Miner Guide
Security & Safety — Miners
Understanding how jobs are sandboxed and what developers can/can’t do keeps your system safe.
The Sandbox
Every job runs in an isolated sandbox. Jobs can’t:
- Access your filesystem (except a temporary work directory)
- Access your network or other machines
- Access other jobs’ data
- Use more resources than advertised
- Break out of the sandbox
Think of it like a secure container. Developers submit code, it runs in isolation, results are returned.
What Jobs Can Do
Allowed Operations
- CPU computation — Math, algorithms, data processing
- Memory allocation — Use the advertised RAM
- Temporary files — Write to
/tmpor work directory (cleaned up after) - Read stdin — Accept input from developers
- Write stdout — Return results to developers
- Standard libraries — Use pre-installed packages (Python, Node.js, Go, etc.)
Example allowed job:
Write Python code that takes a CSV file content as input and returns a JSON summary (row count, column names, data types).
This is safe because it’s a pure computation with no system access.
Not Allowed Operations
- Filesystem access — Can’t read
/etc,/home, your files - Network access — Can’t connect to external APIs or services
- Process spawning — Can’t start other applications
- System calls — Can’t modify system settings
- Device access — Can’t access GPU, USB, etc. (GPU is exposed separately)
- Installing packages — Can’t run
pip installornpm install
Jobs that try forbidden operations will fail with a sandbox violation.
Resource Limits
Jobs are constrained by your advertised resources:
CPU: Can’t use more cores than you advertised Memory: Process is killed if it exceeds limit Disk: Can’t write more than the quota Timeout: Killed if execution exceeds timeout
Example:
- You advertise 4 cores, 8GB RAM
- Job tries to allocate 16GB RAM
- Killed immediately, you’re not charged for the failure
Isolation Models
Native Sandbox (Default)
Jobs run in native Linux containers with:
- Isolated filesystem
- Resource cgroups (CPU, memory limits)
- No network access
- No privileged syscalls
Pros: Fast, efficient Cons: Depends on OS
Docker Sandbox
Jobs run in Docker containers with:
- Full container isolation
- Network disabled
- Resource limits enforced
- Better security guarantees
Pros: Most secure, portable Cons: Slower than native
Enable Docker:
swarmient-daemon start --sandbox docker
Your System Safety
Filesystem Protection
Jobs can’t access:
/root (your home directory)
/home (other users' home directories)
/etc (system configuration)
/var (system logs, data)
/sys, /proc (kernel interfaces)
Jobs get a temporary work directory:
/work/job_abc123/
This directory is deleted after the job completes.
Network Protection
Jobs can’t:
- Connect to external IPs
- Access localhost (127.0.0.1)
- Bind to ports
- Send DNS queries
Your miner can access the network—jobs can’t. This prevents data exfiltration.
Process Isolation
Each job runs as a separate process with:
- Its own user ID (not your account)
- No access to other processes
- No ability to spawn privileged processes
- Automatic cleanup on termination
Memory Protection
Job memory is protected:
- Allocated from a separate memory region
- Can’t access other processes’ memory
- Released when job terminates
- Out-of-memory jobs are killed cleanly
Cryptographic Verification
Every job result is cryptographically signed:
- Developer submits job
- Your miner executes it
- You sign the result with your private key
- Developer verifies the signature
Why this matters: Developers can verify that you actually executed the job. This prevents:
- False claims of execution
- Result tampering
- Impersonation
Your private key is sacred:
chmod 600 ~/.swarmient/miner.json
Never share it. If compromised:
swarmient-daemon keygen --output ~/.swarmient/miner.json
swarmient-daemon update-key # Register new public key
Best Practices
1. Keep Your Daemon Updated
New versions include security patches:
brew upgrade swarmient-daemon # macOS
sudo apt-get upgrade swarmient-daemon # Linux
Check for updates weekly.
2. Run as a Service
Run with minimal privileges:
sudo swarmient-daemon install-service \
--keyfile ~/.swarmient/miner.json
Don’t run as root. The service runs with appropriate privileges.
3. Secure Your Keys
Protect your miner keys:
chmod 600 ~/.swarmient/miner.json
chmod 700 ~/.swarmient/
Backup your keys:
cp ~/.swarmient/miner.json ~/backup/miner.json
chmod 600 ~/backup/miner.json
Never commit to version control:
# .gitignore
~/.swarmient/miner.json
4. Monitor Resource Usage
Watch for runaway processes:
swarmient-daemon monitor
Shows CPU, memory, disk usage in real-time.
5. Use a Separate Disk for Jobs
Store job data on a separate partition to avoid filling your OS disk:
swarmient-daemon start --data-dir /mnt/data/swarmient
6. Enable Firewall
Restrict outbound traffic to Swarmient servers only:
- Outbound to
api.swarmient.com:443✓ - Outbound to other IPs ✗
7. Check System Integrity
Verify daemon hasn’t been tampered with:
swarmient-daemon verify-signature
Should report “OK”.
Sandbox Escape Prevention
Swarmient uses multiple layers to prevent sandbox escapes:
- Filesystem isolation — Jobs only see their work directory
- User isolation — Jobs run as unprivileged user
- Resource limits — Kernel-enforced caps
- Privilege dropping — No setuid access
- Seccomp filters — Block dangerous syscalls
Even if a job tries to:
cat /etc/passwd→ Permission deniedsudo install malware→ No sudo accessfork() bomb→ Killed by resource limitsconnect() to external IP→ Blocked by network isolation
The sandbox design assumes jobs are untrusted. Developers could submit malicious code. The sandbox ensures it can’t harm your system.
Reporting Security Issues
If you find a security vulnerability:
- Don’t post it publicly
- Email
security@swarmient.comwith details - We’ll investigate and patch quickly
- You’ll get credit in the security advisory
Responsible disclosure is appreciated.
FAQ
Q: Can jobs see my internet traffic?
A: No. Jobs are network-isolated. They can’t see your traffic or monitor your network.
Q: Can jobs steal my files?
A: No. They can’t access your home directory, system files, or any files outside their work directory.
Q: What if a job tries to break out?
A: It’ll fail. The sandbox is kernel-enforced. Developers can report the bug to Swarmient.
Q: Is my private key safe?
A: As safe as your system. Keep the file readable only by you (chmod 600). Don’t share it. Back it up.
Q: What if a malicious developer sends harmful code?
A: It’ll run in the sandbox with no access to your system. It might consume resources or time out, but it can’t harm you.
Q: Can jobs use GPU?
A: Yes (if you offer GPU). GPUs are passed through to the container with sandboxing still enforced.
Next Steps
- Optimization — Tips to earn more
- FAQ — More security questions