The hardware and bandwidth for this mirror is donated by METANET, the Webhosting and Full Service-Cloud Provider.
If you wish to report a bug, or if you are interested in having us mirror your free-software or open-source project, please feel free to contact us at mirror[@]metanet.ch.
This vignette shows how to set up “sandboxed” parallel workers with limited access to the host system.
This example sets up two parallel workers on Linux sandboxed using Bubblewrap.
library(parallelly)
bwrap_sandbox <- function(rscript = "*") {
ro_binds <- function(dirs) {
dirs <- unique(dirs[file_test("-d", dirs)])
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts
}
ro_rlibs_remap <- function(dirs = rev(rev(.libPaths())[-1])) {
dirs <- unique(dirs[file_test("-d", dirs)])
dirs2 <- sub(sprintf("^%s", Sys.getenv("HOME")), "/home/sandbox-user", dirs)
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts[seq(from = 3, to = length(opts), by = 3)] <- dirs2
opts
}
args <- c("bwrap")
## Unshares
## Note, we cannot sandbox the network (--unshare-net), because
## PSOCK clusters communicate over socket connections
unshares <- c(
"--unshare-user", # isolate user and group ids
"--unshare-pid", # isolate processes
"--proc", "/proc",
"--unshare-ipc" # isolate process communication, e.g. shared memory
)
args <- c(args, unshares)
## Misc options
opts <- c(
"--dev", "/dev", # mount host's /dev
"--tmpfs", "/tmp" # mount fresh, private, empty temporary directory
)
args <- c(args, opts)
## Read-only Linux mounts
dirs <- c("/usr", "/bin", "/usr/bin", "/lib", "/lib64", "/etc/alternatives")
## Use host's R and Rscript (by read-only mounting R home folders)
components <- c("bin", "lib", "doc", "etc", "include", "modules", "share")
r_dirs <- unname(vapply(components, FUN = R.home, FUN.VALUE = NA_character_))
r_dirs <- c(r_dirs, dirname(Sys.which("R")), dirname(Sys.which("Rscript")))
r_dirs <- c(r_dirs, rev(.libPaths())[1])
dirs <- c(dirs, r_dirs)
args <- c(args, ro_binds(dirs))
## Remap HOME to fresh, private sandboxed HOME
tmp_home <- tempfile(pattern = "sandbox-home-")
dir.create(tmp_home)
opts <- c(
"--bind", tmp_home, "/home/sandbox-user",
"--setenv", "HOME", "/home/sandbox-user",
"--chdir", "/home/sandbox-user"
)
args <- c(args, opts)
## Read-only remapped non-system R library paths
args <- c(args, ro_rlibs_remap())
c(args, rscript)
} ## bwrap_sandbox()
## Launch two parallel workers inside a Bubblewrap sandbox
cl <- makeClusterPSOCK(2L, rscript = bwrap_sandbox("*"))
print(cl)
#> Socket cluster with 2 nodes on host 'localhost' (R version 4.5.1
#> (2025-06-13), platform x86_64-pc-linux-gnu)
host_user <- Sys.info()[["user"]]
host_user
#> "alice"
worker_user <- unlist(parallel::clusterEvalQ(cl, Sys.info()[["user"]]))
worker_user
#> [1] "unknown" "unknown"
These binaries (installable software) and packages are in development.
They may not be fully stable and should be used with caution. We make no claims about them.