
Code executor environment variables

These environment variables configure the code executor service in Self-hosted Retool deployments. You should only set them on containers running tryretool/code-executor-service images.

NODE_ENV

Should always be set to production.

NODE_ENV=production

NODE_OPTIONS

Used to specify the maximum heap size for the JavaScript V8 engine. Set to --max_old_space_size=1024.

NODE_OPTIONS="--max_old_space_size=1024"

SANDBOX_MOUNT_DIR

Used to configure where files will be mounted into the sandbox. Defaults to /tmp.

SANDBOX_MOUNT_DIR="/tmp"

SANDBOX_MAX_FILE_DESCRIPTORS

Used to configure the number of file descriptors within a single sandbox. Defaults to 256.

SANDBOX_MAX_FILE_DESCRIPTORS=256

DISABLE_IPTABLES_SECURITY_CONFIGURATION

Available on self-hosted Retool versions 3.33.30 and later.

Used to explicitly disable the default security configuration for link-local addresses. That configuration is applied by running the following startup commands, which require elevated privileges:

iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP
iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP

Set to true if privileged access (e.g., NET_ADMIN) cannot be given to the container running the Code executor service. Defaults to false.

DISABLE_IPTABLES_SECURITY_CONFIGURATION=false

CONTAINER_UNPRIVILEGED_MODE

Available on self-hosted Retool versions 3.33.30 and later.

Used to run the code executor service in an unprivileged mode, which removes any sandboxing of user code. Defaults to false.

The Code executor service uses nsjail to sandbox code execution. nsjail requires privileged container access. If your deployment framework does not support privileged access, e.g., in an ECS Fargate deployment, set CONTAINER_UNPRIVILEGED_MODE to true. Note: without sandboxing, use of custom JS libraries and custom Python libraries is not allowed.

This environment variable also disables the default security configuration for link-local addresses that prevents EC2 metadata leaks. That configuration is applied by running the following startup commands, which require elevated privileges:

iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP
iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP

WORKFLOW_MONITOR_PROCESS_ENABLED

Used to limit the memory and CPUs available to a workflow while running. If enabled, WORKFLOW_MEMORY_LIMIT_MBS and WORKFLOW_CPU_LIMIT can be set. Defaults to false.

WORKFLOW_MONITOR_PROCESS_ENABLED=false

WORKFLOW_MEMORY_LIMIT_MBS

If WORKFLOW_MONITOR_PROCESS_ENABLED is set to true, this variable governs the memory available to a workflow while running. Defaults to 2147 (2 GB).

WORKFLOW_MEMORY_LIMIT_MBS=2147

WORKFLOW_CPU_LIMIT

If WORKFLOW_MONITOR_PROCESS_ENABLED is set to true, this variable governs the CPUs available to a workflow while running. Defaults to 1.

WORKFLOW_CPU_LIMIT=1
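
The following is an added example, not part of Retool's documentation or tooling: a pre-deployment check that reads a code executor env file and reports the settings described above that weaken isolation or have no effect. It assumes plain KEY=value lines (docker --env-file style); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit a code-executor env file for the security-relevant settings on this page.
# Assumes plain KEY=value lines (docker --env-file style). Function names and
# the sample file are constructed for this example.

env_get() {  # env_get FILE KEY DEFAULT: last assignment wins, quotes stripped
  _v=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'")
  printf '%s' "${_v:-$3}"
}

audit_code_executor_env() {  # one finding per line; returns 1 if any finding
  _f=$1; _n=0
  _add() { printf '%s\n' "$1"; _n=$((_n + 1)); }
  [ "$(env_get "$_f" NODE_ENV "")" = production ] ||
    _add "NODE_ENV: should always be production"
  if [ "$(env_get "$_f" CONTAINER_UNPRIVILEGED_MODE false)" = true ]; then
    _add "CONTAINER_UNPRIVILEGED_MODE: nsjail sandboxing of user code is off"
    _add "CONTAINER_UNPRIVILEGED_MODE: startup iptables DROP rules are skipped"
  elif [ "$(env_get "$_f" DISABLE_IPTABLES_SECURITY_CONFIGURATION false)" = true ]; then
    _add "DISABLE_IPTABLES_SECURITY_CONFIGURATION: startup iptables DROP rules are skipped"
  fi
  # The limits are documented as taking effect only when the monitor is enabled.
  if [ "$(env_get "$_f" WORKFLOW_MONITOR_PROCESS_ENABLED false)" != true ] &&
     grep -Eq '^WORKFLOW_(MEMORY_LIMIT_MBS|CPU_LIMIT)=' "$_f"; then
    _add "WORKFLOW_*: limits only apply when WORKFLOW_MONITOR_PROCESS_ENABLED=true"
  fi
  [ "$_n" -eq 0 ]
}

# Constructed sample: an unprivileged (Fargate-style) config with an inert limit.
sample_env=$(mktemp)
cat > "$sample_env" <<'EOF'
NODE_ENV=production
NODE_OPTIONS="--max_old_space_size=1024"
CONTAINER_UNPRIVILEGED_MODE=true
WORKFLOW_MEMORY_LIMIT_MBS=2147
EOF
audit_code_executor_env "$sample_env" || echo "review the findings above"
rm -f "$sample_env"
```

When either iptables finding appears, the DROP rules for 169.254.0.0/16 and 192.168.0.0/16 are not installed inside the container, so any equivalent egress restriction has to come from the surrounding network configuration.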