Docker Community Forums

Share and learn in the Docker community.

Is docker suitable for running untrusted code?

docker

(Anik786) #1

I want to create a educational web app that compiles and runs code for the user similar to: https://ideone.com/

Thus I need a secure sandboxing technique.
Ideally I would use VM, but creating a fresh VM for each and every submission may take too long to startup and boot.

Is docker suitable for this (as I have heard others using docker for similar purposes)?

If not, is there a suitable alternative?


(Anik786) #2

So still no replies…


(Nathan Le Claire) #3

As with any security question, the answer is more complex than “safe” vs. “not safe” and requires a thorough look around your threat profile vs. how much risk you’re willing to tolerate.

If you run the containers as non-root users (or do user namespace remapping) and don’t do anything exposing the host directly such as bind mounts, then the risk profile of the untrusted code processes themselves is lower, but there is still risk.

Your main attack vector is probably the kernel itself. Additional attacks such as fork bombs, DDoS, etc. will also be easier due to you directly exposing the ability to run code to the end user. Are you willing to be vigilant in staying on top of CVEs as they are released, upgrading, and monitoring all of your systems to prevent these kinds of attacks?


(Anik786) #4

Interesting response.

Safe vs Unsafe
I understand that there is no such thing as completely safe. Even opening a webpage can be regarded as unsafe. I simply want to find a relatively secure way of compiling and running untrusted code. Hence, I wish to know if Docker is suitable for this and if I need to use any further hardening techniques.

Risk Profile
Being an educational site, the type of hackers expected are probably those who just want to cause damage for the sake of damage.

As the untrusted code is run on a separate server within a docker, even if the user somehow gets out of the docker, it will only be able to get access to that server. Considering there is nothing else on that server, the only damage they should be able to do is affecting the running and compiling aspect of the application.

Your Answer
From your answer it seems that your saying Docker may be suitable provided I run the container as non-root, don’t expose the host directly and update regularly. There is still a risk however (however I assume there will of course be some risks for a task such as this).

Am I correct in this understanding?
Also is there any further suggestions in how I can achieve my goal in the most secure manner possible?


(Nathan Le Claire) #5

Just want to make sure that you understand the risks. Some, such as https://runnable.io, are already doing simliar things today. At the end of the day, it’s your own risk/reward decision.

Following the advice at https://docs.docker.com/engine/security/security/ will lead you to a better setup than the default, especially if you enable grsec / AppArmor. Use --cap-drop to your advantage. Never, ever run untrusted code with flags such as --privileged.

You can also take extra steps to limit the scope of what the containers are actually capable of as much as possible. e.g. if you just need to compile some code use a minimal distro like alpine with only the binaries / files you need to get the job done and turn off network egress/ingress from the containers that you run (--net none).

Once again, stay on top of CVEs / patches needed for the host system.

Hope this helps. Good luck and godspeed.


(Nathan Le Claire) #6

Oh, and also keep in mind flags such as --memory-reservation that limit resource usage of containers.