
Support running executables in Docker containers (namely PlantUML) #50

Open
mfhepp opened this issue Aug 18, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@mfhepp

mfhepp commented Aug 18, 2022

Hi,
the diversity of the executables used makes it quite a security concern, as they all have full-disk and network access.

Now, an effective mitigation would be to put the executables like PlantUML into a Docker container with limited privileges and run it from there, as e.g. PlantUML should not need anything beyond read access to the working directory and write access to the plots output directory.

I will be happy to work on a Dockerfile for PlantUML, but before doing so, I need to know how pandoc-plot invokes PlantUML and others.

  • Do you send the figure source code via stdout/stdin to the process?
  • Or do you create a temporary file of the image source?
  • If so, do you pass an absolute path, or a relative path for the source and the target locations?

This will be important to configure the Dockerfile so that it has access to the input and sufficient rights to create the output.

If you could post an example of how the entire command line for a figure would look for PlantUML, that would be good.

Like so:

java -jar plantuml.jar plot323232.source -o plots/plot323232.png

Relative paths would be best. stdout/stdin would be ideal.

Then, an updated version of this Dockerfile would do the trick:

@mfhepp
Author

mfhepp commented Aug 19, 2022

Cross-referencing #51

@LaurentRDC
Owner

See my answer in #51 as to what command is run.

As described there, I've been thinking about making the command that pandoc-plot runs completely customizable by the users. For example, the configuration might look like:

plantuml:
    command: $exe -jar plantuml.jar -t$png -output $outfile $infile

and the user could change it to whatever they want. Someone else will have to do this as I don't have time these days.
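A wrapper along those lines, added here as an example and not pandoc-plot's own code: it stands in for the $exe of a command template like the one above and builds a docker run invocation that mounts the working directory read-only, mounts only the output directory writable, disables networking and drops all capabilities. The image name plantuml-sandbox:latest, the jar location /opt/plantuml.jar and the requirement that $outfile live in a subdirectory of the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not pandoc-plot's own code). Assumptions: pandoc-plot is run
# from the document's working directory, $infile and $outfile are relative
# paths below it, and a hypothetical image "plantuml-sandbox:latest" ships
# Java with PlantUML at /opt/plantuml.jar.

# Accept only a relative path that stays inside the working directory, so the
# container can never be pointed at files outside the read-only bind mount.
sandbox_rel_path() {
    case "$1" in
        ""|/*|*..*)
            echo "refusing path outside working directory: '$1'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Build the docker command line for one PlantUML run and print it one argument
# per line, so a caller can inspect it or execute it with xargs/eval.
# The working directory is mounted read-only at /work; only the directory that
# holds $outfile is mounted read-write; there is no network, all capabilities
# are dropped and the root filesystem is read-only apart from a tmpfs /tmp.
build_plantuml_cmd() {
    infile=$(sandbox_rel_path "$1") || return 1
    outfile=$(sandbox_rel_path "$2") || return 1
    outdir=$(dirname "$outfile")
    # Writing into the working directory itself would require mounting all of
    # it read-write, which defeats the point; insist on a subdirectory.
    if [ "$outdir" = "." ]; then
        echo "output file must be in a subdirectory, got '$outfile'" >&2
        return 1
    fi
    printf '%s\n' docker run --rm \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp -e HOME=/tmp \
        --user "$(id -u):$(id -g)" \
        -v "$PWD:/work:ro" \
        -v "$PWD/$outdir:/work/$outdir:rw" \
        -w /work \
        plantuml-sandbox:latest \
        java -jar /opt/plantuml.jar -tpng -output "/work/$outdir" "$infile"
}
```

Because PlantUML's -output option takes a directory, the wrapper passes the directory of $outfile rather than the file itself, which also determines the single read-write mount.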

@LaurentRDC LaurentRDC added the enhancement New feature or request label Aug 30, 2022
@mgajda
Contributor

mgajda commented Sep 12, 2023

@mfhepp If you have a command line that runs it within a Docker container, it would perhaps be useful to add to the documentation?
