curl -X POST -d 'print("hello untrusted world")' "http://51.15.86.10:8000"
### POST request to demo server
#
#
# set output.resp to be an object you want back in output: response
# print(...) statements will be added to log:[...] response
POST http://51.15.86.10:8000
Content-Type: text/plain
import time
import os
import tempfile
print('rob')
print(os.getuid())
output.resp = { "level": 42 }
#
# {
#   "output": {
#     "logs": [
#       "rob",
#       999
#     ],
#     "resp": {
#       "level": 42
#     }
#   },
#   "stderr": [
#     ""
#   ]
# }
#
Taken from https://gvisor.dev/docs/user_guide/quick_start/oci/
- runner.py: the main program that reads code from STDIN, compiles and executes it
- config.json: the OCI runtime spec
- Dockerfile: builds a tiny Python docker image
- script.py: any untrusted user code we want to run on the system
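An added example of what a runner with the behaviour described above could look like. This is not the gist's own runner.py; the function name run_untrusted and the _Output class are assumptions. It reads the script from STDIN, exposes an `output` object whose `resp` attribute is echoed back, collects the arguments of every print() call into `logs` (so an int stays an int, as in the sample response), captures stderr and tracebacks into a list of lines, and prints the same JSON shape the demo server returns. It attempts no in-process restriction: CPU, memory and filesystem isolation come entirely from the runsc container the runner is started in.

```python
import contextlib
import io
import json
import sys
import traceback


class _Output:
    """Namespace handed to untrusted code as `output`; only `resp` is echoed back."""

    def __init__(self):
        self.resp = None


def run_untrusted(code, source_name="<stdin>"):
    """Compile and exec `code`, returning a dict shaped like the demo server's
    JSON reply: {"output": {"logs": [...], "resp": ...}, "stderr": [...]}.

    No sandboxing happens here (hypothetical helper); the process is expected
    to already be confined by gVisor/runsc.
    """
    logs = []
    output = _Output()

    def logging_print(*args, **kwargs):
        # Keep the original objects rather than their str() form, so
        # print(os.getuid()) shows up as 999, not "999".
        logs.extend(args)

    # Globals for the untrusted script: our print() shadows the builtin one
    # because globals are resolved before builtins. Python inserts
    # __builtins__ into this dict automatically when exec() runs.
    namespace = {
        "__name__": "__main__",
        "print": logging_print,
        "output": output,
    }

    stderr_buf = io.StringIO()
    with contextlib.redirect_stderr(stderr_buf):
        try:
            exec(compile(code, source_name, "exec"), namespace)
        except Exception:
            # Surface the traceback to the caller instead of crashing the runner.
            traceback.print_exc(file=stderr_buf)

    return {
        "output": {"logs": logs, "resp": output.resp},
        # "".split("\n") gives [""] for a clean run, matching the sample reply.
        "stderr": stderr_buf.getvalue().split("\n"),
    }


def main():
    result = run_untrusted(sys.stdin.read())
    # default=str keeps the reply serialisable if resp holds a non-JSON object.
    print(json.dumps(result, indent=2, default=str))


if __name__ == "__main__":
    main()
```

Usage inside the bundle is the same as for the original: `cat script.py | sudo runsc run mycontainer` with config.json's process args pointing at this file. Because the runner itself does not limit CPU time or memory, anything not enforced by the OCI spec or by runsc (see the RLIMIT_CPU note below) is not enforced at all.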
sudo docker build -t python-tiny:latest .
mkdir bundle
cd bundle
mkdir --mode=0755 rootfs
sudo docker export $(sudo docker create python-tiny:latest) | sudo tar -xf - -C rootfs --same-owner --same-permissions
cp runner.py rootfs
cat script.py | sudo runsc -debug run mycontainer
sudo runsc list
sudo runsc delete <contid>
- RLIMIT_CPU doesn't seem to work
- sockets sometimes get left in /var/run/runsc/, preventing containers with the same ID from starting