Together-Coding/Runtime-Container

Runtime-Container

Runtime-Container has several Dockerfiles used to build container images for each supported language. For now, GCC and Python are available.
When an image is built, it installs the Runtime-Agent code from GitHub and sets the command that runs the FastAPI server. This lets users of the web IDE execute code in the container remotely through an SSH relay, so an SSH daemon runs to allow connections from localhost.

What it does

  1. Download Runtime-Agent from GitHub in an intermediate image.
  2. Use one of the official images that has an environment for executing code.
  3. Make directories for runtime-agent server and user's code.
  4. Copy runtime-agent from the intermediate image and install packages.
  5. Run SSH daemon and runtime-agent server.

Note

Runtime-Container must install Runtime-Agent to handle requests from outside, to be monitored by Runtime-Bridge, and so on. Because that repository was previously private, GitHub credentials are required to download it at the build stage. But using secrets in a normal build stage makes the project vulnerable.
Following build-docker-image-clone-private-repo-ssh-key, it was implemented with multi-stage builds to hide the secrets.
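
A build-time check for the multi-stage approach described in this note, as an added example (not code from this repository): it reads a Dockerfile and reports any COPY/ADD line that would place the SSH key in the final image. The sample Dockerfile, the clone URL placeholder and the function name key_leaks are assumptions; only shell-form COPY/ADD is handled.

```python
import re
# Constructed sample following the build steps above. "toco" is the key file
# name from this README; the clone URL is a placeholder, not the real one.
GOOD = """\
FROM alpine/git AS intermediate
COPY toco /root/.ssh/id_rsa
RUN git clone git@github.com:ORG/RUNTIME-AGENT.git /agent
FROM python:3.10
RUN mkdir -p /opt/agent /home/user/code
COPY --from=intermediate /agent /opt/agent
"""
BAD = GOOD + "COPY --from=intermediate /root /root\n"  # final stage pulls key dir

def key_leaks(dockerfile, key="toco"):
    """Return findings for lines that put the key into the final image."""
    text = re.sub(r"\\\r?\n", " ", dockerfile)        # join line continuations
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    last = sum(l.upper().startswith("FROM ") for l in lines) - 1
    tainted, stage, findings = {}, -1, []             # stage ref -> key paths
    for line in lines:
        words = line.split()
        op = words[0].upper()
        if op == "FROM":
            stage += 1
            paths = set(tainted.get(words[1], ()))    # inherit from a parent stage
            tainted[str(stage)] = paths               # reachable by index ...
            if len(words) >= 4 and words[2].upper() == "AS":
                tainted[words[3]] = paths             # ... and by name
            if stage == last and paths:
                findings.append(f"final stage built FROM stage holding key: {line}")
            continue
        args = [w for w in words[1:] if not w.startswith("--")]
        if op not in ("COPY", "ADD") or stage < 0 or len(args) < 2:
            continue
        *srcs, dest = args
        src_stage = next((w[7:] for w in words if w.startswith("--from=")), None)
        for src in srcs:
            if src_stage is None:                     # source is the build context
                if src not in (".", "./") and src.rstrip("/").split("/")[-1] != key:
                    continue
                as_dir = src in (".", "./") or dest.endswith("/")
                tainted[str(stage)].add(dest.rstrip("/") + "/" + key if as_dir else dest)
                if stage == last:
                    findings.append(f"key copied into final stage: {line}")
            elif stage == last:                       # source is an earlier stage
                base = src.rstrip("/") + "/"
                if any((p + "/").startswith(base) for p in tainted.get(src_stage, ())):
                    findings.append(f"key path pulled from stage {src_stage}: {line}")
    return findings
```

An empty result covers only the final image: the intermediate stage and the builder's layer cache still contain the key, so they should never be pushed to a registry.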

Public subnet

Currently, the containers are deployed in a public subnet, which means users can access the container directly with its public IP address and port number. Much to my regret, it was a huge mistake and must create vulnerabilities. But when I noticed it, there was no time left to fix it. If I had had more time, I would have implemented it in this way.

Build and Deployment

Prepare to download Runtime-Agent

  1. Generate a new SSH key that has read permission, and add it to GitHub. See more details from here and here.
  2. Copy the private SSH key to the root directory of this project.
    $ cp /path/to/private/key ./toco

Prepare AWS Resources

  1. Create AWS ECR, and modify push.sh using the commands provided on the ECR page.
  2. Create ECS TaskDefinition and Fargate Cluster.

Deploy the image

  1. Configure AWS credentials to deploy the built images to AWS ECR. See this document to configure.
  2. Run deployment script in the directory of the language you want to deploy.
    $ . push.sh