<div dir="ltr">Hi,<br><br>Is there an example for a config file needed to create a sandbox?<br>I'm using Ubuntu 12.04 (can use any other version if required).<br>I need to execute untrusted code inside a sandbox with lxc-execute.<br>
<br>libvirt-sandbox seems to be what I need, but it's not available in Ubuntu and doesn't support limiting RAM and CPU.<br><a href="https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/">https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/</a><br>
<br>Is there an equivalent in the lxc tools?<br>Is there a plan for something like an lxc-sandbox command?<br><br>Basically I want to disable everything and allow only the minimum to compile and execute simple scripts.<br><br>
I've started with the following config file, but I don't know what else needs to be prevented or changed to protect the host.<br>Does anyone have a config file he can share?<br><br>Thanks<br><br><pre>
# no network interface at all inside the container
lxc.network.type = empty
# relative CPU weight (a share, not a hard cap)
lxc.cgroup.cpu.shares = 1234
# RAM limit, then RAM+swap limit
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
# deny access to every device node
lxc.cgroup.devices.deny = a
# capabilities removed from the container's bounding set
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
#lxc.cap.drop = sys_admin syslog
</pre></div>
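A fuller sandbox configuration for the setup the post describes (lxc-execute, no network, cgroup limits, device and capability restrictions), written as an added example that is not part of the original message or of any reply on the thread, and not the lxc project's own sample. It uses the same lxc 0.7/0.8 key syntax as the post; the rootfs path, the file name sandbox.conf, the limit values and the list of re-allowed devices are assumptions for illustration, and sys_admin and syslog are moved into the drop list on the assumption that lxc-init no longer needs them once the container is set up.

```ini
# Added example (not from the original post or from the lxc project).
# Usage:  lxc-execute -n sandbox -f sandbox.conf -- /usr/bin/python /tmp/job.py
# /opt/sandbox-rootfs, the limits and the device list below are assumptions.

lxc.utsname = sandbox

# No network device at all: nothing to reach the host or the outside world.
lxc.network.type = empty

# Private root filesystem built separately (assumed path). lxc-execute needs
# lxc-init, the compiler and the interpreter to exist inside it.
lxc.rootfs = /opt/sandbox-rootfs

# lxc-init needs /proc; mount it and /sys with restrictive fstab options. In
# this lxc version the mount target is the full host path under the rootfs.
# A small tmpfs for build output keeps a job from filling the rootfs.
lxc.mount.entry = proc /opt/sandbox-rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs /opt/sandbox-rootfs/sys sysfs ro,nodev,noexec,nosuid 0 0
lxc.mount.entry = tmpfs /opt/sandbox-rootfs/tmp tmpfs nodev,nosuid,size=16m 0 0

# Start from "deny all devices" and re-allow only the character devices a
# compile-and-run job needs (major:minor as listed in /proc/devices). Keep
# comments on their own lines: each value is written verbatim to devices.allow.
lxc.cgroup.devices.deny = a
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm

# Resource limits. cpu.shares is only a relative weight; cfs_quota_us against
# cfs_period_us is a hard cap (here 50% of one CPU) on kernels with CFS
# bandwidth control (3.2 and later). Remove the two cfs lines if the files are
# absent, because a missing cgroup file aborts lxc-execute. memsw.* only exists
# when the kernel was booted with swapaccount=1, which Ubuntu leaves off.
lxc.cgroup.cpu.shares = 256
lxc.cgroup.cpu.cfs_period_us = 100000
lxc.cgroup.cpu.cfs_quota_us = 50000
lxc.cgroup.memory.limit_in_bytes = 64M
lxc.cgroup.memory.memsw.limit_in_bytes = 64M

# Drop every capability the job does not need. There are no user namespaces in
# this setup, so uid 0 inside the container is uid 0 on the host: what the
# process cannot do is decided by this list, the device cgroup and the mounts.
# sys_admin and syslog are dropped here on the assumption that lxc-init no
# longer needs them after setup; if lxc-execute then fails to start, move them
# back onto a commented line as in the post.
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config sys_admin syslog
```

Two caveats worth checking before relying on this. First, because setuid and setgid are dropped, the command handed to lxc-execute keeps running as root inside the container; if you would rather run the job as an unprivileged user, keep those two capabilities and wrap the command in something like su -s /bin/sh nobody -c '...'. Second, none of this protects the host from a kernel vulnerability reachable from inside the container: the device cgroup, the mounts and the dropped capabilities shrink the attack surface, but the untrusted code still talks to the host kernel directly, so keep the kernel patched and treat the sandbox as one layer rather than a boundary on its own.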