Configuration

Faber can be configured through multiple methods with a hierarchical precedence system. Configuration sources are loaded in the following order (later sources override earlier ones):

Default configuration (built-in)
Configuration file
Environment variables
Command-line arguments

Configuration File

The default configuration file is config/config.yaml. You can specify a different file using the --config flag.

Example Configuration

server:
  host: '127.0.0.1'
  port: 8080
  enable_swagger: true
  graceful_shutdown: true

auth:
  api_key: 'your-secret-key-here'
  open_mode: false
  required: true

security:
  default_security_level: 'medium'
  seccomp:
    enabled: true
    level: 'medium'
  capabilities:
    drop_all: true
    allowed: []

resource_limits:
  default:
    memory_limit: 536870912 # 512MB
    cpu_time_limit: 30000000000 # 30 seconds
    wall_time_limit: 60000000000 # 60 seconds
    max_processes: 10
    max_file_descriptors: 100
    max_output_size: 1048576 # 1MB

logging:
  level: 'info'
  format: 'json'
  file: null
  debug: false

sandbox:
  namespaces:
    pid: true
    mount: true
    network: true
    ipc: true
    uts: true
    user: true
    time: true
    cgroup: true

  filesystem:
    read_only: true
    tmpfs_size: 104857600 # 100MB
    allowed_paths: []
    blocked_paths: ['/proc', '/sys', '/dev']

Environment Variables

All configuration options can be set via environment variables with the FABER_ prefix:

# Server configuration
export FABER_SERVER_HOST=0.0.0.0
export FABER_SERVER_PORT=9000
export FABER_SERVER_ENABLE_SWAGGER=true

# Authentication
export FABER_AUTH_API_KEY=your-secret-key
export FABER_AUTH_OPEN_MODE=false

# Security
export FABER_SECURITY_DEFAULT_SECURITY_LEVEL=high
export FABER_SECURITY_SECCOMP_ENABLED=true

# Resource limits
export FABER_RESOURCE_LIMITS_DEFAULT_MEMORY_LIMIT=1073741824  # 1GB
export FABER_RESOURCE_LIMITS_DEFAULT_CPU_TIME_LIMIT=60000000000  # 60 seconds

# Logging
export FABER_LOGGING_LEVEL=debug
export FABER_LOGGING_FORMAT=json

Command-Line Arguments

The CLI provides various options for configuration:

# Basic server options
faber serve --host 0.0.0.0 --port 9000

# Configuration file
faber serve --config /path/to/config.yaml

# Debug mode
faber serve --debug --log-level debug

# Open mode (no authentication)
faber serve --open-mode

# Custom API key
faber serve --api-key your-custom-key

Configuration Validation

Validate your configuration before starting the server:

# Validate default configuration
faber validate

# Validate specific configuration file
faber validate /path/to/config.yaml

# Show current configuration
faber config

# Show default configuration
faber config --default

Security Configuration

Security Levels

Faber supports three security levels:

low: Minimal restrictions, suitable for trusted environments
medium: Balanced security and functionality (default)
high: Maximum security restrictions

Seccomp Configuration

Seccomp (Secure Computing Mode) provides system call filtering:

security:
  seccomp:
    enabled: true
    level: 'medium' # low, medium, high

Namespace Configuration

Control which Linux namespaces are used for isolation:

sandbox:
  namespaces:
    pid: true # Process isolation
    mount: true # Filesystem isolation
    network: true # Network isolation
    ipc: true # IPC isolation
    uts: true # Hostname isolation
    user: true # User ID isolation
    time: true # Time isolation
    cgroup: true # Resource control

Resource Limits

Configure default resource limits for task execution:

resource_limits:
  default:
    memory_limit: 536870912 # 512MB in bytes
    cpu_time_limit: 30000000000 # 30 seconds in nanoseconds
    wall_time_limit: 60000000000 # 60 seconds in nanoseconds
    max_processes: 10 # Maximum number of processes
    max_file_descriptors: 100 # Maximum file descriptors
    max_output_size: 1048576 # 1MB output limit

Per-Task Limits

You can also specify limits per task via the API:

{
  "tasks": [
    {
      "command": "python",
      "args": ["script.py"],
      "resource_limits": {
        "memory_limit": 1073741824, // 1GB
        "cpu_time_limit": 60000000000, // 60 seconds
        "max_processes": 5
      }
    }
  ]
}

Logging Configuration

Configure logging behavior:

logging:
  level: 'info' # debug, info, warn, error
  format: 'json' # json, text
  file: '/var/log/faber.log' # null for stdout
  debug: false

Filesystem Configuration

Control filesystem access and restrictions:

sandbox:
  filesystem:
    read_only: true
    tmpfs_size: 104857600 # 100MB tmpfs
    allowed_paths: ['/tmp', '/var/tmp']
    blocked_paths: ['/proc', '/sys', '/dev', '/boot']

Best Practices

Use strong API keys: Generate cryptographically secure API keys
Enable seccomp: Always enable seccomp filtering for production
Set appropriate limits: Configure resource limits based on your use case
Use HTTPS: In production, use a reverse proxy with HTTPS
Monitor logs: Enable structured logging for better observability
Regular updates: Keep Faber updated for security patches

Configuration Examples

Development Configuration

server:
  host: '127.0.0.1'
  port: 8080
  enable_swagger: true

auth:
  open_mode: true

logging:
  level: 'debug'
  format: 'text'

resource_limits:
  default:
    memory_limit: 1073741824 # 1GB
    cpu_time_limit: 60000000000 # 60 seconds

Production Configuration

server:
  host: '0.0.0.0'
  port: 8080
  enable_swagger: false

auth:
  api_key: 'your-production-api-key'
  open_mode: false

security:
  default_security_level: 'high'
  seccomp:
    enabled: true
    level: 'high'

logging:
  level: 'info'
  format: 'json'
  file: '/var/log/faber.log'

resource_limits:
  default:
    memory_limit: 268435456 # 256MB
    cpu_time_limit: 30000000000 # 30 seconds
    max_processes: 5