Enabling execution sandboxing - 3.12

Data360 Analyze Server Help

Product: Data360 Analyze
Version: 3.12
Language: English
Portfolio: Verify
Product family: Data360
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2023
First publish date: 2016

Execution sandboxing is a security feature that restricts user access to data file locations on the server. Docker execution containers are provisioned on a per-user basis, so each user only has access to their own file upload location, their own temporary execution data location, and the shared file upload location. This ensures that users cannot access each other's data files.

Note: Execution sandboxing is currently not supported for Docker Desktop.

In the following instructions:

  • <installDir> refers to the directory where Data360 Analyze is installed.
  • <admin> refers to an admin user. On initial install, this will be admin. For an upgraded system, this is any valid admin user.
  • <pass> refers to the password of the admin user. On an initial install, this will be welcome.
  • <net> refers to the name of the network within which the Analyze Docker containers are to run.

Note: When using Docker execution containers, by default, nodes can only access "My Folder", "Public" and temporary file storage locations. Other file system locations, including mapped drives, are not currently available unless they are explicitly configured as described in the section "User Defined mount mappings for execution sandboxing".

Note that renaming a user would cause their "My Folder" location to become inaccessible. Before renaming a user, ensure that they have first copied their data into the Public folder, or have downloaded it from the server. Following the name change, they can upload their data to their new My Folder location.

"My Folder" and "Public" are accessible via the upload and download buttons on the toolbar. These are Data360 Analyze server locations that you can use to store data that you want to upload or download for use in your data flows.

Configuring execution sandboxing on Linux

Follow the steps in the Data360 Analyze Server Installation Guide to perform a normal installation or upgrade, then follow the steps in this section to enable execution sandboxing on Linux.

Prerequisites

  • Docker version 20.10 or later is installed on the same instance as the Data360 Analyze server.
  • The user that runs Data360 Analyze is a member of the Docker group.
  • Data360 Analyze is running.

  1. Log in to the machine where Data360 Analyze is running as the installer user.
  2. Run the following commands to enable the execution sandboxing feature:

    cd <installDir>/

    source .profile.lavastorm

    bin/laeConfig executionContainers enable --user <admin> --password <pass> --processingUser <d3saProcUser> --createNetwork <net>

    The --processingUser <d3saProcUser> argument should not be provided if you have configured a multi-user installation.

    For more advanced options when running the above executionContainers enable command, see Advanced configuration of execution sandboxing.

  3. Restart Data360 Analyze; see Starting / stopping the server on Linux.

Configuring execution sandboxing on Windows

Follow the steps in the Data360 Analyze Server Installation Guide to perform a normal installation or upgrade, then follow the steps in this section to enable execution sandboxing on Windows.

Note: It is recommended that you do not have your installation directory in a highly nested path when using Docker containers on Windows as the long path names can cause issues.

Prerequisites

  • Mirantis Container Runtime version 20.10 or later is installed on the same instance as the Data360 Analyze server.
  • The user that runs Data360 Analyze has permissions to create, start, stop and destroy containers in Docker.
  • Data360 Analyze is running.

  1. Log in to the machine where Data360 Analyze is running.
  2. Open a cmd window and run the following:

    cd <installDir>/bin

    laeConfig.bat executionContainers enable --user <admin> --password <pass> --createNetwork <net>

  3. Restart the Data360 Analyze services; see Starting / stopping the server on Windows Server.

    This configures Data360 Analyze to use Docker execution containers for data and execution sandboxing. These containers will run within the <net> network, which will be created in Docker.

    This will download and build the necessary Docker image and create a containers.prop file in the <site>/conf folder. This file defines how the containers are managed, including the container expiry time and the maximum number of containers that can be run at any given time.

User Defined mount mappings for execution sandboxing

The ls.brain.server.docker.mounts property set in the cust.prop file allows the user to define custom mounts in the Docker container.

When using the isolated Docker execution containers, nodes can only access their temporary file storage locations, the shared folder and the user's folder to which they can upload data in Data360 Analyze. Other file system locations, including mapped drives, are not accessible. To make other locations accessible to all users, they must be specified in the ls.brain.server.docker.mounts property.

Note: For Windows, due to Docker limitations, the specified targetDir must be either a whole drive or an empty directory under C:/. The targetDir does not have to exist in the container.

The following example binds the external directory "D:/data/mydata" to the directory "C:/mydata" in the Docker container and the external directory "D:/data/otherdata" to the directory "C:/data" in the Docker container. Both "C:/mydata" and "C:/data" are empty directories.

Specifying the targetDir in a node allows it to access the sourceDir.

ls.brain.server.docker.mounts=("sourceDir=D:/data/mydata targetDir=C:/mydata" "sourceDir=D:/data/otherdata targetDir=C:/data")
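
Because every mount listed in this property is visible to all users, it is worth reviewing the value before it goes into cust.prop. The following check is an added example, not part of the product or its documentation: it parses a property line in the format shown above and flags targetDir values that break the Windows rule in the note. The function names are hypothetical, and it assumes forward-slash or backslash paths that contain no spaces.

```python
import re

PROP = "ls.brain.server.docker.mounts"
# The example line from the page, followed by a constructed line with two faults.
PAGE_EXAMPLE = PROP + '=("sourceDir=D:/data/mydata targetDir=C:/mydata" "sourceDir=D:/data/otherdata targetDir=C:/data")'
CONSTRUCTED_BAD = PROP + '=("sourceDir=D:/in targetDir=D:/scratch/in" "sourceDir=E:/ref targetDir=E:" "sourceDir=D:/x targetDir=C:/Data" "sourceDir=D:/y targetDir=c:/data/")'


def parse_mounts(line):
    """Return [(sourceDir, targetDir), ...] parsed from one cust.prop line."""
    key, sep, value = line.strip().partition("=")
    value = value.strip()
    if not sep or key.strip() != PROP:
        raise ValueError("not a " + PROP + " line")
    if not (value.startswith("(") and value.endswith(")")):
        raise ValueError("value must be a parenthesised list of quoted entries")
    mounts = []
    for entry in re.findall(r'"([^"]*)"', value[1:-1]):
        tokens = entry.split()  # assumption: paths contain no spaces
        if len(tokens) != 2 or any("=" not in t for t in tokens):
            raise ValueError("malformed entry: " + repr(entry))
        fields = dict(t.split("=", 1) for t in tokens)
        if set(fields) != {"sourceDir", "targetDir"}:
            raise ValueError("entry needs sourceDir and targetDir: " + repr(entry))
        mounts.append((fields["sourceDir"], fields["targetDir"]))
    if not mounts:
        raise ValueError("no mount entries found")
    return mounts


def windows_target_problems(mounts):
    """Check each targetDir against the Windows rule in the note above.

    Whether a directory is empty inside the container cannot be read from
    the property, so only the path shape and duplicate targets are checked.
    """
    problems, seen = [], set()
    for _source, target in mounts:
        path = target.replace("\\", "/")
        whole_drive = re.fullmatch(r"[A-Za-z]:/?", path)
        under_c = re.fullmatch(r"[Cc]:/.+", path)
        if not (whole_drive or under_c):
            problems.append(target + ": not a whole drive or a directory under C:/")
        norm = path.rstrip("/").lower()  # Windows paths are case-insensitive
        if norm in seen:
            problems.append(target + ": targetDir used by more than one mount")
        seen.add(norm)
    return problems


if __name__ == "__main__":
    for line in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(windows_target_problems(parse_mounts(line)) or "OK")
```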