Process Management

RStudio Package Manager executes R to build packages for Git sources. Use the Server.RVersion setting to specify the R installation. See the section on Building R Packages for details on installing and configuring R.

Since R processes can execute arbitrary code and commands, RStudio Package Manager prefers to run R in a sandbox.

Quick Start

This section walks you through the scenarios you are likely to encounter and helps you quickly decide how to configure RStudio Package Manager for building R packages from Git sources.

No Git Sources

If you are not using Git sources, you do not need to worry about sandboxing.

For Git Sources

If you are using Git sources, then:

Built-in OS Support

If your operating system is configured for user namespace sandboxing, you will see a message like this in /var/log/rstudio-pm.log at startup:

Attempting to detect R version in a user namespace sandbox.
Detected R version <version> at /path/to/R

If you see the above messages, no further action is required.

No built-in OS Support

If your operating system does not support user namespaces, you will see a message like this in /var/log/rstudio-pm.log at startup:

Warning: Unable to use R on this system. Building Git packages will be disabled.

If you see the above message, choose one of the following:

  • If you are using CentOS / RedHat 7-8, enable user name spaces by following the instructions in the Enable User Namespaces section,
  • Change RStudio Package Manager to run as root by following the instructions in the Changing RunAs User section, or
  • Use the configuration setting Git.AllowUnsandboxedGitBuilds = true to run R processes without a sandbox.

If you choose to enable user namespaces on CentOS / RedHat 7-8, you should see this message at startup:

Attempting to detect R version in a user namespace sandbox.
Detected R version <version> at /path/to/R

If you choose to run RStudio Package Manager as root or use the Git.AllowUnsandboxedGitBuilds configuration setting, then you should see this message at startup:

Attempting to detect R version in a call to rsandbox
Detected R version <version> at /path/to/R

Sandboxing

RStudio Package Manager prefers to run R in a sandbox. RStudio Package Manager can run R processes in three different environments:

  1. User Namespace Sandbox - When RStudio Package Manager is running under an unprivileged service account (by default, the rstudio-pm user), it attempts to run R in a user namespace.
  2. Unshare Sandbox - When RStudio Package Manager is running as the root user, it runs R processes as an unprivileged user and uses unshare to create sandboxes for the R processes.
  3. No Sandbox - If neither user namespace or unshare sandboxing is available, you can configure Git.AllowUnsandboxedGitBuilds = true to allow R processes to run without a sandbox. This is insecure, should only be used when you implicitly trust the sources of all R packages that will be built.

The three environments above are described in more detail below.

User Namespace Sandbox (the default)

User namespaces are supported as follows. See the User Namespace Support section for details.

  • Fully Supported on Ubuntu, openSUSE/SLES
  • Supported with System Configuration on CentOS/Red Hat 7-8
  • Unsupported on CentOS/Red Hat 6
  • Varies by Kernel in Docker containers

The RStudio Package Manager process runs as the rstudio-pm user and runs R securely in a new user namespace. When using a user namespace, parts of the file system are hidden from the R process, and certain OS features are isolated in new namespaces. For details on the file system isolation, see the Bind Mounts section.

You can learn more about cloning namespaces here, and you can learn about the Linux user namespace here. Your local man pages will document their behavior specific to your system.

See the Bind Mounts section for information on the bind mounts that are used.

Unshare Sandbox

When the RStudio Package Manager process runs as the root user, R processes are securely invoked as an unprivileged user, rstudio-pm by default.

The "unshare" environment created for R execution involves first establishing a number of bind mounts and then switching to the target unprivileged user. The RStudio Job Launcher uses unshare to alter the execution context available to R processes. Within this newly established environment, a number of mount calls are made in order to hide or isolate parts of the filesystem.

To configure the RStudio Package Manager process to run as root, please see the Changing RunAs User section.

See the Bind Mounts section for information on the bind mounts that are used.

You can learn more about unshare here. The mount call is detailed here. Your local man pages will document their behavior specific to your system.

