Execution Server Configuration (2.X)

Execution Server Configuration

The execution server configuration is set in the file "/etc/vpl/vpl-jail-system.conf". The configuration file can contain blank lines, comments (lines beginning with #) and parameters of the form "PARAMETER=VALUE" (no spaces allowed). The accepted parameters are:

JAILPATH: Specifies the directory where the jail runtime file system is located. Default: "/jail"

MIN_PRISONER_UGID: Sets the first valid UID/GID for use as a temporary user. Default: 10000

MAX_PRISONER_UGID: Sets the last valid UID/GID for use as a temporary user. Default: 20000

MAXTIME: Maximum execution time in seconds for any request. Default: 600

MAXFILESIZE: Maximum size in bytes of any new file. Default: 64,000,000.

MAXMEMORY: Maximum size in bytes of memory used by a task. Default: 2000000000.

MAXPROCESSES: Maximum number of processes to run simultaneously on a task. Default: 500

CONTROLPATH: Directory where the system stores information about requests in progress. Default: "/var/vpl-jail-system"

TASK_ONLY_FROM: IPs or networks (class A, B or C) from which execution requests are accepted. You can set multiple entries separated by spaces. If this parameter is not set, the server accepts requests from any machine that sends the correct URLPATH. Default: not set.

IP format: numeric notation. Example: 127.0.1.1

Network format: numeric dotted prefix ending with a period. Example: 10.1.

INTERFACE: Sets the server IP on which the service is provided. By default the service is served on all server IPs.

PORT: Sets the server port number for http and ws. Default: 80.

SECURE_PORT: Sets the server port number for https and wss. Default: 443.

URLPATH: The PATH expected in execution requests. It acts as a password: if the URL path in an execution request does not match, the request is rejected. Default: "/"

Since version 2.1

FIREWALL: The service configures the Linux firewall (iptables) when it is started or stopped. This parameter accepts numeric values from 0 to 4; the values represent the level of protection:
0: No firewall
1: Allow only incoming requests to the execution service; outgoing requests are unlimited.
2: Allow only incoming requests to the execution service; outgoing requests are limited to DNS and ports 80/443 (http); superuser requests are unlimited.
3: Allow only incoming requests to the execution service; outgoing requests are forbidden; superuser requests are unlimited.
4: Allow only incoming requests to the execution service; outgoing requests are forbidden.

If you want to update or upgrade your system and you are using firewall level 4, you must first stop the vpl-jail-service.
The default value for this parameter is 0.

Since version 2.2

ENVPATH: This parameter sets the value of the PATH environment variable used inside the jail. It removes problems with software that needs a different PATH. By default, the jail system uses the PATH of the root user. It is also needed on OSes, such as RedHat and related distributions, where ordinary users have a different PATH than the root user. If you are using this type of OS, take the value of the PATH environment variable of an ordinary user (echo $PATH) and copy it here.

Changes from the 2.2 to 2.3 version

The main change in version 2.3 is the file system used to replicate the root directory in the jail. This version includes some minor fixes and is compatible and interchangeable with the previous one.

The root file system is replicated with overlayfs, which allows the replica to be adapted to the needs of VPL-Jail-System easily and safely. To speed up execution and limit file system changes, the users' home directory is mounted as a tmpfs. The possibility of mounting the replica with SETUID allowed has also been added.

The use of tmpfs removes the need for the "vncaccel.sh" script.

The new parameters to control these new features are:

  • USETMPFS. This switch allows the use of tmpfs for the "/home" and "/dev/shm" directories. Setting this switch to "false" can degrade the performance of the jail system. To deactivate this option use USETMPFS=false. The default value is USETMPFS=true.
  • HOMESIZE. This option sets the size of the "/home" directory. The default value is 30% of the system memory. This option applies when using a tmpfs file system for the "/home" directory.
  • SHMSIZE. This option sets the size of the "/dev/shm" directory. The default value is 30% of the system memory. This option applies when using a tmpfs file system for the "/dev/shm" directory.
  • ALLOWSUID. This switch allows the execution of programs with the suid bit set inside the jail. This may be a security threat; use at your own risk. To activate this option, set ALLOWSUID=true.

Changes from the 2.3 to 2.4 version

The installer and service control script have been updated to support the systemd service manager. Versions before 2.4 support only the System V service manager. The change allows vpl-jail-system to be installed on Linux distributions that use YUM or APT and systemd or System V. Other fixes and changes are:

  • The default log level has been increased to 3.
  • The size of the SSL key created when installing has been increased to 2048 bits. New versions of the OpenSSL library require this size.
  • Improves the cleaning of finished tasks.

Changes from the 2.4 to 2.5 version

From the first versions of the VPL jail service, the system has included logic to ban IPs with a high number of failed requests. This feature can now be controlled with a new numeric configuration parameter called FAIL2BAN. Banning and the accounting of failed requests work in periods of 5 minutes. If one IP makes more than FAIL2BAN*20 failed requests and more failed requests than succeeded ones, the IP is banned until the next period. Setting FAIL2BAN to 0 stops the banning process. The default value of FAIL2BAN is 0, so this feature is disabled by default.
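The banning rule above, re-implemented as an added example (it is not the vpl-jail-system code): per-IP counters that reset at every 5-minute period boundary, with the ban applied once failures exceed FAIL2BAN*20 and outnumber successes. The class name, the timestamps and the addresses are assumptions.

```python
from collections import defaultdict

PERIOD = 300  # seconds: failed-request accounting and bans run in 5-minute periods


class RequestBanTracker:
    """Per-IP failed/succeeded accounting following the documented FAIL2BAN rule.
    Added illustration, not the vpl-jail-system implementation."""

    def __init__(self, fail2ban):
        self.fail2ban = fail2ban   # value of the FAIL2BAN parameter; 0 disables banning
        self.period = None         # index of the current 5-minute period
        self.counts = defaultdict(lambda: [0, 0])  # ip -> [failed, succeeded]
        self.banned = set()        # IPs banned until the period ends

    def _roll(self, now):
        """Start a new period when the clock crosses a 5-minute boundary."""
        current = int(now) // PERIOD
        if current != self.period:
            self.period = current
            self.counts.clear()    # counters and bans last only until the next period
            self.banned.clear()

    def is_banned(self, ip, now):
        """True if requests from ip are currently rejected."""
        self._roll(now)
        return ip in self.banned

    def record(self, ip, now, succeeded):
        """Account one request; return True if the IP is banned after it."""
        self._roll(now)
        counts = self.counts[ip]
        counts[1 if succeeded else 0] += 1
        failed, ok = counts
        if self.fail2ban > 0 and failed > self.fail2ban * 20 and failed > ok:
            self.banned.add(ip)
        return ip in self.banned
```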

The structure of the jail file systems has changed to improve the compatibility and performance of overlayFS in different O.S. configurations. Now the upper layer of the overlaid file system is on a tmpfs file system or, if you set USETMPFS=false, on a loop file system located at a sibling path to the control path (by default /var/vpl-jail-system.fs). IMPORTANT! If you set USETMPFS=false you cannot set HOMESIZE to a percentage of system memory; you must set HOMESIZE to a fixed value. The HOMESIZE value can be in megabytes or gigabytes. E.g.

  • HOMESIZE=8G
  • HOMESIZE=4500M
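An added example (not part of the vpl-jail-system project) that parses the PARAMETER=VALUE format described at the top of this page, checks the FIREWALL range and the USETMPFS=false / fixed HOMESIZE rule, and applies TASK_ONLY_FROM matching as documented (an exact IP, or a dotted prefix ending with a period). The sample file contents and the prefix-match reading of the network format are assumptions.

```python
import re

# Constructed sample of /etc/vpl/vpl-jail-system.conf, not taken from a real server
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
JAILPATH=/jail
TASK_ONLY_FROM=127.0.1.1 10.1.
URLPATH=/secret-path
FIREWALL=2
USETMPFS=false
HOMESIZE=4500M
"""


def parse_conf(text):
    """Parse PARAMETER=VALUE lines; the format allows no space around '='."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Z][A-Z0-9_]*", key) or value.startswith(" "):
            raise ValueError(f"line {lineno}: expected PARAMETER=VALUE without spaces")
        conf[key] = value
    return conf


def validate(conf):
    """Return the problems a defender would want flagged, per the documented rules."""
    problems = []
    if conf.get("FIREWALL", "0") not in ("0", "1", "2", "3", "4"):
        problems.append("FIREWALL must be a number from 0 to 4")
    if conf.get("URLPATH", "/") == "/":
        problems.append("URLPATH left at '/': the path-based password is effectively empty")
    if "TASK_ONLY_FROM" not in conf:
        problems.append("TASK_ONLY_FROM unset: requests are accepted from any address")
    fixed_home = re.fullmatch(r"\d+[MG]", conf.get("HOMESIZE", ""))  # e.g. 8G or 4500M
    if conf.get("USETMPFS", "true") == "false" and not fixed_home:
        problems.append("USETMPFS=false requires a fixed HOMESIZE such as 8G or 4500M")
    return problems


def source_allowed(conf, addr):
    """TASK_ONLY_FROM check: an exact IP, or a dotted prefix ending in '.' (e.g. 10.1.)."""
    entries = conf.get("TASK_ONLY_FROM")
    if entries is None:
        return True  # unset: any source that sends the correct URLPATH is accepted
    for entry in entries.split():
        if addr == entry or (entry.endswith(".") and addr.startswith(entry)):
            return True
    return False
```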

Updating/installing software

Never add files or folders to the jail folder manually. To upgrade or install new software on your execution server, just upgrade or install your software normally and restart the service.