toolchain (pandoc + chromium + bubblewrap)
|
|
# AND two wrapper scripts that shadow the real binaries on PATH.
|
|
# When zddc-server exec's "pandoc" or "chromium-browser", it hits
|
|
# /usr/local/bin/pandoc (a symlink to runtime/zddc-sandbox-exec),
|
|
# which:
|
|
#
|
|
# 1. creates a transient cgroup v2 with memory + pids caps,
|
|
# 2. drops the process into that cgroup,
|
|
# 3. wraps the real binary in a bubblewrap sandbox (private
|
|
# namespaces, read-only /usr, fresh tmpfs at /tmp, no network),
|
|
# 4. exec's /usr/bin/<name>.
|
|
#
|
|
# zddc-server's Go code is unaware of any of this — its only contract
|
|
# is "if I exec pandoc with these args, I get pandoc behavior." The
|
|
# isolation strategy lives entirely in the image; an operator who
|
|
# wants firejail / systemd-nspawn / podman-run instead just replaces
|
|
# the wrapper script and the binary code keeps working.
|
|
#
|
|
# Used by helm charts (helm/zddc-server-prod/) as the main-container
|
|
# image. The binary is built by the chart's init container from a
|
|
# pinned git ref and copied into a shared emptyDir; the chart's
|
|
# command is /usr/local/libexec/zddc-cgroup-init /zddc/zddc-server,
|
|
# so the cgroup v2 hierarchy is delegated before zddc-server starts
|
|
# (see runtime/zddc-cgroup-init for the "no internal processes"
|
|
# constraint that requires this indirection).
|
|
#
|
|
# Build:
|
|
# podman build -t zddc-server-runtime:latest \
|
|
# -f zddc/runtime.Containerfile zddc/
|
|
#
|
|
# Publish (example):
|
|
# podman tag zddc-server-runtime:latest \
|
|
# codeberg.org/varasys/zddc-server-runtime:vYYYYMMDD
|
|
# podman push codeberg.org/varasys/zddc-server-runtime:vYYYYMMDD
|
|
#
|
|
# Size: ≈ 1 GB unpacked (chromium dominates).
|
|
FROM docker.io/library/alpine:3
|
|
|
|
RUN apk add --no-cache \
|
|
bubblewrap \
|
|
pandoc-cli \
|
|
chromium \
|
|
font-noto \
|
|
ca-certificates
|
|
|
|
# Wrapper scripts. zddc-cgroup-init runs at container start to
|
|
# prepare cgroup v2 subtree_control delegation; zddc-sandbox-exec
|
|
# is invoked per-conversion via the symlinks below.
|
|
COPY runtime/zddc-cgroup-init /usr/local/libexec/zddc-cgroup-init
|
|
COPY runtime/zddc-sandbox-exec /usr/local/libexec/zddc-sandbox-exec
|
|
RUN chmod 0755 /usr/local/libexec/zddc-cgroup-init \
|
|
/usr/local/libexec/zddc-sandbox-exec \
|
|
&& ln -s /usr/local/libexec/zddc-sandbox-exec /usr/local/bin/pandoc \
|
|
&& ln -s /usr/local/libexec/zddc-sandbox-exec /usr/local/bin/chromium-browser
|