Code executor environment variables
Code executor environment variables available for use with Self-hosted Retool deployments. You should only set these environment variables on containers running tryretool/code-executor-service images.
NODE_ENV
Should always be set to production.
NODE_ENV=production
NODE_OPTIONS
Used to specify the maximum heap size for the JavaScript V8 engine. Set to --max_old_space_size=1024.
NODE_OPTIONS="--max_old_space_size=1024"
SANDBOX_MOUNT_DIR
Used to configure where files will be mounted into the sandbox. Defaults to /tmp.
SANDBOX_MOUNT_DIR="/tmp"
SANDBOX_MAX_FILE_DESCRIPTORS
Used to configure the number of file descriptors available within a single sandbox. Defaults to 256.
SANDBOX_MAX_FILE_DESCRIPTORS=256
DISABLE_IPTABLES_SECURITY_CONFIGURATION
Available on self-hosted Retool versions 3.33.30 and later.
Used to explicitly disable the default security configuration for link-local addresses. That configuration is applied by running the following startup commands, which require elevated privileges:
iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP
iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP
Set to true if privileged access (e.g., NET_ADMIN) cannot be given to the container running the Code executor service. Defaults to false.
DISABLE_IPTABLES_SECURITY_CONFIGURATION=false
CONTAINER_UNPRIVILEGED_MODE
Available on self-hosted Retool versions 3.33.30 and later.
Used to run the Code executor service in unprivileged mode, which removes any sandboxing of user code. Defaults to false.
The Code executor service uses nsjail to sandbox code execution. nsjail requires privileged container access. If your deployment framework does not support privileged access, e.g. in an ECS Fargate deployment, set CONTAINER_UNPRIVILEGED_MODE to true. Note: without sandboxing, use of custom JS libraries and custom Python libraries is not allowed.
Setting this environment variable also disables the default security configuration for link-local addresses, which prevents EC2 metadata leaks. That configuration is applied by running the following startup commands, which require elevated privileges:
iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP
iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP
WORKFLOW_MONITOR_PROCESS_ENABLED
Used to limit the memory and CPUs available to a workflow while running. If enabled, WORKFLOW_MEMORY_LIMIT_MBS and WORKFLOW_CPU_LIMIT can be set. Defaults to false.
WORKFLOW_MONITOR_PROCESS_ENABLED=false
WORKFLOW_MEMORY_LIMIT_MBS
If WORKFLOW_MONITOR_PROCESS_ENABLED is set to true, this variable governs the memory available to a workflow while running. Defaults to 2147 (2 GB).
WORKFLOW_MEMORY_LIMIT_MBS=2147
WORKFLOW_CPU_LIMIT
If WORKFLOW_MONITOR_PROCESS_ENABLED is set to true, this variable governs the CPUs available to a workflow while running. Defaults to 1.
WORKFLOW_CPU_LIMIT=1
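The following shell script is an added example, not part of Retool's documentation or code. It reads an env file intended for the code-executor container and reports the settings that, according to the descriptions above, remove sandboxing, skip the link-local DROP rules, or have no effect. The function names env_get and audit_env and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Retool code): flag risky code-executor settings in an env file.

# Print the last value assigned to KEY ($2) in env file ($1), without surrounding quotes.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^["'\'']//; s/["'\'']$//'
}

# Print one finding per line; print nothing when no documented concern applies.
audit_env() {
  f=$1
  unpriv=$(env_get "$f" CONTAINER_UNPRIVILEGED_MODE)
  noipt=$(env_get "$f" DISABLE_IPTABLES_SECURITY_CONFIGURATION)
  monitor=$(env_get "$f" WORKFLOW_MONITOR_PROCESS_ENABLED)

  [ "$(env_get "$f" NODE_ENV)" = "production" ] ||
    echo "NODE_ENV: should be set to production"
  if [ "$unpriv" = "true" ]; then
    echo "CONTAINER_UNPRIVILEGED_MODE: nsjail sandboxing of user code is removed"
    echo "CONTAINER_UNPRIVILEGED_MODE: DROP rules for 169.254.0.0/16 and 192.168.0.0/16 are not applied"
  fi
  [ "$noipt" != "true" ] ||
    echo "DISABLE_IPTABLES_SECURITY_CONFIGURATION: DROP rules for 169.254.0.0/16 and 192.168.0.0/16 are not applied"
  # The workflow limits are documented as taking effect only when the monitor is enabled.
  if [ "$monitor" != "true" ]; then
    for k in WORKFLOW_MEMORY_LIMIT_MBS WORKFLOW_CPU_LIMIT; do
      [ -z "$(env_get "$f" "$k")" ] ||
        echo "$k: set, but WORKFLOW_MONITOR_PROCESS_ENABLED is not true"
    done
  fi
  return 0
}

# Constructed sample: a deployment that cannot grant privileged access to the container.
sample=$(mktemp)
cat > "$sample" <<'EOF'
NODE_ENV=production
NODE_OPTIONS="--max_old_space_size=1024"
CONTAINER_UNPRIVILEGED_MODE=true
WORKFLOW_MEMORY_LIMIT_MBS=2147
EOF
audit_env "$sample"
rm -f "$sample"
```

When either link-local finding appears, the container itself no longer blocks the user-code process from reaching the instance metadata range, so that restriction has to come from outside the container.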