Awesome
R Rserve docker image for safe execution
This directory builds a docker image that safely executes Rserve. Rserve
connections use a Unix domain socket, such that the container can be
started with the --net=none
to deny it any access to a network. The
socket is created in the volume /rserve
and named socket
. There are
two ways to make the socket available:
- Start using
--name=rserve
. This makes the socket available from embedded volume. Other docket container can use--with-volumes-from rserve
to get access to the Rserve socket.
```
docker run --net=none --name=rserve rserve
```
2. Create a directory that is owned by a non-priviledged user/group and has its permissions set to provide access to the selected users. For example:
```
useradd -U --create-home --home=/home/rserve rserve
chmod 770 /home/rserve
```
Now, the image can be started using the command below, creating
/home/rserve/socket
. Note that the R server runs with the
UID/GID of the mounted directory.
```
docker run --net=none -v /home/rserve:/rserve rserve
```
Safety
To protect the container, we
- Run the container using
--net=none
to disable networking inside the container - Run
Rserve
as a non-priveleged user - Disable all executables using
chmod 0
, except for those needed to runR
.
Installation
-
make image
- Creates the docker image
-
make run
- Starts the Rserve container. This creates a Unix domain
socket
/home/rserve/socket
that allows for contacting the R server.
- Starts the Rserve container. This creates a Unix domain
socket
Customization
-
The entry point
Rserve.sh
accepts options to limit resources. Use the command below for detailsdocker run rserve --help
-
Please edit
Dockerfile
to add additional R packages.