Skip to content

chore(pegboard): update oci config for stricter security #2500

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

chore(pegboard): update oci config for stricter security #2500

wants to merge 2 commits into from

Conversation

@NathanFlurry
Copy link
Member

Changes

@NathanFlurry NathanFlurry mentioned this pull request May 30, 2025
Closed
@NathanFlurry Graphite App
Copy link
Member Author

NathanFlurry commented May 30, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@NathanFlurry NathanFlurry mentioned this pull request May 30, 2025
Closed
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented May 30, 2025
edited
Loading

Deploying rivet with  Cloudflare Pages  Cloudflare Pages

Latest commit: d4c8eac
Status: ✅  Deploy successful!
Preview URL: https://befd5211.rivet.pages.dev
Branch Preview URL: https://graphite-base-2501.rivet.pages.dev

View logs

@NathanFlurry NathanFlurry marked this pull request as ready for review May 30, 2025 20:03
greptile-apps[bot]
greptile-apps bot reviewed May 30, 2025
View reviewed changes
Copy link

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Summary

Enhanced container security through stricter OCI configuration and seccomp policies, while adding a basic health check endpoint.

  • Added /ping endpoint in packages/edge/infra/guard/server/src/routing/api.rs for basic health monitoring
  • Implemented stricter resource limits in oci_config.rs including CPU (10,000 shares max), memory, pids (256), and block I/O (10MB/s)
  • Reduced Linux capabilities to minimum required set (CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE, CAP_KILL)
  • Removed high-risk syscalls like ptrace, chroot, and capset in seccomp configuration
  • Added comprehensive namespace isolation including user, network, and cgroup namespaces

3 file(s) reviewed, no comment(s)
Edit PR Review Bot Settings | Greptile

This was referenced May 30, 2025
Closed
Closed
This was referenced May 31, 2025
Closed
Closed
Closed
Closed
Closed
@cloudflare-workers-and-pages
Copy link

Deploying rivet-studio with  Cloudflare Pages  Cloudflare Pages

Latest commit: d4c8eac
Status: ✅  Deploy successful!
Preview URL: https://c7bb98f7.rivet-studio.pages.dev
Branch Preview URL: https://graphite-base-2501.rivet-studio.pages.dev

View logs

@cloudflare-workers-and-pages
Copy link

Deploying rivet-hub with  Cloudflare Pages  Cloudflare Pages

Latest commit: d4c8eac
Status: ✅  Deploy successful!
Preview URL: https://8773682a.rivet-hub-7jb.pages.dev
Branch Preview URL: https://graphite-base-2501.rivet-hub-7jb.pages.dev

View logs

@MasterPtato MasterPtato mentioned this pull request May 31, 2025
Closed
This was referenced May 31, 2025
Closed
Closed
@MasterPtato MasterPtato changed the base branch from 04-26-chore_add_standalone_toolchain_build_scripts to graphite-base/2500 June 2, 2025 18:13
@MasterPtato MasterPtato mentioned this pull request Jun 2, 2025
Closed
This was referenced Jun 2, 2025
Closed
Closed
Closed
Closed
@MasterPtato MasterPtato mentioned this pull request Jun 3, 2025
Closed
@NathanFlurry NathanFlurry marked this pull request as draft June 3, 2025 07:01
This was referenced Jun 3, 2025
Closed
Closed
This was referenced Jun 4, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Jun 9, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NathanFlurry