[Lxc-users] Execute untrusted code in a container

Serge Hallyn serge.hallyn at canonical.com
Wed Jan 16 14:59:28 UTC 2013


Quoting Ciprian Dorin Craciun (ciprian.craciun at gmail.com):
> On Tue, Jan 15, 2013 at 11:46 PM, pablo platt <pablo.platt at gmail.com> wrote:
> > I want to execute user submitted code in Java, Python and other languages in
> > a container.
> > Something similar to http://ideone.com but much simpler.
> > The code users submit should be simple, without accessing the network or
> > files unless the user tries to compromise the server.
> 
>     Small comment orthogonal in regard to LXC: if you need to enforce
> security, you should also try to "integrate" the "seccomp" facility of
> Linux in combination with LXC. (Another viable security oriented
> solution might be AppArmor. Of course you need to combine it with LXC
> to obtain the environment isolation.)

Both seccomp and apparmor are built into lxc, so do configure them.
We're also at the point where you could conceivably run in a user
namespace, meaning the container would have no privilege relative to
the host (but full privs in the container).

The overhead for using lxc-execute should be just about 0.  However
I think you would be better off building a full base container, then
using lvm-snapshotted lxc-clones for each user run, to further isolate
the containers.

(I don't use lxc-execute much, so will let someone who does address
questions about it)
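
Added example, not part of the original message and not code from the lxc project: a small Python check that a container config really sets the layers named in the reply above (a seccomp policy, an AppArmor profile, user-namespace id maps) before untrusted code is run in it. The sample config and the finding texts are constructed for illustration; both the older and the newer spellings of the LXC config keys are accepted.

```python
# Added example: lint an LXC container config for the confinement layers
# named in the thread. SAMPLE_CONFIG is constructed, not taken from the thread.

# Older and newer spellings of the same LXC config keys.
SECCOMP_KEYS = {"lxc.seccomp", "lxc.seccomp.profile"}
APPARMOR_KEYS = {"lxc.aa_profile", "lxc.apparmor.profile"}
IDMAP_KEYS = {"lxc.id_map", "lxc.idmap"}

SAMPLE_CONFIG = """\
# constructed sample
lxc.utsname = run-0001
lxc.aa_profile = unconfined
lxc.id_map = u 0 100000 65536
"""

def parse(text):
    """Return (key, value) pairs; keys may repeat (one id map line per kind)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Return sorted findings; an empty list means all three layers are set."""
    pairs = parse(text)
    def values(keys):
        return [v for k, v in pairs if k in keys]
    findings = []
    if not any(values(SECCOMP_KEYS)):
        findings.append("seccomp: no policy file configured")
    aa = values(APPARMOR_KEYS)
    if not aa:
        findings.append("apparmor: no profile set explicitly")
    elif aa[-1] == "unconfined":
        findings.append("apparmor: profile is 'unconfined'")
    maps = [m.split() for m in values(IDMAP_KEYS)]
    for kind in ("u", "g"):
        # Map line layout: <u|g> <first id in container> <first id on host> <count>
        mapped = [m for m in maps if m[:1] == [kind]]
        if not mapped:
            findings.append(f"userns: no {kind}id map")
        elif any(len(m) == 4 and m[1] == "0" and m[2] == "0" for m in mapped):
            findings.append(f"userns: container {kind}id 0 maps to host id 0")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```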



