[Lxc-users] sandbox config file

pablo platt pablo.platt at gmail.com
Mon Jan 28 20:55:46 UTC 2013


Hi,

Is there an example for a config file needed to create a sandbox?
I'm using Ubuntu 12.04 (can use any other version if required).
I need to execute untrusted code inside a sandbox with lxc-execute.

libvirt-sandbox seems to be what I need but it's not available in Ubuntu
and doesn't support limiting RAM and CPU.
https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/

Is there an equivalent in lxc tools?
Is there a plan for something like a lxc-sandbox command?

Basically I want to disable everything and allow only the minimum to
compile and execute simple scripts.

I've started with the following config file but I don't know what else needs
to be prevented or changed to protect the host.
Does anyone have a config file he can share?

Thanks

lxc.network.type = empty
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
lxc.cgroup.devices.deny = a
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
#lxc.cap.drop = sys_admin syslog
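
An added example, not part of the original post or of the LXC tools: a small Python audit for a config like the one above, reporting which capabilities the `lxc.cap.drop` lines leave in place and which lines are wrapped fragments rather than `key = value`. The `audit` function, the `SAMPLE` config and the choice of the Linux 3.5 capability list are assumptions made for the illustration.

```python
import re

# Capability names in the form lxc.cap.drop takes (lower case, no CAP_ prefix).
# Assumption: the set defined by Linux 3.5; newer kernels define more.
KNOWN_CAPS = set("""audit_control audit_write block_suspend chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw
setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice
sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog
wake_alarm""".split())

def audit(config_text):
    """Return (dropped, retained, unknown, orphans) for an LXC config string."""
    dropped, unknown, orphans = set(), set(), []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: contributes nothing
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if not m:
            # No "key = value": usually the tail of a value that a mail client
            # or editor wrapped. It does not extend the previous key's value.
            orphans.append((lineno, line))
            continue
        if m.group(1) == "lxc.cap.drop":
            for cap in m.group(2).split():
                (dropped if cap in KNOWN_CAPS else unknown).add(cap)
    return dropped, KNOWN_CAPS - dropped, unknown, orphans

# Constructed sample: a shortened config in the style of the one in the post,
# with the drop list wrapped onto a second line and one line commented out.
SAMPLE = """\
lxc.network.type = empty
lxc.cgroup.devices.deny = a
lxc.cap.drop = audit_control audit_write chown dac_override
mknod net_admin net_raw sys_module sys_ptrace
#lxc.cap.drop = sys_admin syslog
"""

if __name__ == "__main__":
    dropped, retained, unknown, orphans = audit(SAMPLE)
    print("dropped :", " ".join(sorted(dropped)))
    print("retained:", " ".join(sorted(retained)))
    print("unknown :", " ".join(sorted(unknown)))
    for lineno, text in orphans:
        print("line %d is not key = value: %s" % (lineno, text))
```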