modify repo and docs for lxc only

api/main.go

@@ -6,10 +6,8 @@ import (
     "fmt"
     "io/ioutil"
     "net/http"
-    "os"
     "os/exec"
     "strings"
-    "strconv"
     "time"
 )
 
@@ -25,7 +23,6 @@ type problem struct {
 }
 
 type outbound struct {
-    Generator string  `json:"instance"`
     Ran       bool    `json:"ran"`
     Output    string  `json:"output"`
 }
@@ -35,15 +32,6 @@ var instance int
 func main() {
     port := 2000
 
-    if len(os.Args) > 1 {
-        if i, err := strconv.Atoi(os.Args[1]); err == nil {
-            instance = i
-            port += i
-        }
-    } else {
-        instance = 0
-    }
-
     fmt.Println("starting api on port", port)
 
     http.HandleFunc("/execute", Execute)
@@ -111,13 +99,7 @@ func launch(request inbound, res http.ResponseWriter) {
     args = append(args, strings.Join(request.Args, "\n"))
 
     // set up the execution
-    //cmd := exec.Command("../docker/execute", args...)
     cmd := exec.Command("../lxc/execute", args...)
-    cmd.Env = os.Environ()
-
-    if instance > 0 {
-        cmd.Env = append(cmd.Env, fmt.Sprintf("SOCKET=unix:///var/run/docker-%d.sock", instance))
-    }
 
     // capture out/err
     var stdout, stderr bytes.Buffer
@@ -128,7 +110,6 @@ func launch(request inbound, res http.ResponseWriter) {
 
     // prepare response
     outbound := outbound{
-        Generator: fmt.Sprintf("docker-%d", instance),
         Ran: err == nil,
         Output: strings.TrimSpace(stdout.String()),
     }

docker/Dockerfile

@@ -1,19 +0,0 @@
-FROM ubuntu:18.04
-
-WORKDIR /tmp
-
-RUN useradd -m runner
-
-RUN echo 'runner soft nproc 256' >> /etc/security/limits.conf
-RUN echo 'runner hard nproc 256' >> /etc/security/limits.conf
-RUN echo 'runner soft nofile 4096' >> /etc/security/limits.conf
-RUN echo 'runner hard nofile 4096' >> /etc/security/limits.conf
-
-RUN sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu\//http:\/\/mirror.math.princeton.edu\/pub\/ubuntu\//' /etc/apt/sources.list
-RUN apt-get update && \
-    echo "tzdata tzdata/Areas select America" > /tmp/tzseed.txt; \
-    echo "tzdata tzdata/Zones/America select Chicago" >> /tmp/tzseed.txt; \
-    debconf-set-selections /tmp/tzseed.txt && \
-    apt-get install -y tzdata && \
-    rm /tmp/tzseed.txt && \
-    apt-get -y install nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk

docker/build

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-docker build -t piston .

docker/execute

@@ -1,94 +0,0 @@
-#!/usr/bin/env bash
-
-dir="$( cd "$( dirname "$0" )" && pwd )"
-
-if [ -z "$1" ]; then
-    echo "invalid args"
-    exit
-fi
-if [ -z "$2" ]; then
-    echo "invalid args"
-    exit
-fi
-
-lang=$1
-filepath=$(realpath $2)
-file=$(basename $2)
-argpath="/tmp/$(date +%s%N).args"
-arg=$(basename $argpath)
-socket=${SOCKET:-unix:///var/run/docker.sock}
-
-# write arg file
-echo "${@:3}" > $argpath
-
-bin=
-case "$lang" in
-"python2")
-    bin=executor_python2
-    ;;
-"python" | "python3")
-    bin=executor_python3
-    ;;
-"ruby")
-    bin=executor_ruby
-    ;;
-"javascript" | "js" | "node")
-    bin=executor_node
-    ;;
-"c")
-    bin=executor_c
-    ;;
-"cpp" | "c++")
-    bin=executor_cpp
-    ;;
-"go")
-    bin=executor_go
-    ;;
-"c#" | "csharp" | "cs")
-    bin=executor_csharp
-    ;;
-"r")
-    bin=executor_r
-    ;;
-"php")
-    bin=executor_php
-    ;;
-"nasm" | "asm")
-    bin=executor_nasm
-    ;;
-"java")
-    bin=executor_java
-    ;;
-*)
-    echo "invalid language"
-    exit
-esac
-
-docker \
-    -H $socket \
-    run \
-    -m 64m \
-    --network none \
-    --rm \
-    --log-driver none \
-    -v $filepath:/$file:ro \
-    -v $argpath:/$arg:ro \
-    -v $dir/executors/python2:/executor_python2:ro \
-    -v $dir/executors/python3:/executor_python3:ro \
-    -v $dir/executors/ruby:/executor_ruby:ro \
-    -v $dir/executors/node:/executor_node:ro \
-    -v $dir/executors/c:/executor_c:ro \
-    -v $dir/executors/cpp:/executor_cpp:ro \
-    -v $dir/executors/go:/executor_go:ro \
-    -v $dir/executors/csharp:/executor_csharp:ro \
-    -v $dir/executors/r:/executor_r:ro \
-    -v $dir/executors/php:/executor_php:ro \
-    -v $dir/executors/nasm:/executor_nasm:ro \
-    -v $dir/executors/java:/executor_java:ro \
-    piston \
-    runuser \
-        -l runner \
-        -c "bash /$bin /$file $file 2>&1 | head -c 65536"
-
-rm -f /tmp/$file
-rm -f /tmp/$arg

