Playground
Playground is an application distributed with CTFd Enterprise.
Playground is responsible for:
- Securely processing arbitrary code submitted by users and returning the output of that code
- Securely sending webhooks to their intended recipients
Playground does this by executing all arbitrary code in isolated, time-restricted containers.
Playground generally relies on the security of Docker containers (i.e. seccomp). While this isn't bulletproof, it suffices for most applications and is the basis of many similar sandboxing technologies (e.g. nsjail, firejail).
In general, while playground is secure, playground should still be treated as a compromised server and should not have significant access to any other resources.
Installation
1. Install Docker
CTFd-Enterprise is deployed using Docker. While this installer provides a Docker-Compose based setup flow, you are free to use any flow that deploys CTFd-Enterprise using its Docker image.
The install instructions for Docker can be found online at https://docs.docker.com/install/linux/docker-ce/ubuntu/
2. Login to Docker Registry & Install License Key
Follow the general CTFd Enterprise instructions for logging into the registry.ctfd.io Docker Registry and installing your License key.
3. Configure playground
Docker Socket
Playground must be able to interact with Docker and as such requires access to the docker socket. Ensure that /var/run/docker.sock is mounted in the playground Docker container.
Runner Volume
Ensure that your docker-compose specifies a runner volume similar to the following:
volumes:
  runner:
    name: runner
Then ensure that playground receives an environment variable with the name of this volume.
WORKING_RUNNER_VOLUME=runner
Temporary Directory
Create an empty folder which playground will use as scratch space to store input and output. This directory should be specified as an environment variable as well as mounted in the playground container.
For example:
environment:
  - WORKING_TEMPDIR=${PWD}/workspace
volumes:
  - ./workspace:/tmp
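A preflight check for the three configuration requirements above (docker socket, runner volume, temporary directory), as an added example that is not part of CTFd or playground. It assumes the compose file has already been parsed into a dict (for instance by a YAML loader), that the service is named `playground`, and that the scratch directory is mounted at `/tmp` as in the example above; the function names and the sample data are constructed for illustration.

```python
import posixpath

DOCKER_SOCK = "/var/run/docker.sock"

def _env(service):
    """Return the service environment as a dict (compose allows list or mapping form)."""
    env = service.get("environment") or {}
    if isinstance(env, list):
        env = dict(i.split("=", 1) if "=" in i else (i, "") for i in env)
    return {k: "" if v is None else str(v) for k, v in env.items()}

def _mounts(service):
    """Return (source, target) pairs for short-syntax 'source:target[:mode]' entries."""
    pairs = (str(e).split(":") for e in service.get("volumes") or [])
    return [(p[0], p[1]) for p in pairs if len(p) >= 2]

def _norm(path):
    # Assumption: compose is run from ${PWD}, so ${PWD}/x and ./x are the same directory.
    return posixpath.normpath(path.replace("${PWD}", ".").replace("$PWD", "."))

def check_playground(compose, service_name="playground"):
    """Return a list of problems; an empty list means all three requirements are met."""
    service = (compose.get("services") or {}).get(service_name)
    if service is None:
        return [f"service '{service_name}' not found"]
    problems, env, mounts = [], _env(service), _mounts(service)
    if not any(src == DOCKER_SOCK for src, _ in mounts):
        problems.append(f"{DOCKER_SOCK} is not mounted")
    # A top-level volume is known by its 'name' if given, otherwise by its key.
    top = compose.get("volumes") or {}
    declared = {(spec or {}).get("name", key) for key, spec in top.items()}
    runner = env.get("WORKING_RUNNER_VOLUME")
    if not runner:
        problems.append("WORKING_RUNNER_VOLUME is not set")
    elif runner not in declared:
        problems.append(f"WORKING_RUNNER_VOLUME={runner} names no declared volume")
    tempdir = env.get("WORKING_TEMPDIR")
    if not tempdir:
        problems.append("WORKING_TEMPDIR is not set")
    elif _norm(tempdir) not in [_norm(s) for s, dst in mounts if dst == "/tmp"]:
        problems.append("WORKING_TEMPDIR is not the directory mounted at /tmp")
    return problems

# Constructed sample mirroring the snippets on this page (not a shipped compose file).
SAMPLE = {"services": {"playground": {
    "environment": ["WORKING_RUNNER_VOLUME=runner", "WORKING_TEMPDIR=${PWD}/workspace"],
    "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}", "./workspace:/tmp"]}},
    "volumes": {"runner": {"name": "runner"}}}
```

Calling `check_playground(SAMPLE)` returns an empty list; a missing socket mount, a misspelled volume name, or a scratch directory that differs from the one mounted at `/tmp` each produce one entry.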
4. Run playground
If you are using the provided docker-compose.yml file you should be able to run docker-compose up and the playground image should automatically be pulled and run. By default, playground runs on port 8000; however, this can be changed as needed.
5. Update CTFd PLAYGROUND_URL
Once playground is running, update the PLAYGROUND_URL config in CTFd's config.ini to point to your deployed server (e.g. PLAYGROUND_URL=http://playground:8000).
Debug
By browsing to /debug you can access a simple debug interface which will allow you to test whether playground is functioning properly by providing some testing code.
Recommendations
We recommend running playground on its own server in isolation. Users can run sandboxed code through playground and this needs to be kept in mind whenever dealing with playground. It is possible that a user could escape the playground sandbox and the overall server should not be able to interact with anything sensitive.
We also recommend providing playground a good amount of resources relative to the number of users you expect. Since users can run arbitrary code, some users may send malicious inputs that attempt to crash the server. Playground is resistant to this kind of spam but should still have enough resources for good users to execute their payloads.
We recommend that the minimum is 4GB of RAM and a dual core CPU.