[Lxc-users] sandbox config file
pablo platt
pablo.platt at gmail.com
Mon Jan 28 20:55:46 UTC 2013
Hi,
Is there an example for a config file needed to create a sandbox?
I'm using Ubuntu 12.04 (can use any other version if required).
I need to execute untrusted code inside a sandbox with lxc-execute.
libvirt-sandbox seems to be what I need but it's not available in Ubuntu
and doesn't support limiting RAM and CPU.
https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/
Is there an equivalent in lxc tools?
Is there a plan for something like a lxc-sandbox command?
Basically I want to disable everything and allow only the minimum to
compile and execute simple scripts.
I've started with the following config file but I don't know what else needs
to be prevented or changed to protect the host.
Does anyone have a config file he can share?
Thanks
lxc.network.type = empty
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
lxc.cgroup.devices.deny = a
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
#lxc.cap.drop = sys_admin syslog
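
Added example (not part of the original message and not code from the LXC project): a small Python check that parses a config like the one posted above and reports which capabilities its lxc.cap.drop list leaves in place, along with the network, device and memory settings. The capability list is an assumption taken from capabilities(7) for a 3.2-era kernel as shipped with Ubuntu 12.04, and the function names are hypothetical.

```python
# Added example: audit an LXC config like the one in the post above.
# Assumption: capability names per capabilities(7) on a 3.2-era kernel;
# newer kernels add more (block_suspend, audit_read, perfmon, bpf, ...).
KNOWN_CAPS = """
chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
""".split()

# Constructed sample: the settings from the post, cap list on one line.
SAMPLE = """\
lxc.network.type = empty
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
lxc.cgroup.devices.deny = a
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
#lxc.cap.drop = sys_admin syslog
"""

def parse(text):
    """Return {key: [values]}; repeated keys (e.g. lxc.cap.drop) accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, commented-out setting, or not key = value
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def audit(text):
    """Summarise what the config drops, and what it leaves available."""
    conf = parse(text)
    dropped = {c.lower() for v in conf.get("lxc.cap.drop", []) for c in v.split()}
    return {
        "retained_caps": sorted(set(KNOWN_CAPS) - dropped),  # still available
        "unknown_caps": sorted(dropped - set(KNOWN_CAPS)),   # likely typos
        "network_empty": conf.get("lxc.network.type") == ["empty"],
        "devices_deny_all": "a" in conf.get("lxc.cgroup.devices.deny", []),
        "memory_capped": "lxc.cgroup.memory.limit_in_bytes" in conf,
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```

The retained_caps entry lists every known capability that no active lxc.cap.drop line names, so commented-out drops show up there.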