sandboxed-compiles.md

Sandboxed Compiles

In Server Pro, it is possible to have each LaTeX project be compiled in a separate docker container, achieving sandbox isolation between projects.

How It Works

When sandboxed compiles are enabled, the toolkit will mount the docker socket from the host into the overleaf container, so that the compiler service in the container can create new docker containers on the host. Then for each run of the compiler in each project, the LaTeX compiler service (CLSI) will do the following:

• Write out the project files to a location inside the SHARELATEX_DATA_PATH,
• Use the mounted docker socket to create a new texlive container for the compile run
• Have the texlive container read the project data from the location under SHARELATEX_DATA_PATH
• Compile the project inside the texlive container

Enabling Sibling Containers

In config/overleaf.rc, set SIBLING_CONTAINERS_ENABLED=true, and ensure that the DOCKER_SOCKET_PATH setting is set to the location of the docker socket on the host.

The next time you start the docker services (with bin/up), the overleaf container will verify that it can communicate with docker on the host machine, and will pull the texlive image it requires to create the sandboxed compile containers. This process can take several minutes, and compiles will be un-available during this time.