Add security hardening features for worker execution:
- Worker config with sandboxing options (network_mode, read_only, secrets)
- Execution setup with security context propagation
- Podman container runtime security enhancements
- Security configuration management in config package
- Add homelab-sandbox.yaml example configuration

Supports running jobs in isolated, restricted environments.
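---
# Worker configuration with sandboxing enabled
# This configuration provides strict isolation for sensitive workloads
#
# NOTE(review): nesting was reconstructed from a flattened listing; placing
# `resources` under `sandbox` is the most plausible reading — confirm against
# the worker config schema.

host: "127.0.0.1"
user: "worker"
base_path: "/var/lib/fetchml/experiments"
max_workers: 4

# Sandboxing configuration
sandbox:
  # Network isolation: "none" (no network), "slirp4netns" (user-mode
  # networking), "bridge" (bridge networking), or "" (default)
  network_mode: "none"

  # Mount root filesystem as read-only
  read_only_root: true

  # Enable secret injection for API keys
  # NOTE(review): with network_mode "none" the job has no egress, so API tokens
  # injected here cannot reach their services. Inject only what a job actually
  # needs, or switch to "slirp4netns" when outbound access is required.
  allow_secrets: true

  # Allowed secrets (explicit allowlist for security)
  # Entries look like environment-variable names; presumably matched against
  # the worker's environment — verify against the secret loader.
  allowed_secrets:
    - HF_TOKEN  # Hugging Face API token
    - WANDB_API_KEY  # Weights & Biases API key
    - OPENAI_API_KEY  # OpenAI API key
    - ANTHROPIC_API_KEY  # Anthropic API key
    - AWS_ACCESS_KEY_ID  # AWS credentials
    - AWS_SECRET_ACCESS_KEY

  # Seccomp profile for syscall filtering
  # How this path is resolved (absolute vs. relative to a profile directory)
  # is not shown here — TODO confirm before relying on it.
  seccomp_profile: "ml-research.json"

  # Maximum runtime before automatic termination (hours)
  max_runtime_hours: 48

  # Resource limits
  resources:
    max_memory_gb: 64
    max_cpu_cores: 16
    max_gpu_devices: 4

# Podman configuration
# "latest" is a mutable tag; pin by digest (image@sha256:<DIGEST-PLACEHOLDER>)
# for reproducible sandbox images.
podman_image: "fetchml-ml:latest"
gpu_vendor: "nvidia"

# Queue backend
queue:
  backend: "redis"
  # Plain redis:// to localhost with no credentials — acceptable on a
  # single-host homelab, not on a shared network.
  redis_url: "redis://localhost:6379/0"

# Snapshot store (optional)
snapshot_store:
  enabled: false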