docker/executors/c

@@ -1,2 +0,0 @@
-timeout -s KILL 10 gcc -o binary -x c $1
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' ./binary"

docker/executors/cpp

@@ -1,2 +0,0 @@
-timeout -s KILL 10 g++ -o binary -x c++ $1
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' ./binary"

docker/executors/csharp

@@ -1,3 +0,0 @@
-cp /*.code .
-timeout -s KILL 10 mcs $(echo $1 | sed 's/\///') -out:binary
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' mono binary"

docker/executors/go

@@ -1,5 +0,0 @@
-cp /*.code interim.go
-file="interim.go"
-timeout -s KILL 10 go build $file
-file=${file%%.*}
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' ./$file"

docker/executors/java

@@ -1,5 +0,0 @@
-cp /*.code interim.java
-name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/  */ /gp' | cut -d' ' -f3)
-mv interim.java $name.java
-timeout -s KILL 10 javac $name.java
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' java $name"

docker/executors/nasm

@@ -1,3 +0,0 @@
-timeout -s KILL 10 nasm -f elf64 -o binary.o $1
-timeout -s KILL 10 ld binary.o -o binary
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' ./binary"

docker/executors/node

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' nodejs $1"

docker/executors/php

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' php $1"

docker/executors/python2

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' python2 $1"

docker/executors/python3

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' python3.6 $1"

docker/executors/r

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' Rscript $1"

docker/executors/ruby

@@ -1 +0,0 @@
-timeout -s KILL 3 bash -c "cat /*.args | xargs -d '\n' ruby $1"

lxc/notes.txt

@@ -1,38 +0,0 @@
-# install
-yum install lxc lxc-templates debootstrap libvirt
-
-# create container
-lxc-create -t download -n piston
-select ubuntu, bionic, amd64
-
-# start container
-lxc-start -n piston -d
-
-# shell in and install stuff
-lxc-attach -n piston
-export PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin
-sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu/http:\/\/mirror.math.princeton.edu\/pub\/ubuntu/' /etc/apt/sources.list
-apt-get update
-apt-get -y install git tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk
-apt-get -y install ubuntu-make
-umake swift
-set dir to /opt/swift/swift-lang
-ln -s /opt/swift/swift-lang/usr/bin/swift /usr/bin/swift
-
-
-# create users and apply limits
-for i in {1..150}; do
-    #userdel runner$i
-    useradd -M runner$i
-    usermod -d /tmp runner$i
-    echo "runner$i soft nproc 64" >> /etc/security/limits.conf
-    echo "runner$i hard nproc 64" >> /etc/security/limits.conf
-    echo "runner$i soft nofile 2048" >> /etc/security/limits.conf
-    echo "runner$i hard nofile 2048" >> /etc/security/limits.conf
-done
-
-# remove home dir
-rm -rf /home/ubuntu
-
-# set tmp
-chmod 755 /tmp

readme.md

@@ -4,42 +4,85 @@ from from EMKC contests and challenges. It's also used in the Engineer Man Disco
 [felix bot](https://github.com/engineer-man/felix).
 
 #### Installation
-- Install Docker https://www.docker.com/get-started
-- `git clone https://github.com/engineer-man/piston`
-- `cd piston/docker`
-- `./build`
+```
+# clone and enter repo
+git clone https://github.com/engineer-man/piston
+cd piston/lxc
+
+# install dependencies
+
+# centos:
+yum install epel-release
+yum install lxc lxc-templates debootstrap libvirt
+
+# everything else:
+# not documented, please open pull requests with commands for ubuntu/debian/arch/macos
+
+# start libvirtd
+systemctl start libvirtd
+
+# create and start container
+lxc-create -t download -n piston -- --dist ubuntu --release bionic --arch amd64
+./start
+
+# open a shell to the containr
+./shell
+
+# install all necessary piston dependencies
+export PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin
+sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu/http:\/\/mirror.math.princeton.edu\/pub\/ubuntu/' /etc/apt/sources.list
+apt-get update
+apt-get -y install git tzdata nano \
+    dpkg-dev build-essential python python3 \
+    ruby nodejs golang php7.2 r-base mono-complete \
+    nasm openjdk-8-jdk ubuntu-make
+# IMPORTANT: set dir to /opt/swift/swift-lang
+umake swift
+ln -s /opt/swift/swift-lang/usr/bin/swift /usr/bin/swift
+rm -rf /home/ubuntu
+chmod 777 /tmp
+
+# create runnable users and apply limits
+for i in {1..150}; do
+    useradd -M runner$i
+    usermod -d /tmp runner$i
+    echo "runner$i soft nproc 64" >> /etc/security/limits.conf
+    echo "runner$i hard nproc 64" >> /etc/security/limits.conf
+    echo "runner$i soft nofile 2048" >> /etc/security/limits.conf
+    echo "runner$i hard nofile 2048" >> /etc/security/limits.conf
+done
+
+# leave container
+exit
+
+# optionally run tests
+cd ../tests
+./test_all_lxc
+```
 
 #### Usage
-- `docker/execute [language] [path] [arg]...`
+- `lxc/execute [language] [path] [arg]...`
 
 #### Supported Languages
 Currently python2, python3, c, c++, go, node, ruby, r, c#, nasm, php, and java is supported.
 
 #### Principle of Operation
-Piston utilizes Docker as the primary mechanism for sandboxing. There is a small API written in Go which takes
-in execution requests and spawns new containers to execute the source from that request. High level, the API writes
-a temporary source file to `/tmp` and that gets mounted read-only along with the execution scripts into the container.
+Piston utilizes LXC as the primary mechanism for sandboxing. There is a small API written in Go which takes
+in execution requests and executes them in the container. High level, the API writes
+a temporary source and args file to `/tmp` and that gets mounted read-only along with the execution scripts into the container.
 The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
 
 #### Security
-Docker provides a great deal of security out of the box. Piston takes additional steps to make it resistant to
+LXC provides a great deal of security out of the box in that it's separate from the system.
+Piston takes additional steps to make it resistant to
 various privilege escalation, denial-of-service, and resource saturation threats. These steps include:
 - Disabling outgoing network interaction
-- Capping memory at 64mb (resists RAM saturation)
 - Capping max processes at 16 (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.)
 - Capping max files at 256 (resists various file based attacks)
 - Mounting all resources read-only (resists `sudo rm -rf --no-preserve-root /`)
 - Capping runtime execution at 3 seconds
 - Capping stdout to 65536 characters (resists yes/no bombs and runaway output)
 - SIGKILLing misbehaving code
-- Disabling journald logs (resists log flood)
-
-#### Performance
-One thing that needs investigation is how to spawn containers faster. The Docker daemon is synchronous in its
-container spawning. This means the bottleneck for code execution is how fast containers can start. Environments
-vary, but, in ours they start at a rate of no more than 1-2 per second. One possibility is Docker in Docker where by
-X number of containers stay running all the time and then requests are delivered to each in a round robin and spawn
-new Piston containers.
 
