diff --git a/lxc/disable_network b/lxc/disable_network
new file mode 100755
index 0000000..cd96b6b
--- /dev/null
+++ b/lxc/disable_network
@@ -0,0 +1,2 @@
+iptables -I INPUT -i virbr0 -j REJECT
+iptables -I OUTPUT -o virbr0 -j DROP
diff --git a/lxc/enable_network b/lxc/enable_network
new file mode 100755
index 0000000..78305a7
--- /dev/null
+++ b/lxc/enable_network
@@ -0,0 +1,2 @@
+iptables -D INPUT -i virbr0 -j REJECT
+iptables -D OUTPUT -o virbr0 -j DROP
diff --git a/lxc/execute b/lxc/execute
index 476d4c8..0fe3ee9 100755
--- a/lxc/execute
+++ b/lxc/execute
@@ -15,14 +15,13 @@ lang=$1
 epoch=$(date +%s%3N)
 basepath="/var/lib/lxc/piston/rootfs"
 filepath="/tmp/$epoch/code.code"
-file=$(basename $2)
 argpath="/tmp/$epoch/args.args"
 arg=$(basename $argpath)
 # write arg file
 mkdir -p $basepath/tmp/$epoch
 chmod 777 $basepath/tmp/$epoch
-cat $file > $basepath$filepath
+cat $2 > $basepath$filepath
 echo "${@:3}" > $basepath$argpath
 bin=
@@ -69,7 +68,6 @@ case "$lang" in
 esac
 lxc-attach -n piston -- \
- /bin/su ubuntu \
- -c "bash /home/ubuntu/$bin $epoch 2>&1 | head -c 65536"
+ /bin/bash -c "PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin bash /exec/$bin $epoch 2>&1 | head -c 65536"
 rm -rf $basepath/tmp/$epoch
diff --git a/lxc/executors/c b/lxc/executors/c
index 42de3a1..10a96be 100755
--- a/lxc/executors/c
+++ b/lxc/executors/c
@@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 gcc -o binary -x c code.code
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
diff --git a/lxc/executors/cpp b/lxc/executors/cpp
index 8535fb5..cbe90ab 100755
--- a/lxc/executors/cpp
+++ b/lxc/executors/cpp
@@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 g++ -o binary -x c++ code.code
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
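Review bot: The two added rules only filter traffic that terminates on or originates from the host itself (INPUT/OUTPUT), so packets the container sends through virbr0 toward other networks still traverse the FORWARD chain and, if the host routes or NATs for that bridge, still reach the outside; add `iptables -I FORWARD -i virbr0 -j DROP` and `iptables -I FORWARD -o virbr0 -j DROP` (with matching `-D` lines in enable_network) to actually cut the sandbox off. `-I` is also not idempotent: running disable_network twice inserts duplicate rules while enable_network deletes only one copy of each, so guard each insert with `iptables -C … || iptables -I …`. Whether virbr0 is the bridge the piston container is attached to cannot be seen here (LXC's default bridge is lxcbr0); confirm against the container config.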
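Review bot: `cat $2 > $basepath$filepath` reads whatever path the caller hands in, unquoted and unvalidated, and since this script presumably runs as root (lxc-attach needs it for a privileged container), a `$2` such as `/etc/shadow` copies a host-only file into the sandbox where the submitted program can read it, while a path containing spaces or glob characters simply breaks the copy. At minimum write `cat -- "$2" > "$basepath$filepath"`, and if the caller is not fully trusted resolve the path with `realpath` and reject anything outside the expected staging directory. `epoch=$(date +%s%3N)` is also the only thing separating concurrent runs, so two requests in the same millisecond share `/tmp/$epoch`; `mktemp -d` under the rootfs would avoid that. The script continues above and below this hunk.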
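Review bot: Replacing `su ubuntu` with a root `/bin/bash` means `/exec/$bin` now runs as the container's root and the executors only drop to `ubuntu` for the final run step, so every compile (`gcc`, `javac`, `mcs`, `go build`, `nasm`) processes attacker-supplied source with root privileges — a C submission with `#include "/etc/shadow"` can echo root-only file contents back through compiler diagnostics, and compiler plugins or annotation processors execute arbitrary code at that stage. Prefer keeping the whole executor unprivileged, e.g. `/bin/bash -c "PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin runuser -u ubuntu -- bash /exec/$bin $epoch 2>&1 | head -c 65536"`, which requires `/exec/$bin` to be readable by ubuntu (start currently sets 700). `$bin` is interpolated unquoted into the `bash -c` string; that is only safe while the `case "$lang"` above assigns fixed names, which cannot be confirmed from this hunk.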
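Review bot: `timeout -s KILL 3 runuser ubuntu -c "…"` probably no longer stops the submission on expiry: util-linux `runuser -c` runs the command in a new session (the reason `--session-command` exists), so the child is outside the process group `timeout` signals, and because SIGKILL cannot be caught `runuser` cannot forward it either — only `runuser` dies while `./binary` and anything it spawned keep running, eating into the shared `ubuntu` nproc budget of later runs. Use `timeout -s KILL 3 runuser ubuntu --session-command "cat args.args | xargs -d '\n' ./binary"` (acceptable here since there is no controlling tty to hijack), or drop privileges without a session change via `setpriv`, and verify with a submission that runs `sleep 60` that nothing survives the timeout. The compile step on the line above still runs as root; the same pattern appears in every executor touched by this commit.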
diff --git a/lxc/executors/csharp b/lxc/executors/csharp
index 2faa0a4..20691be 100755
--- a/lxc/executors/csharp
+++ b/lxc/executors/csharp
@@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' mono binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' mono binary"
diff --git a/lxc/executors/go b/lxc/executors/go
index 0f3d4ea..0963669 100755
--- a/lxc/executors/go
+++ b/lxc/executors/go
@@ -3,4 +3,4 @@ cp code.code interim.go
 file="interim.go"
 GOROOT=/usr/lib/go timeout -s KILL 10 go build $file
 file=${file%%.*}
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./$file"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./$file"
diff --git a/lxc/executors/java b/lxc/executors/java
index 9a6062d..11b500a 100755
--- a/lxc/executors/java
+++ b/lxc/executors/java
@@ -3,4 +3,4 @@ cp code.code interim.java
 name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3)
 mv interim.java $name.java
 timeout -s KILL 10 javac $name.java
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' java $name"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' java $name"
diff --git a/lxc/executors/nasm b/lxc/executors/nasm
index 446f41e..ebacda1 100755
--- a/lxc/executors/nasm
+++ b/lxc/executors/nasm
@@ -1,4 +1,4 @@
 cd /tmp/$1
 timeout -s KILL 10 nasm -f elf64 -o binary.o code.code
 timeout -s KILL 10 ld binary.o -o binary
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
diff --git a/lxc/executors/node b/lxc/executors/node
index 2688a87..8f88431 100755
--- a/lxc/executors/node
+++ b/lxc/executors/node
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' nodejs code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' nodejs code.code"
diff --git a/lxc/executors/php b/lxc/executors/php
index e3b1fab..dc26d43 100755
--- a/lxc/executors/php
+++ b/lxc/executors/php
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' php code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' php code.code"
diff --git a/lxc/executors/python2 b/lxc/executors/python2
index c44cf3c..38f4cf6 100755
--- a/lxc/executors/python2
+++ b/lxc/executors/python2
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python2 code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python2 code.code"
diff --git a/lxc/executors/python3 b/lxc/executors/python3
index b58104e..e71d7fc 100755
--- a/lxc/executors/python3
+++ b/lxc/executors/python3
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python3.6 code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python3.6 code.code"
diff --git a/lxc/executors/r b/lxc/executors/r
index 6f05be5..39810fd 100755
--- a/lxc/executors/r
+++ b/lxc/executors/r
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' Rscript code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' Rscript code.code"
diff --git a/lxc/executors/ruby b/lxc/executors/ruby
index 8f10fc3..f9bd9dd 100755
--- a/lxc/executors/ruby
+++ b/lxc/executors/ruby
@@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ruby code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ruby code.code"
diff --git a/lxc/notes.txt b/lxc/notes.txt
index 179f33d..947db35 100644
--- a/lxc/notes.txt
+++ b/lxc/notes.txt
@@ -16,11 +16,13 @@ apt-get update
 apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk
 # apply limits
-echo 'ubuntu soft nproc 128' >> /etc/security/limits.conf
-echo 'ubuntu hard nproc 128' >> /etc/security/limits.conf
+echo 'ubuntu soft nproc 16' >> /etc/security/limits.conf
+echo 'ubuntu hard nproc 16' >> /etc/security/limits.conf
 echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf
 echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf
-echo 'runner soft nproc 16' >> /etc/security/limits.conf
-echo 'runner hard nproc 16' >> /etc/security/limits.conf
-echo 'runner soft nofile 512' >> /etc/security/limits.conf
-echo 'runner hard nofile 512' >> /etc/security/limits.conf
+
+# remove home dir
+rm -rf /home/ubuntu
+
+# set tmp
+chmod 755 /tmp
diff --git a/lxc/start b/lxc/start
index 1134abe..8f2f7f1 100755
--- a/lxc/start
+++ b/lxc/start
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
-rm -f /var/lib/lxc/piston/rootfs/home/ubuntu/*
-cp -f executors/* /var/lib/lxc/piston/rootfs/home/ubuntu
+mkdir -p /var/lib/lxc/piston/rootfs/exec
+rm -f /var/lib/lxc/piston/rootfs/exec/*
+cp -f executors/* /var/lib/lxc/piston/rootfs/exec
+chmod 700 /var/lib/lxc/piston/rootfs/exec/*
 lxc-start -n piston -d
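Review bot: All submissions now execute as the single `ubuntu` uid, so the `nproc 16` written here is a per-user, system-wide budget: one submission holding 16 processes makes `fork` fail for every concurrent one, and any submission can `kill -9 -1` or read and overwrite the files of other runs in the world-writable `/tmp/<epoch>` directories that execute creates — a per-run uid or a pids cgroup per run would isolate them. `limits.conf` is also only enforced by `pam_limits`, so confirm that `/etc/pam.d/runuser` inside the container loads it; otherwise neither the nproc nor the nofile limits apply to the `runuser` calls in the executors. After `rm -rf /home/ubuntu` the ubuntu user's `HOME` no longer exists; some of the toolchains installed above (go's build cache, mono, java) may expect a writable HOME, so either set `HOME=/tmp/$epoch` when running them or document the intent with `# HOME is intentionally absent; runtimes must not rely on it`.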