Resolve "increase isolation of job containers" (!123) · Merge requests · allgo / allgo

This PR increases the isolation of the job containers:

disable network access
run the job as an arbitrary ordinary user, rather that root (note that is is still possible to become root with setuid executables, until #271 is implemented)
remove all kernel capabilities
change the workdir to /work (rather that /tmp), the rationale is that since we no longer run the container as root, it is not possible to create arbitrary dirs for storing temporary data (/tmp is actually the most straightforward choice for storing tmp data)

Edited Sep 18, 2018 by BAIRE Anthony

Resolve "increase isolation of job containers"