Question

I want to execute untrusted user-submitted code in a sandbox. The code shouldn't use much CPU and RAM unless there is a bug or a user tries to compromise the server.

Can I use lxc for creating a temporary sandbox? What is the overhead of creating and stopping a container? How can I get the output of the script? Is there an example of a config which blocks everything in the container to make it 100% safe and then opens only what I need? Will the container be able to use programs like Java and Python installed on the host but still not be able to compromise the host?

Thanks

Solution

I think you should try docker.io. With this, making LXC is extremely easy. Setting up LXC is a one-time process, and then you can run it in < 5 sec anytime.

And there is no way a bug or user from inside LXC here can compromise the host. Client LXC has total separation of resources at base level using cgroups and namespaces, not only with the host but other LXCs running on the same host as well.
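
A deny-by-default `docker run` wrapper of the kind the question asks for, as an added example that is not part of the original question or answer: no network, read-only root filesystem, all capabilities dropped, an unprivileged user, and memory, CPU and process-count limits, with the script's output captured to a file. The image name, the limit values, the `/code/main.py` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Image, limits and the /code path are assumptions.
SANDBOX_IMAGE="${SANDBOX_IMAGE:-python:3-alpine}"  # interpreter comes from the image
SANDBOX_TIMEOUT="${SANDBOX_TIMEOUT:-10}"           # wall-clock limit, seconds

# Deny-by-default flags, one per line so they are easy to review and test.
sandbox_flags() {
    cat <<EOF
--rm
--network=none
--read-only
--cap-drop=ALL
--security-opt=no-new-privileges
--user=65534:65534
--memory=${SANDBOX_MEM:-128m}
--memory-swap=${SANDBOX_MEM:-128m}
--cpus=${SANDBOX_CPUS:-0.5}
--pids-limit=${SANDBOX_PIDS:-64}
--tmpfs=/tmp:rw,noexec,nosuid,size=16m
EOF
}

# run_sandboxed <script> <outfile>: run one submission, capture stdout+stderr.
# The script file must be readable by uid 65534 (world-readable on the host).
run_sandboxed() {
    script=$1; out=$2
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 2; }
    dir=$(cd "$(dirname "$script")" && pwd) || return 2
    name="sbx-$$-$(date +%s)"
    rc=0
    # Unquoted $(sandbox_flags) is intentional: each line is one flag.
    timeout "$SANDBOX_TIMEOUT" docker run --name "$name" $(sandbox_flags) \
        --volume "$dir/$(basename "$script"):/code/main.py:ro" \
        "$SANDBOX_IMAGE" python /code/main.py >"$out" 2>&1 || rc=$?
    # timeout only signals the docker client; stop the container itself too.
    if [ "$rc" -eq 124 ]; then docker kill "$name" >/dev/null 2>&1 || true; fi
    return "$rc"
}

# Usage: sh sandbox.sh submission.py result.txt
if [ "$#" -eq 2 ]; then run_sandboxed "$1" "$2"; fi
```

The container shares the host kernel, so these flags narrow what the submitted code can reach rather than guaranteeing isolation. The interpreter comes from the image, not from the host's Java or Python install.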

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow