Configure code-executor security and privileges

Learn how to disable the default security configuration for code-executor or run in unprivileged mode.

The code-executor service uses a default security configuration. It also runs in a privileged mode that runs workflow code in a sandboxed environment.

Disable default security configuration

If necessary, you can explicitly disable the default security configuration for a link-local address. This is useful if privileged access (e,g, NET_ADMIN) cannot be given to the code-executor service container.

First, run the following startup commands with elevated privileges:

iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP

iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP

Next, set the DISABLE_IPTABLES_SECURITY_CONFIGURATION environment variable to true.

DISABLE_IPTABLES_SECURITY_CONFIGURATION=true

Run code-executor in unprivileged mode

User code sandboxing is required to execute custom JavaScript and Python libraries.

The Code executor service uses nsjail to sandbox code execution. nsjail requires privileged container access. If your deployment framework does not support privileged access, (e.g., ECS Fargate, you can set the CONTAINER_UNPRIVILEGED_MODE environment variable to true.

CONTAINER_UNPRIVILEGED_MODE=true

This environment variable is also used to disable default security configs for link-local address to prevent EC2 metadata leaks. You must also run the startup commands to disable the default security configuration.