50 minutes
Intermediate
English
Running code from untrusted sources inside your application is risky. Even the most well-intended code can mess up the internals of your application, and malicious code can compromise your system.
Linux Containers (also known as LXC) provide namespace isolation that completely isolates a process tree's view of the operating environment, including process trees, network interfaces, user IDs and mounted file systems. This provides the means for creating a sandbox with very low overhead to run code in.
This talk will consist of an introduction to LXC, a discussion of how to use LXC and existing Perl modules to safely run untrusted code, and a presentation of some use cases.
Most of the talk will focus on LXC, but most ideas should be easily applicable to other systems like FreeBSD Jails or Solaris Zones.