<div dir="ltr"><span style="font-size:small;line-height:20px">Ionel and Holger,</span><div style="font-size:small;line-height:20px"><br></div><div style="font-size:small;line-height:20px">I had considered the --box option, but it only implements process-level isolation which is not enough for my use case as I want to protect also from unrestricted filesystem read/write access. Sorry, I should have mentioned it in the question.</div><div style="font-size:small;line-height:20px"><br></div><div style="font-size:small;line-height:20px">Holger's suggestion instead looks almost good enough as user-level isolation is strong and highly customizable. The only problem is that you need administration access to the machine to create and configure a new user. I'll look into it as I've never used the --tx option.<br></div><div style="font-size:small;line-height:20px"><br></div><div style="font-size:small;line-height:20px">Thanks,</div><div style="font-size:small;line-height:20px">Alessandro</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 11 Feb 2016 at 10:44 holger krekel <<a href="mailto:holger@merlinux.eu">holger@merlinux.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Feb 11, 2016 at 11:39 +0200, Ionel Cristian Mărieș wrote:<br>
> There's the `--boxed` option (from <a href="https://pypi.python.org/pypi/pytest-xdist" rel="noreferrer" target="_blank">https://pypi.python.org/pypi/pytest-xdist</a>)<br>
> but you can easily do your own "insulator" by using fork syscall.<br>
<br>
Also one can use plain "xdist" which provides process-level isolation.<br>
It shouldn't be too hard to also use another unix user via e.g.:<br>
<br>
py.test --tx ssh=OTHERUSER@localhost --dist=each<br>
<br>
but you need to have setup rsyncing, see <a href="https://pypi.python.org/pypi/pytest-xdist" rel="noreferrer" target="_blank">https://pypi.python.org/pypi/pytest-xdist</a><br>
for some more info. The current "remote" test running is a bit limited<br>
and we plan to improve xdist distribution during the upcoming pytest sprint,<br>
see <a href="https://www.indiegogo.com/projects/python-testing-sprint-mid-2016/x/4034848#/" rel="noreferrer" target="_blank">https://www.indiegogo.com/projects/python-testing-sprint-mid-2016/x/4034848#/</a><br>
creating an issue for "user-level separation of running tests" or something<br>
similar and adding a little donation is one way to help it :)<br>
<br>
best,<br>
holger<br>
<br>
<br>
><br>
> Thanks,<br>
> -- Ionel Cristian Mărieș, <a href="http://blog.ionelmc.ro" rel="noreferrer" target="_blank">http://blog.ionelmc.ro</a><br>
><br>
> On Thu, Feb 11, 2016 at 10:33 AM, Alessandro Amici <<a href="mailto:alexamici@gmail.com" target="_blank">alexamici@gmail.com</a>><br>
> wrote:<br>
><br>
> > Hi,<br>
> ><br>
> > I asked the following question on StackOverflow first<br>
> > <a href="http://stackoverflow.com/questions/35322452" rel="noreferrer" target="_blank">http://stackoverflow.com/questions/35322452</a>, but someone quickly (and<br>
> > wrongly in my opinion) marked that as duplicate of the general "sandboxing<br>
> > in python", so I can't get answers there anymore :(<br>
> ><br>
> > Here is the question:<br>
> ><br>
> > I'm interested in executing potentially untrusted tests with pytest in<br>
> > some kind of sandbox, similarly to what continuous integration services do.<br>
> ><br>
> > I understand that to properly sandbox a python process you need OS-level<br>
> > isolation, like running the tests in a disposable chroot/container, but in<br>
> > my use case I don't need to protect against intentionally malicious code,<br>
> > only from dangerous behaviour of pairing "randomly" functions with<br>
> > arguments. So lesser strict sandboxing may still be acceptable. But I<br>
> > didn't find any plugin that enables any form of sandboxing.<br>
> ><br>
> > What is the best way to sandbox tests execution in pytest?<br>
> ><br>
> > **Update**: This question is not about [python sandboxing in general](<br>
> > <a href="http://stackoverflow.com/questions/3068139/how-can-i-sandbox-python-in-pure-python" rel="noreferrer" target="_blank">http://stackoverflow.com/questions/3068139/how-can-i-sandbox-python-in-pure-python</a>)<br>
> > as the tests' code is run by pytest and I can't change the way it is<br>
> > executed to use `exec` or `ast` or whatever. Also using pypy-sandbox is not<br>
> > an option unfortunately as it is "a prototype only" as per the [PyPy<br>
> > feature page](<a href="http://pypy.org/features.html" rel="noreferrer" target="_blank">http://pypy.org/features.html</a>).<br>
> ><br>
> > End of question.<br>
> ><br>
> > For context I'm writing a pytest plugin that lets you search installed<br>
> > modules for functions that pass the given feature-specification tests<br>
> > (still alpha):<br>
> ><br>
> > <a href="https://github.com/alexamici/pytest-wish" rel="noreferrer" target="_blank">https://github.com/alexamici/pytest-wish</a><br>
> ><br>
> > If you find the question useful and not answered already on stackoverflow,<br>
> > the best course of action would be to reopen it and answer there, but I'll<br>
> > take also an answer here :)<br>
> ><br>
> > Alessandro<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > pytest-dev mailing list<br>
> > <a href="mailto:pytest-dev@python.org" target="_blank">pytest-dev@python.org</a><br>
> > <a href="https://mail.python.org/mailman/listinfo/pytest-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/pytest-dev</a><br>
> ><br>
> ><br>
<br>
> _______________________________________________<br>
> pytest-dev mailing list<br>
> <a href="mailto:pytest-dev@python.org" target="_blank">pytest-dev@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/pytest-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/pytest-dev</a><br>
<br>
<br>
--<br>
about me: <a href="http://holgerkrekel.net/about-me/" rel="noreferrer" target="_blank">http://holgerkrekel.net/about-me/</a><br>
contracting: <a href="http://merlinux.eu" rel="noreferrer" target="_blank">http://merlinux.eu</a><br>
</blockquote></div>