I have recently started using OpenBSD. And I want to create easy fire-and-forget containers/VM or something es (it should be used as a Sandbox).
The user can upload his source code (C++/Java/Perl), it will be compiled on the Server (OpenBSD), if this was successful, it should execute this File and then return the result to the Web page.
How can I provide this in OpenBSD?
Also, should I use chroot, since 'jail' will be removed in 6.0? Or are there other possibilities to create a "sandbox" in OpenBSD?
Currently OpenBSD doesn't support any "chroot on steroid" mechanism. In the past, same jail feature (named sysjail
) was in ports, but removed in 2007 because it was not easy to maintain and pretty insecure. You can find more information about it on stackexchange and with your search engine.
Historically, OpenBSD only support chroot(8)
and work exactly like other system:
# create your target chroot
target="/tmp/chroot"
mkdir ${target}
# now build and install your userland
cd /usr
cvs -qz3 -d${repository} co src -r${openbsd_release}
cd /usr/src
make obj && make && make install DESTDIR=${target}
# in root
chroot /tmp/chroot
# run your daemon here
# note: you need to init also dev directory
# and, eventually, customize /etc/fstab
# /tmp is currently not allowed to have dev on it
# please see fstab(5) man page
Lot of software in base support chroot feature, openntpd
, openssh
, httpd
and many others are configured by default in isolated directory.
Now, since OpenBSD 5.9, you can use vmm(4)
hypervisor and vmctl(8)
in base. You can start your vmd
daemon and create isolated container like any other hypervisor (bhyve, xen or kvm).
# from openbsd vmctl man page example
vmctl create disk.img -s 4.5G
vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd
vmctl stop 1
You can also use another approach based on software in ports, qemu
work pretty well but have poor performance on OpenBSD, due to lake of kernel acceleration support and in parts because of filesystem structure.
Now, concerning your main issue (offer a way of remote compiling source code), I guess the better idea is to truly isolate your code from main system, and using something like vmctl
or qemu
could be the good answer. Perhaps qemu would be the better, because you can use standard user to execute it, without kernel feature and with lot of network features, but compilation would be really slow.