No Sandbox

If your operating system does not support user namespaces (see the User Namespace Support section) and you cannot run the RStudio Package Manager service as root, then you cannot isolate R processes from the rest of the system. However, you can configure the Git.AllowUnsandboxedGitBuilds = true setting to allow R processes to run without a sandbox. This can be a security risk, and you should only use the Git.AllowUnsandboxedGitBuilds = true setting if you trust the sources of the R packages that will be tracked from Git. The setting does not impact other sources such as CRAN packages.

Bind Mounts

When sandboxing is supported, the following locations are masked during R execution:

  • The Server.DataDir directory containing all variable data used by RStudio Package Manager.
  • The SQLite.Dir directory, which can optionally be placed outside the data directory.
  • The Git.BuilderDir directory, which can optionally be placed outside the data directory
  • Configuration directories, including /etc/rstudio-pm.
  • The Server.SockFileDir, which contains the domain socket used by the rspm CLI to communicate with the RStudio Package Manager service. This directory defaults to /var/run/rstudio-pm.
  • The bin directory (usually /opt/rstudio-pm/bin) that contains the RStudio Package Manager binaries.
  • Any persistent storage directories that are defined outside of the Server.DataDir directory. These locations are configured with FileStorage.Location configuration settings, and are not used by default.
  • The Server.TempDir/rspm-workspaces directory, which contains temporary directories, one per process.

The following information is exposed during R execution:

  • The Git repository source directory when building an R package from a Git source.
  • The R package build destination directory when building an R package for a Git source.
  • A per-process temporary directory specified in the TMPDIR environment variable of the process. This temporary directory is created under Server.TempDir/rspm-workspaces.

Running R processes have write access to the directory containing the unpackaged R code. Data written here will be visible to all processes running under the RStudio Package Manager service account, but are not visible to other R processes started by RStudio Package Manager when these processes run in a sandbox.

Temporary Directory

Each R process started by RStudio Package Manager is given its own unique temporary directory. These directories are created under Server.TempDir/rspm-workspaces.

Server.TempDir's default value is obtained by first checking the TMPDIR environment variable for a path and falls back to /tmp otherwise.

You may wish to override Server.TempDir if the default temporary directory has too little space or is mounted with the noexec option.

Note: If you do override Server.TempDir please ensure the location can be reached by, read from, and written to by any user on the system. On most systems, temporary directories typically have permissions of 1777.

You can learn more about the noexec option here.

User Namespace Support

Ubuntu, openSUSE/SLES

User namespace sandboxing is fully supported by Ubuntu and openSUSE/SLES.

CentOS 6, Red Hat 6

CentOS/Red Hat 6 does not support user namespaces. If you wish to securely run R processes on CentOS/Red Hat 6, consider running RStudio Package Manager as root. See the root sandbox section for details.

CentOS 7-8, Red Hat 7-8

CentOS/Red Hat 7-8 supports user namespaces, but they must be enabled. To see if user namespace support is enabled, run cat /proc/sys/user/max_user_namespaces. If a value greater than 0 (zero) is returned, user namespace support is enabled.

To enable user namespace support permanently on CentOS/Red Hat 7-8, edit /etc/sysctl.d/files.conf with a change similar to the following. This change will be effective when the server is rebooted.

# /etc/sysctl.d/files.conf
user.max_user_namespaces=15000

You can temporarily enable user namespace support by simply echoing a new value to /proc/sys/user/max_user_namespaces. For example:

echo 1000 > /proc/sys/user/max_user_namespaces

Docker

User namespace support is a feature of Linux kernel version 3.8 and greater. If you are running RStudio Package Manager in a Docker environment, user namespace support will depend upon the kernel of the host operating system.

Some of the sandbox operations, like bind mounting, require capabilities that are only available in privileged Docker processes. You must start the container with the --privileged option if you wish to use R process sandboxing in a Docker environment.

If you prefer to run without the --privileged flag, you can do so by setting Git.AllowUnsandboxedGitBuilds = true.

User Account for Processes

The RStudio Package Manager installation creates a local rstudio-pm user account. This account runs all R processes even if you have reconfigured RStudio Package Manager to run as root. If you would like a different user to run R processes, customize the Launcher.ServerUser property. If you reconfigure RStudio Package Manager to run under a different unprivileged account, then R processes will automatically run under that account, as well.