Docker-based engine for executing untrusted code in isolated containers.
- HTTP API for code execution in disposable containers
- JSON-based stdin/stdout communication
- Per-container resource isolation and limits
- Optional gVisor runtime support
| Method | Route | Auth Required | Purpose |
|---|---|---|---|
| GET | / | No | Service info |
| GET | /version | Yes | Docker info |
| POST | /run | Yes | Execute code |
Standard Runtime:
Python: 250-350ms
C: 330-430ms
Haskell: 500-700ms
Java: 2000-2200ms
With gVisor:
Python: 450-570ms
C: 1300-1500ms
Haskell: 1760-2060ms
Java: 4570-4800ms
- Process limits (fork bomb protection)
- Execution timeouts
- Output size caps
- Memory limits
- Network isolation (optional)
- Capability dropping
- gVisor runtime (optional)
curl -fsSL https://raw.githubusercontent.com/toolkithub/rce-engine/main/scripts/install.sh -o install.sh
sudo bash ./install.shRequired Environment Variables:
SERVER_* - HTTP server settings
API_ACCESS_TOKEN - Authentication
DOCKER_* - Container config
RUN_MAX_* - Execution limits
Optional:
DOCKER_CONTAINER_READONLY_ROOTFS - Read-only root
DOCKER_CONTAINER_TMP_DIR_* - Temp directory settings
DOCKER_CONTAINER_WORK_DIR_* - Work directory config
DEBUG_KEEP_CONTAINER - Debug mode
- Store sensitive data on separate machines
- Docker containers have lower isolation than VMs
- Use provided security controls based on threat model
- Consider network isolation and capability dropping
Q: How are fork bombs handled?
A: DOCKER_CONTAINER_ULIMIT_NPROC_HARD limits process creation
Q: How are infinite loops handled?
A: RUN_MAX_EXECUTION_TIME enforces execution timeout
Q: How is large output handled?
A: RUN_MAX_OUTPUT_SIZE caps output size
Q: How is high memory usage handled?
A: DOCKER_CONTAINER_MEMORY sets memory limits
- Systemd service (recommended)
- Docker container
- With gVisor runtime
Docs: See /docs/install/ for detailed setup guides