Re: limit memory and CPU when using libvirt-sandbox

[pablo platt <pablo.platt@xxxxxxxxx>]

Is it 100% secure by default without access to host network and file system?
Can I run it with a normal user with root privileges?

I'm trying to follow the man page but there are some things which are not clear.
What levels are available for level=LEVEL in SECURITY-OPTIONS?
When it says that the contents of host and guest folders are indistinguishable, does it means that I can edit host files from the guest when setting -B?
http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox

On Mon, Jan 28, 2013 at 4:44 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:

On Mon, Jan 28, 2013 at 04:38:13PM +0200, pablo platt wrote:
> I'm considering using virt-sandbox with lxc to sandbox and execute
> untrusted code like python scripts and compiled C code.
> Is it possible to limit CPU and Memory like is possible with lxc-execute
> and a config file?

At this time, we've not wired up resource limits via the libvirt sandbox
package. Currently the focus has been on securing the containers to prevent
them doing bad things to the host. Resource constraints as a todo item.

> What's the difference between lxc-execute and libvirt-sandbox?

LXC execute is a standalone tool from the LXC sf.net project which
has nothing todo with libvirt. libvirt-sandbox is a sandbox technology
built ontop of libvirt, which is able to create sandboxes across various
virtualization technologies, currently LXC, KVM and QEMU.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users