Process isolation for Linux using namespaces, resource limits and seccomp. It works by creating a new, completely empty mount namespace whose root is a tmpfs that is invisible from the host and is automatically cleaned up when the last process exits.
- Install libseccomp by following this guide.
- Install the Rust toolchain, so that `cargo` is available, by following this guide.
- Run `cargo install hakoniwa-cli`.
```console
$ hakoniwa run -- sh
sh: cannot set terminal process group (-1): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.2$ pwd
/
sh-5.2$ ls
bin etc lib lib64 proc sbin usr
sh-5.2$ ls /proc
1 bus crypto execdomains ioports kmsg meminfo net self sysrq-trigger version
3 cgroups devices fb irq kpagecgroup misc pagetypeinfo slabinfo sysvipc vmallocinfo
acpi cmdline diskstats filesystems kallsyms kpagecount modules partitions softirqs thread-self vmstat
asound config.gz dma fs kcore kpageflags mounts pressure stat timer_list zoneinfo
bootconfig consoles driver interrupts key-users loadavg mtd schedstat swaps tty
buddyinfo cpuinfo dynamic_debug iomem keys locks mtrr scsi sys uptime
sh-5.2$ exit
exit
```
More examples can be found in hakoniwa-cli/examples.
The code below is almost equivalent to `hakoniwa run -- sh`:
```rust
use hakoniwa::Container;

fn main() {
    _ = Container::new()  // Create a Container with new namespaces via unshare
        .rootfs("/")      // Mount the necessary directories from the host, e.g. `/bin`
        .command("/bin/sh") // Create the Command to run inside the container
        .status()         // Execute it and wait for the exit status
        .expect("failed to execute process within container");
}
```
More examples can be found in hakoniwa/examples.
- Special thanks to bubblewrap.
The CLI is licensed under the GPL-3.0-only.
The Library is licensed under the LGPL-3.0-linking-exception.