 #### License
 Piston is licensed under the MIT license.

tests/test.bf

@@ -0,0 +1 @@
++[----->+++<]>.++++++++..-----------.

tests/test_all_lxc

@@ -24,3 +24,5 @@ echo 'testing r'
 ../lxc/execute r test.r
 echo 'testing ruby'
 ../lxc/execute ruby test.rb
+echo 'testing brainfuck'
+../lxc/execute bf test.bf

var/dock@.service

@@ -1,45 +0,0 @@
-[Unit]
-Description=Docker Application Container Engine
-Documentation=http://docs.docker.com
-After=network.target
-Wants=docker-storage-setup.service
-Requires=docker-cleanup.timer
-
-[Service]
-Type=notify
-NotifyAccess=main
-EnvironmentFile=-/run/containers/registries.conf
-EnvironmentFile=-/etc/sysconfig/docker
-EnvironmentFile=-/etc/sysconfig/docker-storage
-EnvironmentFile=-/etc/sysconfig/docker-network
-Environment=GOTRACEBACK=crash
-Environment=DOCKER_HTTP_HOST_COMPAT=1
-Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
-ExecStart=/usr/bin/dockerd-current \
-          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
-          --default-runtime=docker-runc \
-          --exec-opt native.cgroupdriver=systemd \
-          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
-          --init-path=/usr/libexec/docker/docker-init-current \
-          --seccomp-profile=/etc/docker/seccomp.json \
-          --exec-root=/var/run/docker-%i \
-          --graph=/var/lib/docker-%i \
-          --host unix:///var/run/docker-%i.sock \
-          --pidfile /var/run/docker-%i.pid \
-          $OPTIONS \
-          $DOCKER_STORAGE_OPTIONS \
-          $DOCKER_NETWORK_OPTIONS \
-          $ADD_REGISTRY \
-          $BLOCK_REGISTRY \
-          $INSECURE_REGISTRY \
-          $REGISTRIES
-ExecReload=/bin/kill -s HUP $MAINPID
-LimitNOFILE=1048576
-LimitNPROC=1048576
-LimitCORE=infinity
-TimeoutStartSec=0
-Restart=on-abnormal
-KillMode=process
-
-[Install]
-WantedBy=multi-user.target

var/multidock

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-docker -H unix:///var/run/docker-$1.sock ${@:2}

var/notes.txt

@@ -1,25 +0,0 @@
-create vm
-git piston
-
-install dock and piston units
-systemctl enable dock@{1..10}.service
-systemctl start dock@{1..10}.service
-systemctl enable piston@{1..10}.service
-systemctl start piston@{1..10}.service
-
-install nginx config
-
-export image:
-./multidock 1 save -o piston.tar piston:latest
-
-copy in image:
-./multidock 1 load -i piston.tar
-./multidock 2 load -i piston.tar
-./multidock 3 load -i piston.tar
-./multidock 4 load -i piston.tar
-./multidock 5 load -i piston.tar
-./multidock 6 load -i piston.tar
-./multidock 7 load -i piston.tar
-./multidock 8 load -i piston.tar
-./multidock 9 load -i piston.tar
-./multidock 10 load -i piston.tar

var/piston.nginx

@@ -1,21 +0,0 @@
-upstream piston {
-    server 127.0.0.1:2001;
-    server 127.0.0.1:2002;
-    server 127.0.0.1:2003;
-    server 127.0.0.1:2004;
-    server 127.0.0.1:2005;
-    server 127.0.0.1:2006;
-    server 127.0.0.1:2007;
-    server 127.0.0.1:2008;
-    server 127.0.0.1:2009;
-    server 127.0.0.1:2010;
-}
-
-server {
-    listen 1337;
-
-    location / {
-        proxy_buffering off;
-        proxy_pass http://piston;
-    }
-}

var/piston.service

@@ -1,12 +1,12 @@
 [Unit]
-Description=Piston API
+Description=Piston
 
 [Service]
 Type=simple
 User=root
-Environment=PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
+Environment=PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/go/bin
 WorkingDirectory=/root/piston/api
-ExecStart=/root/piston/api/start %i
+ExecStart=/root/piston/api/start
 Restart=on-failure
 
 [Install]

var/start_piston

@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-
-systemctl start piston@1.service
-systemctl start piston@2.service
-systemctl start piston@3.service
-systemctl start piston@4.service
-systemctl start piston@5.service
-systemctl start piston@6.service
-systemctl start piston@7.service
-systemctl start piston@8.service
-systemctl start piston@9.service
-systemctl start piston@10.service
-systemctl start dock@1.service
-systemctl start dock@2.service
-systemctl start dock@3.service
-systemctl start dock@4.service
-systemctl start dock@5.service
-systemctl start dock@6.service
-systemctl start dock@7.service
-systemctl start dock@8.service
-systemctl start dock@9.service
-systemctl start dock@10.service

var/stop_piston

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-
-systemctl stop piston@{1..10}.service
-systemctl stop dock@{1..10}.service