Execution sandboxing is a security feature that enables you to secure user access to data file locations on the server. Through provisioning of Docker execution containers on a per-user basis, users will only have access to their own file upload location, their own temporary execution data location, and the shared file upload location, ensuring that users cannot access each other's data files.
See:
- Configuring execution sandboxing on Linux
- Configuring execution sandboxing on Windows
- Advanced configuration of execution sandboxing
- User Defined mount mappings for execution sandboxing
In the following instructions:
- <installDir> refers to the directory where Data360 Analyze is installed.
- <admin> refers to an admin user. On initial install, this will be admin. For an upgraded system, this is any valid admin user.
- <pass> refers to the password of the admin user. On an initial install, this will be welcome.
- <net> refers to the name of the network within which the Analyze Docker containers are to run.
Configuring execution sandboxing on Linux
Follow the steps in the Data360 Analyze Server Installation Guide to perform a normal installation or upgrade, then follow the steps in this section to enable execution sandboxing on Linux.
Prerequisites
- Docker version 20.10 or later is installed on the same instance as the Data360 Analyze server.
- The user that runs Data360 Analyze is a member of the Docker group.
- Data360 Analyze is running.
- Log in to the machine where Data360 Analyze is running as the installer user.
- Run the following commands to enable the execution sandboxing feature:
cd <installDir>/
source .profile.lavastorm
bin/laeConfig executionContainers enable --user <admin> --password <pass> --processingUser <d3saProcUser> --createNetwork <net>
The --processingUser <d3saProcUser> argument should not be provided if you have configured a multi-user installation.
For more advanced options when running the above executionContainers enable command, see Advanced configuration of execution sandboxing.
- Restart Data360 Analyze, see Starting / stopping the server on Linux.
Configuring execution sandboxing on Windows
Follow the steps in the Data360 Analyze Server Installation Guide to perform a normal installation or upgrade, then follow the steps in this section to enable execution sandboxing on Windows.
Prerequisites
- Mirantis Container Runtime version 20.10 or later is installed on the same instance as the Data360 Analyze server.
- The user that runs Data360 Analyze has permissions to create, start, stop and destroy containers in Docker.
- Data360 Analyze is running.
- Log in to the machine where Data360 Analyze is running.
- Open a cmd window and run the following:
cd <installDir>/bin
laeConfig.bat executionContainers enable --user <admin> --password <pass> --createNetwork <net>
- Restart the Data360 Analyze services, see Starting / stopping the server on Windows Server.
This configures Data360 Analyze to use Docker execution containers for data and execution sandboxing. These containers will run within the <net> network, which will be created in Docker.
This will download and build the necessary Docker image and create a containers.prop file in the <site>/conf folder, which defines how the containers are managed, including container expiry time and the maximum number of containers that can be run at any given time.
User Defined mount mappings for execution sandboxing
The ls.brain.server.docker.mounts property, set in the cust.prop file, allows the user to define custom mounts in the Docker container.
When using the isolated Docker execution containers, nodes can only access their temporary file storage locations, the shared folder and the user's folder to which they can upload data in Data360 Analyze. Other file system locations, including mapped drives, are not accessible. To make other locations accessible to all users, they must be specified in the ls.brain.server.docker.mounts property.
The following example binds the external directory "D:/data/mydata" to the directory "C:/mydata" in the Docker container and the external directory "D:/data/otherdata" to the directory "C:/data" in the Docker container. Both "C:/mydata" and "C:/data" are empty directories.
Specifying the targetDir in a node allows it to access the sourceDir.
ls.brain.server.docker.mounts=("sourceDir=D:/data/mydata targetDir=C:/mydata" "sourceDir=D:/data/otherdata targetDir=C:/data")
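Because every mount in this property is visible to all users, a mount that is too broad can undo the per-user isolation. The following check is an added example, not Data360 Analyze code: it parses the property in the shape shown above and flags mounts worth reviewing. The checks are a reviewer's policy rather than product behaviour, the parser assumes paths without spaces, and the D:/analyze-data/users location and the BROAD sample are constructed.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

PROP = "ls.brain.server.docker.mounts"
ENTRY = re.compile(r'"sourceDir=([^\s"]+)\s+targetDir=([^\s"]+)"')

def parse_mounts(prop_text):
    """Return [(sourceDir, targetDir), ...] from the text of a cust.prop file."""
    for line in prop_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROP:
            return ENTRY.findall(value)
    return []

def _path(p):
    # Drive-letter paths compare case-insensitively; POSIX paths do not.
    return PureWindowsPath(p) if re.match(r"[A-Za-z]:", p) else PurePosixPath(p)

def _overlap(a, b):
    """True if one path equals or contains the other."""
    a, b = _path(a), _path(b)
    return type(a) is type(b) and (a == b or a in b.parents or b in a.parents)

def audit(mounts, protected=()):
    """List mounts that expose more to every sandboxed user than intended."""
    findings, targets = [], set()
    for i, (src, dst) in enumerate(mounts):
        p = _path(src)
        if p.anchor and p.parent == p:
            findings.append(f"{src}: mounts a whole drive or filesystem root")
        for guard in protected:  # e.g. the per-user upload root (site-specific)
            if _overlap(src, guard):
                findings.append(f"{src}: overlaps protected location {guard}")
        for earlier, _ in mounts[:i]:
            if _overlap(src, earlier):
                findings.append(f"{src}: overlaps mount source {earlier}")
        if _path(dst) in targets:
            findings.append(f"{dst}: targetDir is used by more than one mount")
        targets.add(_path(dst))
    return findings

# The property line from this page, then a constructed over-broad variant.
PAGE = ('ls.brain.server.docker.mounts=("sourceDir=D:/data/mydata targetDir=C:/mydata" '
        '"sourceDir=D:/data/otherdata targetDir=C:/data")')
BROAD = ('ls.brain.server.docker.mounts=("sourceDir=D:/ targetDir=C:/all" '
         '"sourceDir=D:/analyze-data targetDir=C:/all")')
USERS = ["D:/analyze-data/users"]  # hypothetical location of per-user uploads

if __name__ == "__main__":
    for name, text in (("page", PAGE), ("broad", BROAD)):
        print(name, audit(parse_mounts(text), USERS) or "no findings")
```

Pass the real per-user upload and temporary data locations for your site as the protected list; the value used here is only a placeholder.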