isolated 0.2.0

Child-process container for Linux hosts
# `isolated` - a child-process container for Rust on Linux

[![crates.io badge](https://img.shields.io/crates/v/isolated.svg)](https://crates.io/crates/isolated)
[![docs.rs badge](https://docs.rs/isolated/badge.svg)](https://docs.rs/isolated/)

Sets up the following limits:
* Limits filesystem access with `pivot_root` and `overlayfs`, so the child can only read a prepared read-only root filesystem (usually an Alpine minirootfs) plus a single directory (`writedir`) that is shared between the host and the container.
* Limits network access with a network namespace. Currently, network access to anything outside the container is simply disabled; proper access control using veth interfaces would be an interesting future addition.
* Hides host PIDs and mounts from the child using PID and mount namespaces.
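As an added self-check (example code written for this page, not part of the `isolated` crate or its `shell` example), the program below, run from inside the container, parses `/proc/net/dev`, `/proc/self/mountinfo` and the entries of `/proc` to confirm the three limits above: the root mount is a read-only overlay, only the loopback interface is visible, and only the container's own PIDs appear. The parsers take file contents as strings, so they can also be exercised on constructed input outside a container.

```rust
use std::fs;

/// Interface names from /proc/net/dev (two header lines, then "  lo: ...").
pub fn interfaces(net_dev: &str) -> Vec<String> {
    net_dev.lines().skip(2)
        .filter_map(|l| l.split(':').next())
        .map(|s| s.trim().to_string())
        .filter(|s| !s.is_empty())
        .collect()
}

/// (mount point, fstype, read-only?) per /proc/self/mountinfo line. Layout:
/// id parent maj:min root mountpoint options [optional..] - fstype source superopts
pub fn mounts(mountinfo: &str) -> Vec<(String, String, bool)> {
    mountinfo.lines().filter_map(|l| {
        let (pre, post) = l.split_once(" - ")?;
        let pre: Vec<&str> = pre.split_whitespace().collect();
        let fstype = post.split_whitespace().next()?;
        let ro = pre.get(5)?.split(',').any(|o| o == "ro");
        Some((pre.get(4)?.to_string(), fstype.to_string(), ro))
    }).collect()
}

/// Count of /proc entries that are process directories (all-digit names).
pub fn visible_pids(proc_entries: &[&str]) -> usize {
    proc_entries.iter()
        .filter(|e| !e.is_empty() && e.chars().all(|c| c.is_ascii_digit()))
        .count()
}

pub struct Report { pub root_is_ro_overlay: bool, pub only_loopback: bool, pub pids: usize }

/// Evaluate the three README limits against the given /proc contents.
pub fn check(net_dev: &str, mountinfo: &str, proc_entries: &[&str]) -> Report {
    let root_is_ro_overlay = mounts(mountinfo).iter()
        .any(|(mp, fstype, ro)| mp == "/" && fstype == "overlay" && *ro);
    let only_loopback = interfaces(net_dev).iter().all(|i| i == "lo");
    Report { root_is_ro_overlay, only_loopback, pids: visible_pids(proc_entries) }
}

fn main() -> std::io::Result<()> {
    let net_dev = fs::read_to_string("/proc/net/dev")?;
    let mountinfo = fs::read_to_string("/proc/self/mountinfo")?;
    let names: Vec<String> = fs::read_dir("/proc")?.filter_map(|e| e.ok())
        .map(|e| e.file_name().to_string_lossy().into_owned()).collect();
    let refs: Vec<&str> = names.iter().map(String::as_str).collect();
    let r = check(&net_dev, &mountinfo, &refs);
    println!("root is read-only overlay: {}", r.root_is_ro_overlay);
    println!("only loopback interface:   {}", r.only_loopback);
    println!("pids visible in /proc:     {}", r.pids);
    Ok(())
}
```

On the host all three answers should differ from those inside the container (root is not an overlay, real interfaces exist, many PIDs are visible), which makes the check a quick way to confirm `cargo run --example shell` actually applied the namespaces.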

## API stability

Not yet, although I will not be making major breaking changes without incrementing the `0.x` version.

## Running an example

Note that running this requires root privileges, since namespaces cannot be set up otherwise. This repository contains a `.cargo/config` that runs all cargo runners through `sudo -E`.

First, download the Alpine minirootfs and extract it (running [`./download-rootfs.sh`](download-rootfs.sh) does this).

Then `cargo run --example shell` gives you an isolated interactive shell. See [the source code for the example](examples/shell.rs).

## License

MIT