X-Git-Url: http://mj.ucw.cz/gitweb/?a=blobdiff_plain;f=isolate%2Fisolate.1.txt;h=8fd8f24cd2164b873c446d85ce834300f72efcff;hb=16beedc9ee732c588a2ae9ade21c75f11ff9a0b8;hp=0e7952a31a61771886ce52e44093006fb9266985;hpb=a5ee18acd75108983b5e92d6f356dab4dc3ec3d4;p=moe.git diff --git a/isolate/isolate.1.txt b/isolate/isolate.1.txt index 0e7952a..8fd8f24 100644 --- a/isolate/isolate.1.txt +++ b/isolate/isolate.1.txt @@ -67,6 +67,11 @@ OPTIONS is reported, even though it slightly exceeds the limit. Fractional numbers are again allowed. +*-b, --box-id=*'id':: + When you run multiple sandboxes in parallel, you have to assign each unique + IDs to them by this option. See the discussion on UIDs in the INSTALLATION + section. The ID defaults to 0. + *-k, --stack=*'size':: Limit process stack to 'size' kilobytes. By default, the whole address space is available for the stack, but it is subject to the *--mem* limit. @@ -87,6 +92,10 @@ OPTIONS Redirect standard error output to 'file'. The 'file' has to be accessible inside the sandbox. +*-c, --chdir=*'dir':: + Change directory to 'dir' before executing the program. This path must be + relative to the root of the sandbox. + *-p, --processes*[*=*'max']:: Permit the program to create up to 'max' processes and/or threads. Please keep in mind that time and memory limit do not work with multiple processes @@ -164,7 +173,7 @@ to constrain programs consisting of multiple processes. Please note that this feature needs special system setup described in the REQUIREMENTS section. -*-c, --cg*:: +*--cg*:: Enable use of control groups. *--cg-mem=*'size':: @@ -217,7 +226,7 @@ When the program inside the sandbox finishes correctly, the sandbox returns 0. If it finishes incorrectly, it returns 1. All other return codes signal an internal error. -REQUIREMENTS +INSTALLATION ------------ Isolate depends on several advanced features of the Linux kernel. Please make sure that your kernel supports 
@@ -229,6 +238,19 @@ the cpusets (+CONFIG_CPUSETS+), CPU accounting controller (+CONFIG_CGROUP_CPUACCT+), and memory resource controller (+CONFIG_CGROUP_MEM_RES_CTLR+). +Isolate is designed to run setuid to root. The sub-process inside the sandbox +then switches to a non-privileged user ID (different for each *--box-id*). +The range of UIDs available and several filesystem paths are embedded in the +isolate's binary during compilation; please see +default.cfg+ in the source +tree for description. + +Before you run isolate with control groups, you have to mount the control group +filesystem. Most modern Linux distributions use libcgroup, which mounts a tmpfs +at /sys/fs/cgroup, with individual controllers mounted within subdirectories. +It is recommended to use your distribution's cgroup configuration support. +Debian-based distributions have a choice of the cgroup-lite or cgroup-bin +packages; Red Hat-based distributions provide the libcgroup package. + LICENSE ------- Isolate was written by Martin Mares and Bernard Blackham.
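Review bot: In the --box-id hunk (@@ -67,6 +67,11 @@), the sentence "you have to assign each unique IDs to them by this option" is ungrammatical and leaves the requirement unclear; suggest "you have to assign a unique ID to each of them using this option". The entry also gives no valid range for 'id', although the INSTALLATION text added later in this patch says the range of UIDs is fixed at compile time, so it would help to state here that the ID must fall within that configured range and what isolate does when it does not.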
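Review bot: In the --chdir hunk (@@ -87,6 +92,10 @@), "This path must be relative to the root of the sandbox" can be read either as "a relative path" or as "a path interpreted inside the sandbox root". State which one is meant and whether the directory change happens after the sandbox root has been entered, since that decides whether 'dir' can name anything outside the box. The preceding entry on redirecting standard error uses "has to be accessible inside the sandbox", and the same wording would fit here.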
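Review bot: In the --cg hunk (@@ -164,7 +173,7 @@), the short option -c is dropped from --cg while the previous hunk assigns -c to --chdir, so an existing invocation that passes -c to enable control groups changes meaning. The man page should mention the reassignment, for example with a sentence under --cg saying that older versions accepted -c for it.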
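Review bot: In the hunk renaming the REQUIREMENTS heading to INSTALLATION (@@ -217,7 +226,7 @@), the cross-reference left in the control-group text, "special system setup described in the REQUIREMENTS section" (visible as context in the @@ -164,7 +173,7 @@ hunk), now points at a section that no longer exists. Update that sentence to say INSTALLATION in the same patch.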
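Review bot: In the last hunk (@@ -229,6 +238,19 @@), "Isolate is designed to run setuid to root" is stated without the installation details an administrator needs: the expected owner and mode of the binary, and which users are meant to be able to execute it. Please also say how a --box-id maps to a UID within the compiled-in range and that this range should be reserved for isolate, rather than leaving all of it to +default.cfg+ in the source tree, which someone reading the installed man page may not have at hand.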