2 unstable releases
0.2.0 | Jun 30, 2021 |
---|---|
0.1.0 | Jun 19, 2021 |
#972 in Unix APIs
15KB
236 lines
isolated
- a child-process container for Rust on Linux
Sets up following limits:
- Limits filesystem access with
pivot_root
andoverlayfs
, making it possible to only read a fabricated read-only root filesystem (usually from Alpine minirootfs) and a single directory (writedir
) that is shared between the host and the container. - Limits network access using a network namespace. Currently access to other networks is simply disabled. In the future it should be interesting to implement a proper access control using VETH interfaces.
- Disables access to host pids and mounts using namespaces.
API stability
Not yet, although I will not be making major breaking changes without incrementing 0.x
version.
Running an example
Note that running this requires root privileges, as setting up namespaces cannot be done otherwise. This repository contains a .cargo/config
that uses sudo -E
with all cargo runners.
Firstly, download alpine minirootfs and extract that (using ./download-rootfs.sh
works).
Then cargo run --example shell
gives you an isolated interactive shell. See the source code for the example.
License
MIT
Dependencies
~6–15MB
~214K SLoC