Sandbox-Guide/scripts/setup-cgroups.sh at main · NeaByteLab/Sandbox-Guide · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/bin/bash
# Setup cgroups for sandbox container

CONTAINER_ID=$1

# Create cgroup directories
mkdir -p /sys/fs/cgroup/memory/sandbox/container_${CONTAINER_ID}
mkdir -p /sys/fs/cgroup/cpu/sandbox/container_${CONTAINER_ID}
mkdir -p /sys/fs/cgroup/cpuacct/sandbox/container_${CONTAINER_ID}
mkdir -p /sys/fs/cgroup/pids/sandbox/container_${CONTAINER_ID}
mkdir -p /sys/fs/cgroup/devices/sandbox/container_${CONTAINER_ID}

# Memory limits (4GB)
echo 4294900000 > /sys/fs/cgroup/memory/sandbox/container_${CONTAINER_ID}/memory.limit_in_bytes
echo 4294900000 > /sys/fs/cgroup/memory/sandbox/container_${CONTAINER_ID}/memory.memsw.limit_in_bytes
echo 1 > /sys/fs/cgroup/memory/sandbox/container_${CONTAINER_ID}/memory.oom_control

# CPU limits
echo 1024 > /sys/fs/cgroup/cpu/sandbox/container_${CONTAINER_ID}/cpu.shares
echo 200000 > /sys/fs/cgroup/cpu/sandbox/container_${CONTAINER_ID}/cpu.cfs_quota_us
echo 100000 > /sys/fs/cgroup/cpu/sandbox/container_${CONTAINER_ID}/cpu.cfs_period_us

# PID limits
echo 100 > /sys/fs/cgroup/pids/sandbox/container_${CONTAINER_ID}/pids.max

# Device whitelist
cat > /sys/fs/cgroup/devices/sandbox/container_${CONTAINER_ID}/devices.allow << 'DEVICES'
c 1:3 rwm    # /dev/null
c 1:5 rwm    # /dev/zero
c 1:7 rwm    # /dev/full
c 1:8 rwm    # /dev/random
c 1:9 rwm    # /dev/urandom
c 5:0 rwm    # /dev/tty
c 5:2 rwm    # /dev/ptmx
c 136:* rwm  # /dev/pts/*
DEVICES

echo "Cgroups configured for container ${CONTAINER_ID}"