Sandboxed Compiles: support configurable texlive image root via env var

services/clsi/README.md

@@ -29,7 +29,7 @@ The CLSI can be configured through the following environment variables:
 - `PROCESS_LIFE_SPAN_LIMIT_MS` - Process life span limit in milliseconds
 - `SMOKE_TEST` - Whether to run smoke tests
 - `TEXLIVE_IMAGE` - The TeX Live Docker image to use for sibling containers, e.g. `us-east1-docker.pkg.dev/overleaf-ops/ol-docker/texlive-full:2025.1`
-- `TEX_LIVE_IMAGE_NAME_OVERRIDE` - The name of the registry for the Docker image e.g. `us-east1-docker.pkg.dev/overleaf-ops/ol-docker`
+- `TEX_LIVE_DOCKER_IMAGE_ROOT` - The name of the registry for the Docker image e.g. `us-east1-docker.pkg.dev/overleaf-ops/ol-docker`
 - `TEXLIVE_IMAGE_USER` - When using sibling containers, the user to run as in the TeX Live image. Defaults to `tex`
 - `TEXLIVE_OPENOUT_ANY` - Sets the `openout_any` environment variable for TeX Live (see the `\openout` primitive [documentation](http://tug.org/texinfohtml/web2c.html#tex-invocation))
 

services/clsi/app/js/CompileController.js

@@ -138,7 +138,7 @@ function compile(req, res, next) {
                   compiler: request.compiler,
                   draft: request.draft,
                   imageName: request.imageName
-                    ? request.imageName
+                    ? Path.basename(request.imageName)
                     : undefined,
                   rootResourcePath: request.rootResourcePath,
                   stopOnFirstError: request.stopOnFirstError,

services/clsi/app/js/DockerRunner.js

@@ -41,8 +41,8 @@ const DockerRunner = {
     }
 
     if (Settings.texliveImageNameOveride != null) {
-      const img = image.split('/')
-      image = `${Settings.texliveImageNameOveride}/${img[2]}`
+      const img = Path.basename(image)
+      image = `${Settings.texliveImageNameOveride}/${img}`
     }
 
     if (compileGroup === 'synctex-output') {
@@ -238,6 +238,7 @@ const DockerRunner = {
     const match = image.match(/:([0-9]+)\.[0-9]+|:TL([0-9]+)/)
     // the rolling build does not follow our <year>.<version>.<patch> convention
     const year = match ? match[1] || match[2] : 'rolling'
+
     env.PATH = `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/texlive/${year}/bin/x86_64-linux/`
     const options = {
       Cmd: command,

services/clsi/buildscript.txt

@@ -1,7 +1,7 @@
 clsi
 --data-dirs=cache,compiles,output
 --dependencies=
---env-add=DOWNLOAD_HOST=http://clsi-nginx:8080,ALLOWED_COMPILE_GROUPS=clsi-perf simple-latex-file,ENABLE_PDF_CACHING=true,PDF_CACHING_ENABLE_WORKER_POOL=true,ALLOWED_IMAGES=quay.io/sharelatex/texlive-full:2017.1 quay.io/sharelatex/texlive-full:2025.1 quay.io/sharelatex/pandoc:3.9,TEXLIVE_IMAGE=quay.io/sharelatex/texlive-full:2025.1,TEX_LIVE_IMAGE_NAME_OVERRIDE=us-east1-docker.pkg.dev/overleaf-ops/ol-docker,TEXLIVE_IMAGE_USER=tex,SANDBOXED_COMPILES=true,SANDBOXED_COMPILES_HOST_DIR_COMPILES=$PWD/compiles,SANDBOXED_COMPILES_HOST_DIR_OUTPUT=$PWD/output,ENABLE_PANDOC_CONVERSIONS=true
+--env-add=DOWNLOAD_HOST=http://clsi-nginx:8080,ALLOWED_COMPILE_GROUPS=clsi-perf simple-latex-file,ENABLE_PDF_CACHING=true,PDF_CACHING_ENABLE_WORKER_POOL=true,ALLOWED_IMAGES=quay.io/sharelatex/texlive-full:2017.1 quay.io/sharelatex/texlive-full:2025.1 quay.io/sharelatex/pandoc:3.9,TEXLIVE_IMAGE=quay.io/sharelatex/texlive-full:2025.1,TEX_LIVE_DOCKER_IMAGE_ROOT=us-east1-docker.pkg.dev/overleaf-ops/ol-docker,TEXLIVE_IMAGE_USER=tex,SANDBOXED_COMPILES=true,SANDBOXED_COMPILES_HOST_DIR_COMPILES=$PWD/compiles,SANDBOXED_COMPILES_HOST_DIR_OUTPUT=$PWD/output,ENABLE_PANDOC_CONVERSIONS=true
 --env-pass-through=
 --esmock-loader=False
 --node-version=24.14.1

