API for creating Docker jails to run untrusted code.
Bay is a Go library/server that exposes a simple API to run untrusted code in a Docker container. Obviously, this means it is Linux only, and all the security concerns around running untrusted code in a Linux container still apply. It currently supports images for Go, Ruby, Python, C, C++, Perl, and so forth. If you plan on using it to create several containers at once, I would suggest you use Docker Swarm. This is easy to do in Bay and takes one configuration option, listed below. You will also want to follow the best practices for setting up Docker Swarm as well (TLS and such).
Can't stress this enough: YOU need to make sure you follow the best practices for running Linux containers. This library does not magically lock down your containers in a completely safe and isolated manner. Bay is only as strong as Docker. Check out these resources regarding Docker security.
- The Docker Security article from Docker.io.
- The LXC, Docker, Security slides from Jérôme Petazzoni.
- The series of Docker security articles from Daniel J. Walsh (one, two).
- The Linux Audit for some additional best practices.
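As an added illustration of what "follow the best practices" means for a container that runs untrusted code (example code written for this edit; it is not part of Bay and does not use Bay's API), the following Go program builds a hardened `docker run` argument list and audits an arbitrary argument list against the same checklist. The image name, the limit values, and the checklist itself are assumptions; the flags are standard Docker CLI flags.

```go
package main

import (
	"fmt"
	"strings"
)

// Limits holds the resource ceilings applied to one jail. The defaults
// below are an assumption for illustration, not Bay's defaults.
type Limits struct {
	MemoryMB int     // hard RAM cap
	CPUs     float64 // CPU quota in cores
	Pids     int     // process count cap (stops fork bombs)
	TmpMB    int     // size of the only writable scratch space
}

var DefaultLimits = Limits{MemoryMB: 128, CPUs: 0.5, Pids: 64, TmpMB: 32}

// HardenedRunArgs builds the `docker run` argument list for an untrusted
// workload: no network, read-only rootfs, every capability dropped, no
// privilege escalation, an unprivileged uid, and hard resource limits.
func HardenedRunArgs(image string, l Limits, cmd ...string) []string {
	args := []string{
		"run", "--rm",
		"--network", "none",
		"--read-only",
		"--tmpfs", fmt.Sprintf("/tmp:rw,noexec,nosuid,size=%dm", l.TmpMB),
		"--cap-drop", "ALL",
		"--security-opt", "no-new-privileges",
		"--user", "65534:65534", // nobody:nogroup on most images
		"--memory", fmt.Sprintf("%dm", l.MemoryMB),
		"--cpus", fmt.Sprintf("%g", l.CPUs),
		"--pids-limit", fmt.Sprintf("%d", l.Pids),
		image,
	}
	return append(args, cmd...)
}

// flagValue returns the value following flag (or after "flag=") and whether
// the flag appears at all. Boolean flags report ok=true with an empty value.
// Only the first occurrence of a flag is considered.
func flagValue(args []string, flag string) (value string, ok bool) {
	for i, a := range args {
		if a == flag {
			if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
				return args[i+1], true
			}
			return "", true
		}
		if strings.HasPrefix(a, flag+"=") {
			return strings.TrimPrefix(a, flag+"="), true
		}
	}
	return "", false
}

// AuditRunArgs checks an arbitrary `docker run` argument list against the
// hardening checklist and returns one finding per control that is missing
// or actively weakened. An empty result means the checklist is satisfied.
func AuditRunArgs(args []string) []string {
	var findings []string
	want := []struct{ flag, value, msg string }{
		{"--network", "none", "network not disabled (--network none)"},
		{"--read-only", "", "root filesystem is writable (--read-only)"},
		{"--cap-drop", "ALL", "capabilities not dropped (--cap-drop ALL)"},
		{"--security-opt", "no-new-privileges", "privilege escalation allowed (--security-opt no-new-privileges)"},
		{"--memory", "", "no memory limit (--memory)"},
		{"--pids-limit", "", "no process limit (--pids-limit)"},
	}
	for _, w := range want {
		v, ok := flagValue(args, w.flag)
		if !ok || (w.value != "" && !strings.EqualFold(v, w.value)) {
			findings = append(findings, w.msg)
		}
	}
	u, ok := flagValue(args, "--user")
	if !ok || u == "" || u == "root" || u == "0" || strings.HasPrefix(u, "0:") {
		findings = append(findings, "runs as root (set --user to an unprivileged uid)")
	}
	for _, a := range args {
		switch {
		case a == "--privileged":
			findings = append(findings, "--privileged gives near-host access")
		case strings.Contains(a, "docker.sock"):
			findings = append(findings, "Docker socket mounted: container could drive the host daemon")
		}
	}
	return findings
}

func main() {
	// Constructed sample: a hardened invocation and a deliberately weak one.
	args := HardenedRunArgs("example/sandbox:latest", DefaultLimits, "python3", "main.py")
	fmt.Println("docker", strings.Join(args, " "))
	weak := []string{"run", "--privileged", "-v", "/var/run/docker.sock:/var/run/docker.sock", "example/sandbox:latest", "sh"}
	for _, f := range AuditRunArgs(weak) {
		fmt.Println("finding:", f)
	}
}
```

The audit function is the part worth keeping around: run it over whatever argument list your wrapper actually hands to Docker, and treat any finding as a deployment blocker. Resource limits are as much a part of the jail as isolation, since a container that can exhaust host memory or pids affects every other jail on the node.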
go get github.com/Vluxe/bay
things...
Bay is licensed under Apache v2.
...