[libvirt-users] limit memory and CPU when using libvirt-sandbox

I'm considering using virt-sandbox with lxc to sandbox and execute untrusted code like python scripts and compiled C code. Is it possible to limit CPU and Memory like is possible with lxc-execute and a config file? What are the defaults security settings? Is it completely isolated by default? What's the difference between lxc-execute and libvirt-sandbox? How can I use it in ubuntu? Thanks

On Mon, Jan 28, 2013 at 04:38:13PM +0200, pablo platt wrote:
> I'm considering using virt-sandbox with lxc to sandbox and execute untrusted code like python scripts and compiled C code. Is it possible to limit CPU and Memory like is possible with lxc-execute and a config file?

At this time, we've not wired up resource limits via the libvirt sandbox package. Currently the focus has been on securing the containers to prevent them doing bad things to the host. Resource constraints are a todo item.

> What's the difference between lxc-execute and libvirt-sandbox?

LXC execute is a standalone tool from the LXC sf.net project which has nothing to do with libvirt. libvirt-sandbox is a sandbox technology built on top of libvirt, which is able to create sandboxes across various virtualization technologies, currently LXC, KVM and QEMU.

Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Is it 100% secure by default without access to host network and file system? Can I run it with a normal user with root privileges? I'm trying to follow the man page but there are some things which are not clear. What levels are available for level=LEVEL in SECURITY-OPTIONS? When it says that the contents of host and guest folders are indistinguishable, does it mean that I can edit host files from the guest when setting -B?

http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-san...

On Mon, Jan 28, 2013 at 4:44 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Mon, Jan 28, 2013 at 04:38:13PM +0200, pablo platt wrote:
> > I'm considering using virt-sandbox with lxc to sandbox and execute untrusted code like python scripts and compiled C code. Is it possible to limit CPU and Memory like is possible with lxc-execute and a config file?
>
> At this time, we've not wired up resource limits via the libvirt sandbox package. Currently the focus has been on securing the containers to prevent them doing bad things to the host. Resource constraints are a todo item.
>
> > What's the difference between lxc-execute and libvirt-sandbox?
>
> LXC execute is a standalone tool from the LXC sf.net project which has nothing to do with libvirt. libvirt-sandbox is a sandbox technology built on top of libvirt, which is able to create sandboxes across various virtualization technologies, currently LXC, KVM and QEMU.
>
> Daniel
>
> -- 
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|