services/clsi/config/settings.defaults.cjs

@@ -86,7 +86,7 @@ module.exports = {
   parallelFileDownloads:
     parseInt(process.env.FILESTORE_PARALLEL_FILE_DOWNLOADS, 10) || 1,
   filestoreDomainOveride: process.env.FILESTORE_DOMAIN_OVERRIDE,
-  texliveImageNameOveride: process.env.TEX_LIVE_IMAGE_NAME_OVERRIDE,
+  texliveImageNameOveride: process.env.TEX_LIVE_DOCKER_IMAGE_ROOT,
   texliveOpenoutAny: process.env.TEXLIVE_OPENOUT_ANY,
   texliveMaxPrintLine: process.env.TEXLIVE_MAX_PRINT_LINE,
   enablePdfCaching: process.env.ENABLE_PDF_CACHING === 'true',

services/clsi/docker-compose.ci.yml

@@ -32,7 +32,7 @@ services:
       PDF_CACHING_ENABLE_WORKER_POOL: true
       ALLOWED_IMAGES: quay.io/sharelatex/texlive-full:2017.1 quay.io/sharelatex/texlive-full:2025.1 quay.io/sharelatex/pandoc:3.9
       TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2025.1
-      TEX_LIVE_IMAGE_NAME_OVERRIDE: us-east1-docker.pkg.dev/overleaf-ops/ol-docker
+      TEX_LIVE_DOCKER_IMAGE_ROOT: us-east1-docker.pkg.dev/overleaf-ops/ol-docker
       TEXLIVE_IMAGE_USER: tex
       SANDBOXED_COMPILES: true
       SANDBOXED_COMPILES_HOST_DIR_COMPILES: $PWD/compiles

services/clsi/docker-compose.yml

@@ -55,7 +55,7 @@ services:
       PDF_CACHING_ENABLE_WORKER_POOL: true
       ALLOWED_IMAGES: quay.io/sharelatex/texlive-full:2017.1 quay.io/sharelatex/texlive-full:2025.1 quay.io/sharelatex/pandoc:3.9
       TEXLIVE_IMAGE: quay.io/sharelatex/texlive-full:2025.1
-      TEX_LIVE_IMAGE_NAME_OVERRIDE: us-east1-docker.pkg.dev/overleaf-ops/ol-docker
+      TEX_LIVE_DOCKER_IMAGE_ROOT: us-east1-docker.pkg.dev/overleaf-ops/ol-docker
       TEXLIVE_IMAGE_USER: tex
       SANDBOXED_COMPILES: true
       SANDBOXED_COMPILES_HOST_DIR_COMPILES: $PWD/compiles

services/web/app/src/Features/Project/ProjectOptionsHandler.mjs

@@ -46,7 +46,7 @@ const ProjectOptionsHandler = {
     if (!isAllowed) {
       throw new OError('invalid imageName', { imageName })
     }
-    return settings.imageRoot + '/' + imageName
+    return imageName
   },
 
   async setImageName(projectId, imageName) {

services/web/modules/sandboxed-compiles/index.mjs

@@ -20,3 +20,6 @@ if (process.env.SANDBOXED_COMPILES === 'true') {
   }
   Settings.currentImageName = process.env.TEX_LIVE_DOCKER_IMAGE
 }
+
+const SandboxedCompilesModule = {}
+export default SandboxedCompilesModule