Docker sandboxing - Please suggest the best alternative way to do what I'm doing (unless there's none) --thanks

Docker Hub
1

Hello,

I’m a new Docker user. I need to do the following:

  1. Compile and run a random user’s C++ program on my machine (along with my own additions to their code)
  2. Capture the output and process it locally.

I’m running docker on an Amazon AWS Linux micro instance. I did the following:

  1. Customized and built an Ubuntu image called sandbox which has all the packages I need (g++, valgrind, make, etc.)

  2. In a different directory which contains my pre-req files, I copy over the user’s files. Then I build a new docker image from this directory which builds using the sandbox base image. My Docker file says:

   FROM sandbox
   COPY . /sandbox
   RUN make

Then I run a Docker build command from my local environment as follows:

307 {aws-028}testcpp: docker build --tag=test .
Sending build context to Docker daemon  35.33kB
Step 1/5 : FROM        sandbox
 ---> 42fdf2be6912
Step 2/5 : MAINTAINER  AVFILT
 ---> Running in d5531528333c
Removing intermediate container d5531528333c
 ---> 561070a04095
Step 3/5 : WORKDIR /sandbox
 ---> Running in 7d1afb32f3ef
Removing intermediate container 7d1afb32f3ef
 ---> e416508e5180
Step 4/5 : COPY . /sandbox
 ---> 8392a378a6a2
Step 5/5 : RUN make
 ---> Running in bf041f3a5353
g++ -Wall -O0 -std=c++0x *.cpp 
valgrind ./a.out  # >a.log 2>&1
==22== Memcheck, a memory error detector
==22== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22== Command: ./a.out
==22== 
Success. All tests passed. Congratulations.
==22== 
==22== HEAP SUMMARY:
==22==     in use at exit: 72,704 bytes in 1 blocks
==22==   total heap usage: 3,881 allocs, 3,880 frees, 524,711 bytes allocated
==22== 
==22== LEAK SUMMARY:
==22==    definitely lost: 0 bytes in 0 blocks
==22==    indirectly lost: 0 bytes in 0 blocks
==22==      possibly lost: 0 bytes in 0 blocks
==22==    still reachable: 72,704 bytes in 1 blocks
==22==         suppressed: 0 bytes in 0 blocks
==22== Rerun with --leak-check=full to see details of leaked memory
==22== 
==22== For counts of detected and suppressed errors, rerun with: -v
==22== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Removing intermediate container bf041f3a5353
 ---> 9cf23028b470
Successfully built 9cf23028b470
Successfully tagged test:latest

I capture the above output into a local file and then process it using a script.

My question: Is this the best way to accomplish what I want (essentially the output of make and valgrind)?

If I do this iteratively a number of times, can I assume that each run will not leave behind dangling data to be cleaned up (and eventually run out of disk space)?

Thank you very much,

&

2

You’ll end up with a new image evertime you “docker build” so you’ll have to delete those eventually. Also, you are not really running containers, but just looking at side effects of building images, so that is not really what Docker is supposed to do for you.

When I use Docker for building, I have one image with the compiler, libraries etc. in it and then run a container with the build directory mounted as a volume. So “make” is issued when I “docker run” the container, not while building the image. The container itself is then stateless, but the build directory must still be maintained of course.

1 Like
3

Chris,

Thanks very much. You gave me exactly the information I needed.

Now I do:

docker run -v /usr/local/path/to/my/host/directory:/sandbox sandbox make
g++ -Wall -O0 -std=c++0x *.cpp 
valgrind ./a.out  # >a.log 2>&1
==21== Memcheck, a memory error detector
==21== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21== Command: ./a.out
==21== 
Success. All tests passed. Congratulations.
==21== 
==21== HEAP SUMMARY:
==21==     in use at exit: 72,704 bytes in 1 blocks
==21==   total heap usage: 3,881 allocs, 3,880 frees, 524,270 bytes allocated
==21== 
==21== LEAK SUMMARY:
==21==    definitely lost: 0 bytes in 0 blocks
==21==    indirectly lost: 0 bytes in 0 blocks
==21==      possibly lost: 0 bytes in 0 blocks
==21==    still reachable: 72,704 bytes in 1 blocks
==21==         suppressed: 0 bytes in 0 blocks
==21== Rerun with --leak-check=full to see details of leaked memory
==21== 
==21== For counts of detected and suppressed errors, rerun with: -v
==21== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Is this a good (or best) way to do it?

Thank you again.

&

4

Looks reasonable to me.

1 Like