sysbox VS piston

You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).

Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:

$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash

Disclaimer: I'm Sysbox's co-creator and currently working for Docker.

One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].

It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.

[0]: https://github.com/nestybox/sysbox

[1]: https://blog.nestybox.com/2020/10/21/gitlab-dind.html

Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the -privileged flag and optimizes specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.

Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox

We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.

A good alternative to the VM approach is to use Kubernetes + Sysbox (a next-gen "runc", free, open-source).

But nowadays there is an option to run such software in containers securely. It's called Sysbox, and it's a new "runc" (the piece of software that creates the containers). I am one of the developers, so I am biased, but I think you'll find it helpful.

and public reviews (as well as reviews on similar approaches [1]), the approach does not seem to satisfy my requirements. After some additional searching, I found a possible dockerized solution:

https://github.com/engineer-man/piston

I want to ask the HN community if anybody has experience in this problem space and what solutions they would suggest. Is the Piston's dockerized approach secure enough to be used in production systems?

I would really appreciate any insights anyone could provide.

Anything in the milliseconds is pretty large for fast languages, so I think it could be something to do with the way that they sandbox submissions. Ultimately I dunno, but it is interesting to speculate how they do it, maybe some cheesed Linux containers like piston / https://github.com/engineer-man/piston or something. Heavily altered runtime could swing a few ms here or there, so that's the logic for not relying on Leetcode for accurate assumptions, I guess

If you're deadset on the absurd madness you can attempt to use a community "punching bag" container, like https://github.com/engineer-man/piston, something like that or a honeypot that's tuned to resist abuses of the infra. But that way lies pain, lots of pain and dogecoin miners, rats, and trojans. Regular precautions won't be enough, and even a locked-down container/VM is likely only a matter of time. Decent hackers' bots are gonna run down a giant list of stuff from metasploit and there's probably something in open-enough userland that can be abused for escape.

I don't know if there is any resource availible to read specifically for this problem. But here is what I found on a quick google search: https://github.com/engineer-man/piston

I found some open-source projects like piston and Judge0. But there are some limitations like the number of requests per second, etc.

You should consider using something like piston. This way they can run code in a sandboxed way and you don’t have to worry. You can host it yourself and let them use that which probably yields the best results but there is also a free hosted version you can use. You could even make a simple website wrapper for the students to use to run their code.

The code runner is https://github.com/engineer-man/piston

Biggest one: https://github.com/engineer-man/piston Made with Go lang: https://github.com/ranna-go/ranna Something here: https://github.com/jakhax/sandman

why not use a secure code execution engine like python-discord/snekbox or engineer-man/piston though?