Implementation of pythonLib

The current implementation proposes the following pipeline:

  1. The lab automation process is formulated in a synthax subset of python 3.6 These processes can contain any valid python expressions and data tpyes.

  1. The execution of this script is done in a safe (=sandboxed) environment. This means that, e.g. all access to system calls (like writing to the file system) are prohibited by the sandbox environment.

  1. The script in the sandbox environment communicates with a process manager (=a python script with more execution rights) through controlled and safe channels.

  1. The process manager does the controlled execution of the code.

There are several ways to achieve a python sandbox environment, like, e.g. SECCOMP on Linux or gVisor (A bad idea would be to restrict the OS acces of the CPython libraries, as discussed here …)

A very elegant and relativly safe approach is using pypy-sandbox (in its 2nd version), since the risks of attacs is substantially reduced as explained in: Title .

Currently pypy-sandbox-2 installation is not straight forward. (This might change, when pypy-sandbox documentation will be more complete and compiled packages will be made available ). For a comprehensive guide, please refer to 1_installation_impl_ .