Docker Containerization for TERR Scripts
Spotfire® Enterprise Runtime for R (a/k/a TERR™) scripts that run in a container without restricted execution mode have full access to the Docker container and can do anything that is possible from within it. The level of isolation a container provides depends on the Docker installation and the privileges given to these containers.
Configuration | Description |
---|---|
TERR service host isolation | Scripts are prohibited from accessing the file system of the host computer running the service. |
User isolation | The use of engine containers ensures that the same execution environment is not re-used for multiple data functions initiated by different users. |
Network isolation | Depending on configuration, Spotfire Enterprise Runtime for R scripts can access the external network and other Docker containers that are available from within a container. In many cases, a default installation with engine containers lets scripts access the external network, including the internet, and other Docker containers. To restrict access to the network, the Docker containers must be configured to restrict network access. If network isolation is needed, the container options should not be used without `terr.restricted.execution.mode=true` or additional network configuration. |
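
The isolation properties in the table can be checked against what Docker reports for each engine container. The following is an added example, not part of the product documentation: it audits `docker inspect` output for privileged mode, bind mounts of host paths, and network mode. The container names, the sample data, and the `restricted_mode` argument (standing in for whether `terr.restricted.execution.mode=true` is set) are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/terr-engine-a",
   "HostConfig": {"NetworkMode": "bridge", "Privileged": false,
                  "Binds": ["/srv/data:/data"]},
   "Mounts": [{"Type": "bind", "Source": "/srv/data", "Destination": "/data"}]},
  {"Name": "/terr-engine-b",
   "HostConfig": {"NetworkMode": "none", "Privileged": false, "Binds": null},
   "Mounts": []}
]
""")


def audit_container(entry, restricted_mode):
    """Return isolation findings for one `docker inspect` entry.

    restricted_mode: True when terr.restricted.execution.mode=true is set.
    The caller supplies it; this function does not read any TERR configuration.
    """
    findings = []
    host = entry.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged container: host isolation is not enforced")
    for mount in entry.get("Mounts") or []:
        if mount.get("Type") == "bind":
            findings.append(f"bind mount exposes host path {mount.get('Source')}")
    mode = host.get("NetworkMode", "default")
    if mode == "host":
        findings.append("host network mode: container shares the host network stack")
    elif mode != "none" and not restricted_mode:
        # A user-defined network may still be restricted; this only flags it for review.
        findings.append(f"network mode '{mode}' without restricted execution mode: "
                        "confirm network access is restricted")
    return findings


def audit(inspect_output, restricted_mode=False):
    """Map container name to its findings for every entry in the inspect output."""
    return {(e.get("Name") or "?").lstrip("/"): audit_container(e, restricted_mode)
            for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

On a real host, the input would be the parsed JSON from `docker inspect` for the engine containers. The network check is a heuristic and does not prove that a custom network blocks external access.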