Public | Automated Build

Last pushed: 8 months ago
Short Description
Rserve provides a sandboxed R image for use with SWISH
Full Description

R Rserve docker image for safe execution

This directory builds a docker image that safely executes Rserve. Rserve
connections use a Unix domain socket, such that that container can be
started with the --net=none to deny it any access to a network. The
socket is created in the volume /rserve and names socket. There are
two ways to make the socket available:

  1. Start using --name=rserve. This makes the socket available from
    embedded volume. Other docket container can use --with-volumes-from rserve to get access to the Rserve socket.

    docker run --net=none --name=rserve rserve
    
  1. Create a directory that is owned by a non-priviledged user/group
    and has its permissions set to provide access to the selected users.
    For example:

    useradd -U --create-home --home=/home/rserve rserve
    chmod 770 /home/rserve
    

    Now, the image can be started using the command below, creating
    /home/rserve/socket. Note that the R server runs with the
    UID/GID of the mounted directory.

    docker run --net=none -v /home/rserve:/rserve rserve
    

Safety

To protect the container, we

  • Run the container using --net=none to disable networking inside
    the container
  • Run Rserve as a non-priveleged user
  • Disable all executables using chmod 0, except for those
    needed to run R.

Installation

  • make image

    • Creates the docker image
  • make run

    • Starts the Rserve container. This creates a Unix domain
      socket /home/rserve/socket that allows for contacting
      the R server.

Customization

  • The entry point Rserve.sh accepts options to limit resources.
    Use the command below for details

    docker run rserve --help
    
  • Please edit Dockerfile to add additional R packages.

Docker Pull Command
Owner
swipl
Source Repository