[lxc-users] using lxc to run untrusted code

Kevin LaTona lists at studiosola.com
Sat May 23 01:33:41 UTC 2015


Alex

Also look at this for ideas: http://pythontutor.com. The code is up on GitHub, as I recall.

So while this is meant to debug and teach folks how to write Python, there might be some good ideas in the code base to help you along faster, since it's running Python code in a web browser.

-Kevin



On May 22, 2015, at 6:23 PM, Kevin LaTona <lists at studiosola.com> wrote:

> 
> Alex,
> 
> 
> I would say yes, depending on your final needs it is possible to do what you are asking for.
> 
> Back at PyCon 2013, during a Lightning talk when Docker was first shown publicly, what you are asking for was kind of one of the selling points back then for Docker.
> 
> Also back in those early days Docker was based on LXC.
> 
> https://www.youtube.com/watch?v=wW9CAH9nSLs
> 
> 
> You also should spend some time here as it's a good starting point to get a good background on LXC and LXD.
> https://linuxcontainers.org/lxc/getting-started/
> 
> 
> AWS is in my back yard and some months back at a local meeting an AWS PM was showing off their AWS Lambda service. When I saw it, it was only running NodeJS code. We were told that it was possible to spin up Python from Node in one of these AWS Lambdas.
> 
> The PM for it stated that AWS was going to be offering other languages like Python, Ruby, Scala, etc. But they were starting out with NodeJS; given their existing client base it made the most sense to start there to work out the issues.
> 
> But it does kind of do what you are asking for as a service, without having to manage anything on the back side. I recall it also tied into S3 in some manner or other.
> 
> I have to think there are other options out there as well. Heck AWS seems to be adding something new every few weeks.
> 
> Google has offerings and I am sure others do as well along these micro-service like ideas.
> 
> I recall hearing about a service called something like Python Anywhere or Everywhere. So you may want to Google around to see if that is close to what you are after.
> 
> Maybe someone else might chime in here to add in some other thoughts and ideas for you.
> 
> Bottom line is yes, LXC can do it and give you ways to control things. Given you want to run Python code in the wild, no matter how you deal with it, it's going to have issues to look after.
> 
> -Kevin
> 
> 
> 
> On May 22, 2015, at 5:38 PM, Alex Flint <alex.flint at gmail.com> wrote:
> 
>> I'm writing a web application that runs untrusted user code (python scripts uploaded as strings through a web form) and I'm trying to understand whether LXC is the right tool for the job:
>> 
>> - I need to prevent user code from tampering with the server on which it's running. Mostly I want to isolate the user code within some filesystem, and restrict access to network ports and a few other system resources.
>> 
>> - Latency is very important to me. I want to receive some user code, do whatever setup is required, run the code, and do whatever teardown is required all within ~100ms.
>> 
>> - I do _not_ need to support different operating systems. In fact, ideally I would like to have the python interpreter and the whole python environment live on the host OS, not within the container. I would (ideally) launch the python interpreter in the host OS and then isolate it within an LXC container before running the user code. Or something like this.
>> 
>> I understand that what I'm trying to do is not exactly a typical containerization scenario. Is LXC a good fit for me? Can you suggest how I could use LXC to achieve the above?
>> 
>> Thanks!
>> Alex
>> 
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
> 
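As an added example (not code from this thread or from the LXC project), here is one way to set up what Alex asks for: an LXC "application container" started with lxc-execute, so the host's own python3 runs inside a private root filesystem with no network interface, dropped capabilities and cgroup ceilings, and no distro boot on the critical path. The config keys are the LXC >= 2.1 spellings (lxc.net.0.*, lxc.rootfs.path, lxc.idmap) with cgroup v1 controller names; the paths /srv/sandbox and /srv/uploads, the container name pysandbox, the uid range 100000 and the limits are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the LXC project: an LXC application
# container that runs one untrusted Python script with the host's interpreter
# bind-mounted read-only, no network, dropped capabilities and cgroup limits.
# Key names are LXC >= 2.1 syntax (LXC 1.x used lxc.network.type, lxc.rootfs,
# lxc.id_map); cgroup keys assume a cgroup v1 host (v2 uses lxc.cgroup2.*).
set -eu

# Print the container config. ROOTFS is an (initially empty) directory on the
# host; SCRIPT is the uploaded user script, mounted read-only at /sandbox/user.py.
sandbox_config() {
    rootfs=$1
    script=$2
    cat <<EOF
lxc.uts.name = pysandbox
lxc.rootfs.path = dir:${rootfs}
# No network interface at all: nothing to bind to, nothing to connect to.
lxc.net.0.type = empty
# Host /usr and /lib trees (hence python3) read-only. create=dir makes the
# mount point, optional skips entries the host lacks (e.g. /lib64).
lxc.mount.entry = /usr usr none bind,ro,create=dir 0 0
lxc.mount.entry = /lib lib none bind,ro,create=dir 0 0
lxc.mount.entry = /lib64 lib64 none bind,ro,create=dir,optional 0 0
lxc.mount.entry = /etc/ld.so.cache etc/ld.so.cache none bind,ro,create=file,optional 0 0
# The user's script, read-only, and a small tmpfs as the only writable path.
lxc.mount.entry = ${script} sandbox/user.py none bind,ro,create=file 0 0
lxc.mount.entry = tmpfs tmp tmpfs nosuid,nodev,noexec,size=16m,create=dir 0 0
# User namespace: root inside the container is unprivileged uid/gid 100000 outside.
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
# Drop capabilities only an administrator needs.
lxc.cap.drop = sys_admin sys_module sys_rawio sys_boot sys_time mknod net_admin net_raw
# Resource ceilings so a runaway script cannot exhaust the host.
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.pids.max = 32
lxc.cgroup.cpu.cfs_period_us = 100000
lxc.cgroup.cpu.cfs_quota_us = 100000
EOF
}

# Run one script. lxc-execute starts the command under LXC's tiny init helper
# instead of booting a distro, which keeps setup and teardown short. timeout
# bounds wall-clock time; python3 -I ignores the user's site dir and env vars.
run_untrusted() {
    rootfs=$1
    script=$2
    limit=${3:-5}          # seconds of wall-clock time allowed (assumed default)
    conf=$(mktemp)
    mkdir -p "$rootfs"
    sandbox_config "$rootfs" "$script" > "$conf"
    status=0
    timeout "$limit" lxc-execute -n pysandbox -f "$conf" -- \
        /usr/bin/python3 -I /sandbox/user.py || status=$?
    rm -f "$conf"
    return "$status"
}

# Usage: ./sandbox.sh /srv/sandbox/rootfs /srv/uploads/job123.py [seconds]
if [ "$#" -ge 2 ]; then
    run_untrusted "$@"
fi
```

Two things to check before relying on this: the rootfs directory must be enterable by the mapped uid (100000 here) once lxc.idmap is in effect, and lxc-execute needs LXC's own init helper reachable inside the container (recent releases bind-mount their static helper in; if the container exits immediately, that is the first thing to look at). A seccomp profile via lxc.seccomp.profile is the natural next layer on top of the capability drop, and each uploaded script should get a fresh rootfs or tmpfs rather than reusing one between users.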


