
Configure code-executor security and privileges

Retool strongly recommends running the code-executor container in privileged mode so that custom code executes in a sandboxed environment. Use unprivileged mode only if your deployment cannot support privileged mode.

The code-executor service uses a default security configuration. By default it also runs in privileged mode, which executes workflow code in a sandboxed environment.

Disable default security configuration

If necessary, you can explicitly disable the default security configuration for link-local addresses. This is useful if privileged access (e.g., NET_ADMIN) cannot be granted to the code-executor service container.

First, run the following startup commands with elevated privileges:

iptables-legacy -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner retool_user -j DROP
iptables-legacy -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner retool_user -j DROP

Next, set the DISABLE_IPTABLES_SECURITY_CONFIGURATION environment variable to true.

DISABLE_IPTABLES_SECURITY_CONFIGURATION=true
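The two startup commands above are typically re-run at every container or host start, so a practitioner usually wants them applied idempotently and verified afterwards. The script below is an added example, not Retool's own startup script: it applies the same two DROP rules only when they are absent (using the iptables -C check), verifies them, and then sets DISABLE_IPTABLES_SECURITY_CONFIGURATION=true. The IPTABLES, SANDBOX_USER and BLOCKED_RANGES overrides and the "apply" argument are this example's own assumptions. It must run with the privileges needed to modify iptables; where it runs (host, init container) depends on your deployment and is not specified by the page.

```shell
#!/bin/sh
# Added example (not Retool's startup script): idempotently apply the egress DROP
# rules for the sandbox user, verify them, and set the variable that tells
# code-executor its default iptables security configuration is disabled.

IPTABLES="${IPTABLES:-iptables-legacy}"      # assumption: override if your host uses another iptables binary
SANDBOX_USER="${SANDBOX_USER:-retool_user}"  # uid whose outbound traffic is dropped
# Destinations from the page: link-local space (where EC2 metadata is served) and 192.168.0.0/16
BLOCKED_RANGES="${BLOCKED_RANGES:-169.254.0.0/16 192.168.0.0/16}"

# Print the rule specification shared by -A, -C and -D for one destination range.
# Callers expand it unquoted on purpose so the shell splits it into arguments.
rule_spec() {
    printf '%s' "-d $1 -m owner --uid-owner $SANDBOX_USER -j DROP"
}

# Append the rule only when it is absent (-C exits non-zero if no matching rule),
# so re-running at every start does not stack duplicate copies of the rule.
ensure_drop_rule() {
    range="$1"
    if $IPTABLES -C OUTPUT $(rule_spec "$range") 2>/dev/null; then
        echo "OUTPUT drop to $range for $SANDBOX_USER already present"
        return 0
    fi
    $IPTABLES -A OUTPUT $(rule_spec "$range")
}

# Exit 0 only if every expected rule is currently loaded.
verify_drop_rules() {
    for range in $BLOCKED_RANGES; do
        $IPTABLES -C OUTPUT $(rule_spec "$range") 2>/dev/null || {
            echo "missing: OUTPUT drop to $range for $SANDBOX_USER" >&2
            return 1
        }
    done
}

# Apply all rules; only if every rule is in place, export the variable that
# disables code-executor's default security configuration.
apply_security_rules() {
    for range in $BLOCKED_RANGES; do
        ensure_drop_rule "$range" || return 1
    done
    export DISABLE_IPTABLES_SECURITY_CONFIGURATION=true
}

# Only act when invoked as "apply", so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "apply" ]; then
    apply_security_rules && verify_drop_rules
fi
```

Two points worth checking before relying on this: the owner match resolves the user name to a uid when the rule is inserted, so retool_user must exist on the system where the command runs (otherwise use the numeric uid), and the second rule drops all traffic from that uid to 192.168.0.0/16, so workflows that need to reach internal services in that range will fail until you narrow the rule.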

Run code-executor in unprivileged mode

The code-executor service uses NsJail to sandbox code execution. NsJail requires privileged container access. If your deployment framework does not support privileged access (e.g., ECS Fargate), you can set the CONTAINER_UNPRIVILEGED_MODE environment variable to true. While you can run without NsJail, we recommend using privileged mode with NsJail enabled whenever possible, as it provides sandboxing and stronger security.

To run in unprivileged mode:

  1. Set the CONTAINER_UNPRIVILEGED_MODE environment variable to true on your code-executor container.
  2. Set the container user to run as retool_user. You can do this in Docker via the USER instruction, or in Kubernetes via a security context.
  3. Ensure the container or pod does not run with privileged capabilities.

The following example runs code-executor in unprivileged mode using Docker Compose:

  code-executor:
    user: retool_user
    build:
      ...
    environment:
      - NODE_ENV=production
      - NODE_OPTIONS=--max_old_space_size=1024
      - CONTAINER_UNPRIVILEGED_MODE=true
      ...
    privileged: false
    ...

The CONTAINER_UNPRIVILEGED_MODE environment variable also disables the default configuration for link-local addresses, which exists to prevent Amazon EC2 metadata leaks. You must therefore also run the startup commands that disable the default security configuration (see above).