Nothing
vignettes/parallelly-25-sandbox-workers.md
In parallelly: Enhancing the 'parallel' Package
Introduction
This vignette shows how to set up "sandboxed" parallel workers with
limited access to the host system.
Examples
Example: Bubblewrap on Linux
This example sets up two parallel workers on Linux sandboxed using
Bubblewrap.
library(parallelly)
bwrap_sandbox <- function(rscript = "*") {
ro_binds <- function(dirs) {
dirs <- unique(dirs[file_test("-d", dirs)])
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts
}
ro_rlibs_remap <- function(dirs = rev(rev(.libPaths())[-1])) {
dirs <- unique(dirs[file_test("-d", dirs)])
dirs2 <- sub(sprintf("^%s", Sys.getenv("HOME")), "/home/sandbox-user", dirs)
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts[seq(from = 3, to = length(opts), by = 3)] <- dirs2
opts
}
args <- c("bwrap")
## Unshares
## Note, we cannot sandbox the network (--unshare-net), because
## PSOCK clusters communicate over socket connections
unshares <- c(
"--unshare-user", # isolate user and group ids
"--unshare-pid", # isolate processes
"--proc", "/proc",
"--unshare-ipc" # isolate process communication, e.g. shared memory
)
args <- c(args, unshares)
## Misc options
opts <- c(
"--dev", "/dev", # mount host's /dev
"--tmpfs", "/tmp" # mount fresh, private, empty temporary directory
)
args <- c(args, opts)
## Read-only Linux mounts
dirs <- c("/usr", "/bin", "/usr/bin", "/lib", "/lib64", "/etc/alternatives")
## Use host's R and Rscript (by read-only mounting R home folders)
components <- c("bin", "lib", "doc", "etc", "include", "modules", "share")
r_dirs <- unname(vapply(components, FUN = R.home, FUN.VALUE = NA_character_))
r_dirs <- c(r_dirs, dirname(Sys.which("R")), dirname(Sys.which("Rscript")))
r_dirs <- c(r_dirs, rev(.libPaths())[1])
dirs <- c(dirs, r_dirs)
args <- c(args, ro_binds(dirs))
## Remap HOME to fresh, private sandboxed HOME
tmp_home <- tempfile(pattern = "sandbox-home-")
dir.create(tmp_home)
opts <- c(
"--bind", tmp_home, "/home/sandbox-user",
"--setenv", "HOME", "/home/sandbox-user",
"--chdir", "/home/sandbox-user"
)
args <- c(args, opts)
## Read-only remapped non-system R library paths
args <- c(args, ro_rlibs_remap())
c(args, rscript)
} ## bwrap_sandbox()
## Launch two parallel workers inside a Bubblewrap sandbox
cl <- makeClusterPSOCK(2L, rscript = bwrap_sandbox("*"))
print(cl)
#> Socket cluster with 2 nodes on host 'localhost' (R version 4.5.1
#> (2025-06-13), platform x86_64-pc-linux-gnu)
host_user <- Sys.info()[["user"]]
host_user
#> "alice"
worker_user <- unlist(parallel::clusterEvalQ(cl, Sys.info()[["user"]]))
worker_user
#> [1] "unknown" "unknown"
Try the parallelly package in your browser
Any scripts or data that you put into this service are public.
parallelly documentation built on Dec. 18, 2025, 5:08 p.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Introduction
This vignette shows how to set up "sandboxed" parallel workers with limited access to the host system.
Examples
Example: Bubblewrap on Linux
This example sets up two parallel workers on Linux sandboxed using Bubblewrap.
library(parallelly)
bwrap_sandbox <- function(rscript = "*") {
ro_binds <- function(dirs) {
dirs <- unique(dirs[file_test("-d", dirs)])
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts
}
ro_rlibs_remap <- function(dirs = rev(rev(.libPaths())[-1])) {
dirs <- unique(dirs[file_test("-d", dirs)])
dirs2 <- sub(sprintf("^%s", Sys.getenv("HOME")), "/home/sandbox-user", dirs)
opts <- rep(dirs, each = 3L)
opts[seq(from = 1, to = length(opts), by = 3)] <- "--ro-bind"
opts[seq(from = 3, to = length(opts), by = 3)] <- dirs2
opts
}
args <- c("bwrap")
## Unshares
## Note, we cannot sandbox the network (--unshare-net), because
## PSOCK clusters communicate over socket connections
unshares <- c(
"--unshare-user", # isolate user and group ids
"--unshare-pid", # isolate processes
"--proc", "/proc",
"--unshare-ipc" # isolate process communication, e.g. shared memory
)
args <- c(args, unshares)
## Misc options
opts <- c(
"--dev", "/dev", # mount host's /dev
"--tmpfs", "/tmp" # mount fresh, private, empty temporary directory
)
args <- c(args, opts)
## Read-only Linux mounts
dirs <- c("/usr", "/bin", "/usr/bin", "/lib", "/lib64", "/etc/alternatives")
## Use host's R and Rscript (by read-only mounting R home folders)
components <- c("bin", "lib", "doc", "etc", "include", "modules", "share")
r_dirs <- unname(vapply(components, FUN = R.home, FUN.VALUE = NA_character_))
r_dirs <- c(r_dirs, dirname(Sys.which("R")), dirname(Sys.which("Rscript")))
r_dirs <- c(r_dirs, rev(.libPaths())[1])
dirs <- c(dirs, r_dirs)
args <- c(args, ro_binds(dirs))
## Remap HOME to fresh, private sandboxed HOME
tmp_home <- tempfile(pattern = "sandbox-home-")
dir.create(tmp_home)
opts <- c(
"--bind", tmp_home, "/home/sandbox-user",
"--setenv", "HOME", "/home/sandbox-user",
"--chdir", "/home/sandbox-user"
)
args <- c(args, opts)
## Read-only remapped non-system R library paths
args <- c(args, ro_rlibs_remap())
c(args, rscript)
} ## bwrap_sandbox()
## Launch two parallel workers inside a Bubblewrap sandbox
cl <- makeClusterPSOCK(2L, rscript = bwrap_sandbox("*"))
print(cl)
#> Socket cluster with 2 nodes on host 'localhost' (R version 4.5.1
#> (2025-06-13), platform x86_64-pc-linux-gnu)
host_user <- Sys.info()[["user"]]
host_user
#> "alice"
worker_user <- unlist(parallel::clusterEvalQ(cl, Sys.info()[["user"]]))
worker_user
#> [1] "unknown" "unknown"
Try the parallelly package in your browser
Any scripts or data that you put into this service are public.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.