https://github.com/crazystylus/containersandbox
A sandbox deployable inside a container written in GoLang
- Host: GitHub
- URL: https://github.com/crazystylus/containersandbox
- Owner: crazystylus
- License: mit
- Created: 2019-10-24T20:00:09.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2019-10-24T20:12:39.000Z (about 5 years ago)
- Last Synced: 2024-04-29T00:13:05.971Z (6 months ago)
- Language: Go
- Size: 5.86 KB
- Stars: 4
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Sandbox
## Description
This demonstrates deployment of a stable sandbox inside a running container for running untrusted code and applications.
It is meant to be used as the base sandbox for a code judge, run inside a Kubernetes pod or a Docker container.
## Breakdown
1. Namespaces :- It uses the following namespaces -> UTS namespace, mount namespace, IPC namespace, PID namespace and a network namespace
2. CGroups :- It uses the cpu, memory and pids cgroups to contain fork bombs and malicious code that eats memory or CPU
3. Unprivileged user :- An unprivileged user is used for compilation and execution of the programs
4. *EXTRA* chroot :- chroot support is available if required, but it then needs a rootfs to switch to
## Usage
It was tested primarily on Podman v1.5.1.
Copy the files from the git repo into a folder, or pull them inside the container.
```sh
# On the host: start the container (host /sandbox is mounted at /sandbox)
podman run -it --name gochk --cap-add=SYS_ADMIN -v /sandbox:/sandbox golang:alpine
# Inside the container
apk add openrc gcc libc-dev bash
mkdir proc
adduser sandbox # (uid and gid should be 1000 for this user)
go build -o sandbox
./sandbox run 60 /bin/sh
```
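
The isolation layers listed in the Breakdown (five namespaces, cpu/memory/pids cgroups, unprivileged uid/gid 1000), shown as an added Go example; it is not the project's own code. The function names, the cgroup v1 file layout, the group name `sandbox` and the limit values are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"syscall"
)

// Constructed sample limits (cgroup v1 file names); not the project's own settings.
var limits = [][3]string{
	{"memory", "memory.limit_in_bytes", "67108864"}, // 64 MiB hard cap
	{"cpu", "cpu.cfs_quota_us", "50000"},            // half a CPU per default 100 ms period
	{"pids", "pids.max", "32"},                      // bounds fork bombs
}

// applyLimits writes the limits under root and adds pid (and its future children) to each cgroup.
func applyLimits(root, group string, pid int) error {
	for _, l := range limits {
		dir := filepath.Join(root, l[0], group)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		for name, val := range map[string]string{l[1]: l[2], "cgroup.procs": fmt.Sprint(pid)} {
			if err := os.WriteFile(filepath.Join(dir, name), []byte(val), 0o644); err != nil {
				return err
			}
		}
	}
	return nil
}

// sandboxCmd prepares a child in new namespaces as uid/gid 1000; creating them needs CAP_SYS_ADMIN.
func sandboxCmd(path string, args ...string) *exec.Cmd {
	cmd := exec.Command(path, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
		Credential: &syscall.Credential{Uid: 1000, Gid: 1000},
	}
	return cmd
}

func main() { // run as root inside the container started above
	if err := applyLimits("/sys/fs/cgroup", "sandbox", os.Getpid()); err != nil {
		panic(err)
	}
	out, err := sandboxCmd("/usr/bin/id").CombinedOutput()
	fmt.Printf("%s%v\n", out, err)
}
```

The launcher joins the cgroups itself before starting the child, so the untrusted process is never outside the limits.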
## Benchmark
### Adds 8ms latency per execution