New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sandbox error #245

Closed
yihangho opened this Issue Feb 8, 2014 · 6 comments

Comments

2 participants
@yihangho
Copy link
Contributor

yihangho commented Feb 8, 2014

I receive this error

Compilation aborted because of sandbox error in `/tmp/tmpC0apCz'.

after submitting the solution for a batch task. Any idea what's wrong?

@lerks

This comment has been minimized.

Copy link
Member

lerks commented Feb 8, 2014

Could you set keep_sandbox to true (in the configuration file), reproduce the bug and then share with us the content of that /tmp/tmp... directory (either by attaching them to this issue or by uploading them somewhere else)?

@yihangho

This comment has been minimized.

Copy link
Contributor Author

yihangho commented Feb 8, 2014

There are 2 files in /tmp/tmp_NxZe5, they are batch.cpp and commands.log:

batch.cpp:

#include <cstdio>

int main() {
        int a, b;
        scanf("%d %d", &a, &b);
        printf("%d\n", a+b);
        return 0;
}

commands.log

mo-box -a 2 -c /tmp/tmp_NxZe5 -e -E TMPDIR=/tmp/tmp_NxZe5 -f -F -m 262144 -o /tmp/tmp_NxZe5/compiler_stdout.txt -p /etc/ -p /lib/ -p /usr/ -p /tmp/tmp_NxZe5/ -p /proc/self/exe -r /tmp/tmp_NxZe5/compiler_stderr.txt -s waitpid -s prlimit64 -t 10 -w 20 -M /tmp/tmp_NxZe5/run.log.0 -- /usr/bin/g++ -DEVAL -static -O2 -o batch batch.cpp
@lerks

This comment has been minimized.

Copy link
Member

lerks commented Feb 8, 2014

Could you verify that mo-box and g++ are correctly installed? Try to run these commands in a shell.

@yihangho

This comment has been minimized.

Copy link
Contributor Author

yihangho commented Feb 9, 2014

Yep, both are working correctly:

$ mo-box
Invalid arguments!
Usage: box [<options>] -- <command> <arguments>

Options:
-a <level>  Set file access level (0=none, 1=only defined with -p, 2=cwd, 3=/etc,/lib,...,
        4=whole fs, 9=no checks; needs -f)
-c <dir>    Change directory to <dir> first
-e      Inherit full environment of the parent process
-E <var>    Inherit the environment variable <var> from the parent process
-E <var>=<val>  Set the environment variable <var> to <val>; unset it if <var> is empty
-f      Filter system calls (-ff=very restricted)
-F      Allow fork and fork-related calls (children process _won't_ be traced)
-i <file>   Redirect stdin from <file>
-k <size>   Limit stack size to <size> KB (default: 0=unlimited)
-m <size>   Limit address space to <size> KB
-M <file>   Output process information to <file> (name:value)
-o <file>   Redirect stdout to <file>
-p <path>   Permit access to the specified path (or subtree if it ends with a `/')
-p <path>=<act> Define action for the specified path (<act>=yes/no)
-r <file>   Redirect stderr to <file>
-s <sys>    Permit the specified syscall (be careful)
-s <sys>=<act>  Define action for the specified syscall (<act>=yes/no/file)
-t <time>   Set run time limit (seconds, fractions allowed)
-T      Allow syscalls for measuring run time
-v      Be verbose (use multiple times for even more verbosity)
-w <time>   Set wall clock time limit (seconds, fractions allowed)
-x <time>   Set extra timeout, before which a timing-out program is not yet killed,
        so that its real execution time is reported (seconds, fractions allowed)
$ g++
g++: fatal error: no input files
compilation terminated.

However, if I run the command listed in commands.log, I received Unknown syscall 'waitpid'.

@lerks

This comment has been minimized.

Copy link
Member

lerks commented Feb 9, 2014

Ok, that should explain everything: you're running CMS on a 64bit system, aren't you?

Unfortunately CMS v1.0 supports only 32bit systems. There are some way you can workaround that limitation:

  • Upgrade to the development version of CMS (the one that will become v1.1) which features a new sandbox, called isolate, that runs on 64bit machines.
  • Host the worker on a 32bit system that runs inside a virtual machine or a chroot (see here)
  • Patch mo-box to support 64bit architecture. I thought I already had a .patch file lying around but I cannot find it. Have a look here.
@yihangho

This comment has been minimized.

Copy link
Contributor Author

yihangho commented Feb 9, 2014

Oh.... I totally forgot about the 32-bit requirement! Thanks for helping!

@yihangho yihangho closed this Feb 9, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment