[Lxc-users] Execute untrusted code in a container
Serge Hallyn
serge.hallyn at canonical.com
Wed Jan 16 14:59:28 UTC 2013
Quoting Ciprian Dorin Craciun (ciprian.craciun at gmail.com):
> On Tue, Jan 15, 2013 at 11:46 PM, pablo platt <pablo.platt at gmail.com> wrote:
> > I want to execute user submitted code in Java, Python and other languages in
> > a container.
> > Something similar to http://ideone.com but much simpler.
> > The code users submit should be simple, without accessing the network or
> > files unless the user tries to compromise the server.
>
> Small comment orthogonal in regard to LXC: if you need to enforce
> security, you should also try to "integrate" the "seccomp" facility of
> Linux in combination with LXC. (Another viable security oriented
> solution might be AppArmor. Of course you need to combine it with LXC
> to obtain the environment isolation.)

Both seccomp and apparmor are built into lxc, so do configure them.

We're also at the point where you could conceivably run in a user
namespace, meaning the container would have no privilege relative to
the host (but full privs in the container).

The overhead for using lxc-execute should be just about 0. However
I think you would be better off building a full base container, then
using lvm-snapshotted lxc-clones for each user run, to further isolate
the containers.

(I don't use lxc-execute much, so will let someone who does address
questions about it)
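
A container configuration that combines the mechanisms named in this message (seccomp, AppArmor, a user namespace) with the loopback-only network the original question asks for, as an added example that is not part of the original message. It uses the key names of LXC 2.1 and later, which postdate this thread; the container name, paths and ID range are assumptions.

```ini
# Added example, not from the thread. Key names as used by LXC 2.1 and later.
# Container name and rootfs path are assumptions.
lxc.uts.name = run-0001
lxc.rootfs.path = dir:/var/lib/lxc/run-0001/rootfs

# User namespace: container uid/gid 0..65535 map to host IDs 100000..165535
# (constructed range), so root inside the container holds no host privilege.
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

# AppArmor: keep a confining profile. "unconfined" is the weak setting.
# lxc.apparmor.profile = unconfined
lxc.apparmor.profile = lxc-container-default

# seccomp: load a syscall policy file (this path is an assumption).
lxc.seccomp.profile = /etc/lxc/untrusted.seccomp

# Network: "empty" gives the container a loopback interface only.
lxc.net.0.type = empty
```

With an ID mapping in place, the files in the rootfs have to be owned by the mapped host IDs, otherwise the container's root user cannot use them.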