From 78095dfa3e5c9f3493286fd647030e6fa65e88f1 Mon Sep 17 00:00:00 2001 From: Martin Mares Date: Mon, 24 Sep 2012 17:45:31 +0200 Subject: [PATCH] Isolate: Document --box-id and installation --- isolate/isolate.1.txt | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/isolate/isolate.1.txt b/isolate/isolate.1.txt index 0e7952a..b3252de 100644 --- a/isolate/isolate.1.txt +++ b/isolate/isolate.1.txt @@ -67,6 +67,11 @@ OPTIONS is reported, even though it slightly exceeds the limit. Fractional numbers are again allowed. +*-b, --box-id=*'id':: + When you run multiple sandboxes in parallel, you have to assign each unique + IDs to them by this option. See the discussion on UIDs in the INSTALLATION + section. The ID defaults to 0. + *-k, --stack=*'size':: Limit process stack to 'size' kilobytes. By default, the whole address space is available for the stack, but it is subject to the *--mem* limit. @@ -217,7 +222,7 @@ When the program inside the sandbox finishes correctly, the sandbox returns 0. If it finishes incorrectly, it returns 1. All other return codes signal an internal error. -REQUIREMENTS +INSTALLATION ------------ Isolate depends on several advanced features of the Linux kernel. Please make sure that your kernel supports 
@@ -229,6 +234,15 @@ the cpusets (+CONFIG_CPUSETS+), CPU accounting controller (+CONFIG_CGROUP_CPUACCT+), and memory resource controller (+CONFIG_CGROUP_MEM_RES_CTLR+). +Isolate is designed to run setuid to root. The sub-process inside the sandbox +then switches to a non-privileged user ID (different for each *--box-id*). +The range of UIDs available and several filesystem paths are embedded in the +isolate's binary during compilation; please see +default.cfg+ in the source +tree for description. + +Before you run isolate with control groups, you have to mount the control group +filesystem by doing "+mount -t cgroup none -o cpuset,cpuacct,memory /sys/fs/cgroup+". + LICENSE ------- Isolate was written by Martin Mares and Bernard Blackham. -- 2.39.2
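Review bot: in the first hunk (the new `*-b, --box-id=*'id'` entry), "you have to assign each unique IDs to them" does not parse; suggest "you have to assign a unique ID to each of them by this option". Since the text says the sandbox UID is derived from the box ID, the entry should also say what the user must guarantee, i.e. that two concurrently running sandboxes never share an ID, rather than leaving that to the INSTALLATION cross-reference alone.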
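Review bot: in the third hunk (the setuid and cgroup paragraphs under INSTALLATION), "embedded in the isolate's binary" should read "embedded in the isolate binary" and "for description" should read "for a description". More importantly, because the binary runs setuid root and the per-box UID range is fixed at compile time from +default.cfg+, the paragraph should tell the administrator that this UID range must be reserved for isolate and not overlap any real user accounts, otherwise the sandboxed process runs as a UID that also owns files outside the sandbox. For the "+mount -t cgroup ...+" line, state that the command must be run as root and say whether it has to be repeated after each boot.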