[lxc-users] using lxc to run untrusted code

[Alex Flint]

I'm writing a web application that runs untrusted user code (python scripts
uploaded as strings through a web form) and I'm trying to understand
whether LXC is the right tool for the job:

- I need to prevent user code from tampering with the server on which it's
running. Mostly I want to isolate the user code within some filesystem, and
restrict access to network ports and a few other system resources.

- Latency is very important to me. I want to receive some user code, do
whatever setup is required, run the code, and do whatever teardown is
required all within ~100ms.

- I do _not_ need to support different operating system. In fact ideally I
would like to have the python interpreter and the whole python environment
live on the host OS, not within the container. I would (ideally) launch the
python interpreter in the host OS and then isolate it within an LXC
container before running the user code. Or something like this.

I understand that what I'm trying to do is not exactly a typical
containerization scenario. Is LXC a good fit for me? Can you suggest how I
could use LXC to achieve the above?

Thanks!
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150523/3abe2cf9/attachment.html>