isolated 0.2.0

Child-process container for Linux hosts
Owners: Dentosal

isolated - a child-process container for Rust on Linux


Sets up the following limits:

  • Limits filesystem access with pivot_root and overlayfs, so the child process can access only a fabricated read-only root filesystem (usually from Alpine minirootfs) and a single directory (writedir) that is shared between the host and the container.
  • Limits network access using a network namespace. Currently access to other networks is simply disabled. In the future it would be interesting to implement proper access control using VETH interfaces.
  • Disables access to host pids and mounts using namespaces.
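One way to confirm the network and filesystem limits from inside the container is to inspect /proc/net/dev and /proc/self/mountinfo. The program below is an added example, not code from the isolated crate; the function names are hypothetical, and what it reports depends on how the container was actually set up.

```rust
// Added example, not part of the isolated crate: run inside the container
// (e.g. from the example shell) to see what the sandbox actually exposes.
use std::fs;

/// Names of non-loopback interfaces in /proc/net/dev text. In a network
/// namespace with outside access disabled this should be empty.
pub fn non_loopback_interfaces(net_dev: &str) -> Vec<String> {
    net_dev
        .lines()
        .filter_map(|l| l.split_once(':')) // the two header lines have no ':'
        .map(|(name, _)| name.trim().to_string())
        .filter(|name| name != "lo")
        .collect()
}

/// (mount point, fs type) of every mount in /proc/self/mountinfo text whose
/// per-mount options contain "rw". Compare the result with the directories
/// that are meant to be writable (for this crate, the shared writedir).
pub fn writable_mounts(mountinfo: &str) -> Vec<(String, String)> {
    mountinfo
        .lines()
        .filter_map(|line| {
            // "<id> <parent> <maj:min> <root> <mount point> <opts> [optional...] - <fstype> <src> <super opts>"
            let (left, right) = line.split_once(" - ")?;
            let fields: Vec<&str> = left.split_whitespace().collect();
            let (point, opts) = (*fields.get(4)?, *fields.get(5)?);
            let fstype = right.split_whitespace().next()?;
            opts.split(',')
                .any(|o| o == "rw")
                .then(|| (point.to_string(), fstype.to_string()))
        })
        .collect()
}

fn main() {
    // Missing files (non-Linux host, /proc not mounted) are treated as empty.
    let net = fs::read_to_string("/proc/net/dev").unwrap_or_default();
    let mounts = fs::read_to_string("/proc/self/mountinfo").unwrap_or_default();
    println!("non-loopback interfaces: {:?}", non_loopback_interfaces(&net));
    for (point, fstype) in writable_mounts(&mounts) {
        println!("writable: {point} ({fstype})");
    }
}
```

Pseudo-filesystems such as proc can also appear in the writable list; whether that is expected depends on the container setup.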

API stability

Not yet, although I will not be making major breaking changes without incrementing the 0.x version.

Running an example

Note that running this requires root privileges, as setting up namespaces cannot be done otherwise. This repository contains a .cargo/config that uses sudo -E with all cargo runners.

First, download the Alpine minirootfs and extract it (using ./download-rootfs.sh works).

Then cargo run --example shell gives you an isolated interactive shell. See the source code for the example.

License

MIT