Quoting Ciprian Dorin Craciun (ciprian.crac...@gmail.com):
> On Tue, Jan 15, 2013 at 11:46 PM, pablo platt <pablo.pl...@gmail.com> wrote:
> > I want to execute user submitted code in Java, Python and other languages in
> > a container.
> > Something similar to http://ideone.com but much simpler.
> > The code users submit should be simple, without accessing the network or
> > files unless the user tries to compromise the server.
>
> Small comment orthogonal in regard to LXC: if you need to enforce
> security, you should also try to "integrate" the "seccomp" facility of
> Linux in combination with LXC. (Another viable security oriented
> solution might be AppArmor. Of course you need to combine it with LXC
> to obtain the environment isolation.)

Both seccomp and apparmor are built into lxc, so do configure them.
We're also at the point where you could conceivably run in a user
namespace, meaning the container would have no privilege relative to
the host (but full privs in the container).

The overhead for using lxc-execute should be just about 0. However I
think you would be better off building a full base container, then
using lvm-snapshotted lxc-clones for each user run, to further isolate
the containers.

(I don't use lxc-execute much, so will let someone who does address
questions about it)

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
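
The reply above names three things to configure: seccomp, AppArmor and a user namespace. The following is an added example, not part of the original thread or of the LXC project, that audits a single container config file for those settings. It assumes the legacy and current LXC key spellings shown in the code, does not follow `lxc.include`, and uses constructed sample configs with hypothetical paths and id ranges.

```python
# Added example: audit one LXC config file for the settings named in the reply.
# Accepts legacy (LXC 1.x/2.0) and current (LXC 2.1+) key names.
# Assumption: a single file is checked; lxc.include is not followed.
SECCOMP_KEYS = {"lxc.seccomp", "lxc.seccomp.profile"}
APPARMOR_KEYS = {"lxc.aa_profile", "lxc.apparmor.profile"}
IDMAP_KEYS = {"lxc.id_map", "lxc.idmap"}

def parse_lxc_config(text):
    """Return (key, value) pairs; keys may repeat (lxc.idmap does)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Return sorted findings; an empty list means every check passed."""
    pairs = parse_lxc_config(text)
    findings = set()
    if not any(k in SECCOMP_KEYS and v for k, v in pairs):
        findings.add("seccomp profile not set")
    profiles = [v for k, v in pairs if k in APPARMOR_KEYS]
    if not profiles:
        findings.add("AppArmor profile not set explicitly")
    elif profiles[-1] == "unconfined":
        findings.add("AppArmor profile is unconfined")
    maps = [v.split() for k, v in pairs if k in IDMAP_KEYS]
    maps = [m for m in maps if len(m) == 4]  # type, container id, host id, count
    if not {"u", "g"} <= {m[0] for m in maps}:
        findings.add("no uid and gid mapping: container root is host root")
    if any(m[2] == "0" for m in maps):
        findings.add("idmap maps container ids onto host id 0")
    return sorted(findings)

# Constructed sample configs (hypothetical paths and id ranges).
WEAK = """
lxc.uts.name = runner
lxc.apparmor.profile = unconfined
"""
HARDENED = """
lxc.uts.name = runner
lxc.seccomp.profile = /etc/lxc/runner.seccomp
lxc.apparmor.profile = lxc-container-default
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = empty
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```
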