{"id":13879235,"url":"https://github.com/github/hoosegow","last_synced_at":"2025-10-04T07:31:18.982Z","repository":{"id":22240557,"uuid":"25573868","full_name":"github/hoosegow","owner":"github","description":"Ephemeral Docker jails for running untrusted Ruby code","archived":true,"fork":false,"pushed_at":"2020-03-03T20:19:29.000Z","size":241,"stargazers_count":343,"open_issues_count":0,"forks_count":45,"subscribers_count":312,"default_branch":"master","last_synced_at":"2025-01-01T08:47:35.274Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/github.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-10-22T09:44:49.000Z","updated_at":"2024-12-30T22:21:55.000Z","dependencies_parsed_at":"2022-07-15T23:46:08.926Z","dependency_job_id":null,"html_url":"https://github.com/github/hoosegow","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fhoosegow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fhoosegow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fhoosegow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fhoosegow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/github","download_url":"https://codeload.github.com/github/hoosegow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235227462,"owner
s_count":18956137,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-06T08:02:14.492Z","updated_at":"2025-10-04T07:31:13.678Z","avatar_url":"https://github.com/github.png","language":"Ruby","funding_links":[],"categories":["Ruby"],"sub_categories":[],"readme":"# Hoosegow\n\nEphemeral Docker jails for running untrusted Ruby code.\n\nHoosegow runs both in your code and in a Docker container. When you call a method on a Hoosegow instance, it proxies the method call to another instance of Hoosegow running inside a Docker container.\n\n# Security\n\nHoosegow is intended to add a layer of security to projects that need to run code that is not fully trusted/audited. Because the untrusted code is running inside a Docker container, an attacker who manages to exploit a vulnerability in the code must also break out of the Docker container before gaining any access to the host system.\n\nThis means that Hoosegow is only as strong as Docker. Docker employs Kernel namespaces, capabilities, and cgroups to contain processes running inside a container. This is not true virtualization though, and a process running as root inside the container *can* compromise the host system. Any privilege escalation bugs in the host Kernel could also be used to become root and compromise the host machine. 
Further hardening of the base Ubuntu image, along with tools like AppArmor or SELinux, can improve the security posture of an application relying on Hoosegow/Docker.\n\nThe following are some useful resources regarding the security of Docker:\n\n- The [Docker Security](https://docs.docker.com/articles/security/) article from Docker.io.\n- The [LXC, Docker, Security](http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security) slides from Jérôme Petazzoni.\n- The series of Docker security articles from Daniel J. Walsh ([one](http://opensource.com/business/14/7/docker-security-selinux), [two](http://opensource.com/business/14/9/security-for-docker)). \n\n#### Installing\n\nGems are available from the [releases page](https://github.com/github/hoosegow/releases). Download a gem to\nyour app's `vendor/cache` directory, and add this to your Gemfile:\n\n    gem \"hoosegow\"\n\n#### Defining Methods to Proxy\n\nYou need to define the methods you want to have run in the Docker container. To do this, you need to create an `inmate.rb` file that defines a `Hoosegow::Inmate` module. Any methods on this module will be available on `Hoosegow` instances and will be proxied to the Docker container. Here is an example `inmate.rb` file:\n\n```ruby\nclass Hoosegow\n  module Inmate\n    def reverse(input)\n      input.reverse\n    end\n  end\nend\n```\n\nThe `inmate.rb` file should be in its own folder, with an optional `Gemfile` to specify dependencies. This directory will be copied to the Docker container at build time so your methods are available to be proxied to. 
You specify the location of the directory containing the `inmate.rb` file when instantiating a `Hoosegow` object:\n\n```ruby\nhoosegow = Hoosegow.new :inmate_dir =\u003e File.join(RAILS_ROOT, \"hoosegow_deps\")\nhoosegow.reverse \"foobar\"\n#=\u003e \"raboof\"\n```\n\n#### Building the Docker Image\n\nBefore you can start using Hoosegow, you need to build the Docker image that Hoosegow will proxy method calls to. This can be done in a rake task or bootstrap script:\n\n```ruby\nhoosegow = Hoosegow.new :inmate_dir =\u003e File.join(RAILS_ROOT, \"hoosegow_deps\")\nhoosegow.build_image\nhoosegow.image_name\n#=\u003e \"hoosegow:2f8f155e72828ddab9bd8bd0e355c47fb01a5323\"\n```\n\nThe image will need to be rebuilt with any changes to Hoosegow or the `inmate.rb` file. If the image is built ahead of time (by a rake task or bootstrap script), you can pass the name of the image to use when instantiating a Hoosegow instance:\n\n```ruby\nENV['HOOSEGOW_IMAGE']\n#=\u003e \"hoosegow:2f8f155e72828ddab9bd8bd0e355c47fb01a5323\"\nhoosegow = Hoosegow.new :inmate_dir =\u003e File.join(RAILS_ROOT, \"hoosegow_deps\"),\n                        :image_name =\u003e ENV['HOOSEGOW_IMAGE']\n```\n\n#### Configuring the Connection to Docker\n\nBy default Docker's API listens locally on a Unix socket. If you are running Docker with its default configuration, you don't need to worry about configuring Hoosegow.\n\n**Configure Hoosegow to connect to a non-standard Unix socket.**\n\n```ruby\nHoosegow.new :socket =\u003e '/path/to/socket'\n```\n\n**Configure Hoosegow to connect to a Docker daemon running on another computer.**\n\n```ruby\nHoosegow.new :host =\u003e '192.168.1.192', :port =\u003e 4243\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fhoosegow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithub%2Fhoosegow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fhoosegow/lists"}