我正在寻求有关此事的帮助,如果我想对在网站中键入的命令的执行进行沙箱处理,我有哪些选择?我想为编程语言创建一个在线解释器。
我一直在研究 docker,我该如何使用它?这是最好的选择吗?
最佳答案
codecube.io做这个。它是开源的:https://github.com/hmarr/codecube
作者写下了他的rationale and process 。该系统的工作原理如下:
- A user types some code in to a box on the website, and specifies the language the code is written in
- They click “Run”, the code is POSTed to the server
- The server writes the code to a temporary directory, and boots a docker container with the temporary directory mounted
- The container runs the code in the mounted directory (how it does this varies according to the code’s language)
- The server tails the logs of the running container, and pushes them down to the browser via server-sent events
- The code finishes running (or is killed if it runs for too long), and the server destroys the container
Docker 容器的入口点是 entrypoint.sh ,它在容器内运行:
prog=$1
<...create user and set permissions...>
sudo -u codecube /bin/bash /run-code.sh $prog
然后run-code.sh检查扩展并运行相关的编译器或解释器:
extension="${prog##*.}"
case "$extension" in
"c")
gcc $prog && ./a.out
;;
"go")
go run $prog
;;
<...cut...>
The server that accepts the code examples from the web, and orchestrates the Docker containers was written in Go. Go turned out to be a pretty good choice for this, as much of the server relied on concurrency (tailing logs to the browser, waiting for containers to die so cleanup could happen), which Go makes joyfully simple.
作者还详细介绍了他是如何实现资源限制、隔离以及安全思想的。
关于docker - 通过 Ajax 使用 docker 执行沙箱命令,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28086406/