sysbox
piston
| | sysbox | piston |
|---|---|---|
| Mentions | 22 | 19 |
| Stars | 2,503 | 1,742 |
| Growth | 3.0% | 2.9% |
| Activity | 8.5 | 6.1 |
| Last commit | 2 days ago | about 1 month ago |
| Language | Shell | JavaScript |
| License | Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysbox
- Podman Desktop: A Free OSS Alternative to Docker Desktop
You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).
Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:
$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash
Disclaimer: I'm Sysbox's co-creator and currently working for Docker.
- Sysbox: VM-Like Containers
- What companies are using golang and have source code in github?
- SELinux is unmanageable; just turn it off if it gets in your way
One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].
It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.
- Jenkins in Docker: Running Docker in a Jenkins container
Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the --privileged flag and optimize specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.
- Run untrusted code in sandbox
Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox
- Real-world stories of how we’ve compromised CI/CD pipelines
We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.
- Individual Docker Desktops vs hosting on a server?
A good alternative to the VM approach is to use Kubernetes + Sysbox (a next-gen "runc", free, open-source).
- Sysbox now works on K8s v1.21
- Does running a container with privileged mode turn on allow code to escape into the Host ?
But nowadays there is an option to run such software in containers securely. It's called Sysbox, and it's a new "runc" (the piece of software that creates the containers). I am one of the developers, so I am biased, but I think you'll find it helpful.
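The thread above turns on what --privileged actually hands a container. The check below is added here as an example; it is not code from the page, from Sysbox or from Docker. It decodes the CapEff mask from /proc/PID/status and reads /proc/PID/uid_map so the three cases can be told apart: a default container (host root with a reduced capability set), a --privileged container (host root with every capability, CAP_SYS_ADMIN included) and a user-namespaced container of the kind Sysbox creates (a full-looking capability set that is scoped to the namespace rather than to the host). The capability bit numbers come from linux/capability.h; the sample masks used in the self-check comments (00000000a80425fb for default Docker, 000001ffffffffff for --privileged on a kernel with 41 capabilities) and the sample uid_map lines are constructed values for illustration.

```shell
#!/bin/sh
# Added example (not from the page, Sysbox or Docker): classify the process
# you are running as by decoding its capability mask and its uid mapping.
#
# Capability bit numbers from <linux/capability.h> (stable kernel ABI).
CAP_DAC_READ_SEARCH=2
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# has_cap MASK BIT: succeed when bit BIT is set in the hexadecimal mask MASK
# (the format of the Cap* lines in /proc/PID/status, e.g. 00000000a80425fb).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_count MASK: print how many capability bits are set in MASK.
# Default Docker gives 14; --privileged gives every bit the kernel knows.
cap_count() {
    n=0
    bit=0
    while [ "$bit" -lt 64 ]; do
        if has_cap "$1" "$bit"; then n=$((n + 1)); fi
        bit=$((bit + 1))
    done
    echo "$n"
}

# dangerous_caps MASK: print the names of capabilities in MASK that are
# routinely enough for a container-to-host escape when they are host-scoped
# (mounting, module loading, raw device I/O, ptrace, reading any file,
# reconfiguring the network).
dangerous_caps() {
    for entry in \
        DAC_READ_SEARCH:$CAP_DAC_READ_SEARCH NET_ADMIN:$CAP_NET_ADMIN \
        SYS_MODULE:$CAP_SYS_MODULE SYS_RAWIO:$CAP_SYS_RAWIO \
        SYS_PTRACE:$CAP_SYS_PTRACE SYS_ADMIN:$CAP_SYS_ADMIN; do
        if has_cap "$1" "${entry##*:}"; then
            echo "CAP_${entry%%:*}"
        fi
    done
}

# is_identity_uid_map "UID_MAP_CONTENT": succeed only for the initial
# namespace's identity mapping "0 0 4294967295", i.e. root here really is host
# root. A user-namespaced container (Sysbox always uses one) shows a line such
# as "0 165536 65536" instead; any multi-line map is treated as non-identity.
is_identity_uid_map() {
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 4294967295 ]
}

# verdict MASK "UID_MAP_CONTENT": one-line classification from both signals.
# Capabilities are only meaningful against the host when root is host root,
# so the uid_map is checked first.
verdict() {
    if ! is_identity_uid_map "$2"; then
        echo "user-namespaced: capabilities are namespace-scoped"
    elif has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "privileged: host-scoped CAP_SYS_ADMIN present"
    else
        echo "default: host root with reduced capabilities"
    fi
}

# Self-check of the current process (Linux only; /proc is required).
if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "CapEff=$mask ($(cap_count "$mask") capabilities)"
    dangerous_caps "$mask"
    verdict "$mask" "$(cat /proc/self/uid_map)"
fi
```

Run it inside the container you are unsure about. A user namespace is what lets Sysbox hand a container a full capability set without handing it the host, but it shrinks what the capabilities reach, not the kernel attack surface: a kernel bug reachable from an unprivileged namespace still escapes, so treat the "user-namespaced" verdict as "not trivially privileged", not as "sandboxed".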
piston
- Ask HN: Secure Python code execution environment
and public reviews (as well as reviews on similar approaches [1]), the approach does not seem to satisfy my requirements. After some additional searching, I found a possible dockerized solution:
https://github.com/engineer-man/piston
I want to ask the HN community if anybody has experience in this problem space and what solutions they would suggest. Is Piston's dockerized approach secure enough to be used in production systems?
I would really appreciate any insights anyone could provide.
- [leetcode Java] I am working on problem 1603. Design Parking System, but am unable to see why inclusion of if/else statements are affecting runtime
Anything in the milliseconds is pretty large for fast languages, so I think it could be something to do with the way that they sandbox submissions. Ultimately I dunno, but it is interesting to speculate how they do it, maybe some cheesed Linux containers like piston / https://github.com/engineer-man/piston or something. Heavily altered runtime could swing a few ms here or there, so that's the logic for not relying on Leetcode for accurate assumptions, I guess
- Can anyone tell me why it'd be a bad idea to open up my filesystem to read-only SSH access from the internet?
If you're dead set on the absurd madness you can attempt to use a community "punching bag" container, like https://github.com/engineer-man/piston, something like that or a honeypot that's tuned to resist abuses of the infra. But that way lies pain, lots of pain and dogecoin miners, rats, and trojans. Regular precautions won't be enough, and even a locked-down container/VM is likely only a matter of time. Decent hackers' bots are gonna run down a giant list of stuff from metasploit and there's probably something in open-enough userland that can be abused for escape.
- How can I build an automated code testing platform?
I don't know if there is any resource available to read specifically for this problem. But here is what I found on a quick google search: https://github.com/engineer-man/piston
- [AskJS] Suggest me some online Code execution engine
I found some open-source projects like piston and Judge0. But there are some limitations like the number of requests per second, etc.
- YouBit - Host any file on YouTube for free
You should consider using something like piston. This way they can run code in a sandboxed way and you don’t have to worry. You can host it yourself and let them use that which probably yields the best results but there is also a free hosted version you can use. You could even make a simple website wrapper for the students to use to run their code.
- A project of mine called Notium, a notetaking app for CS students
The code runner is https://github.com/engineer-man/piston
- How to build a codecademy clone that runs code in the browser?
Biggest one: https://github.com/engineer-man/piston
Made with Go: https://github.com/ranna-go/ranna
Something here: https://github.com/jakhax/sandman
- A Python Jupyter Kernel in Slack. Just send Python code as a message!
why not use a secure code execution engine like python-discord/snekbox or engineer-man/piston though?
- A High Performance Code Execution Engine
What are some alternatives?
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
snekbox - Easy, safe evaluation of arbitrary Python code
containerd - An open and reliable container runtime
asteval - minimalistic evaluator of python expression using ast module
dind - Docker in Docker
pyodide - Pyodide is a Python distribution for the browser and Node.js based on WebAssembly
gvisor - Application Kernel for Containers
compilers - 📦 Docker image with installed compilers, interpreters and sandbox.
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
sandman - execute and test code of various languages within a sandbox runtime that provides a virtualized container environment.
shelljs - :shell: Portable Unix shell commands for Node.js