Shellbox/cs



Shellbox je knihovna pro provádění příkazů a také server a klient pro vzdálené provádění příkazů. Primárně byl implementován do sandboxu LilyPond (používaný Score extension) a poskytuje způsob, jak MediaWiki může využívat externí binární soubory, aniž by je bylo nutné spouštět ve stejném kontejneru. It was designed and approved via RFC: PHP microservice for containerized shell execution. Shellbox is usable starting with.

Information about using Shellbox in MediaWiki is available at.

Server setup
It is recommended that you set up Shellbox to run as an unprivileged user inside an isolated container with no external network access. Wikimedia uses Kubernetes for this purpose and has a Helm chart that may be reusable.

The following packages should be installed inside the container: Apache2, PHP-FPM, and whatever commands you need to shell out to (e.g. ,  , etc.).

In the following examples we use  as the container internal hostname.


 * Get the Shellbox source and its dependencies:
 * Create an unprivileged user for Shellbox:
 * Create a temporary work directory for Shellbox:
 * Create the Shellbox configuration file referencing that temporary work directory :
 * Generate a secret key; it is strongly recommended to use a 128-bit minimal strength, so here we use 16 random bytes formatted into an hexadecimal string:
 * Create the Apache configuration, and paste the secret key inside :
 * Protect the Apache configuration file against unprivileged reads of the secret key and unprivileged modifications, by any other system user or group than those configured to run Apache itself on the server:
 * Create the PHP-FPM pool configuration. When configured in this way, Shellbox does not have permission to connect to the PHP-FPM socket:

Pre-built containers
Wikimedia has pre-built containers that contain Shellbox, its dependencies, and PHP-FPM:


 * Wikimedia Docker registry for Shellbox containers

These images currently have no stability guarantee/versioning (help wanted on figuring this out).

Routes
Shellbox exposes a  route for manual and automated health checks. It also has a PHP-RPC interface for executing sandboxed PHP code.