From 34e16142078df5d9f7cfd40ced91b4c4829ce1d7 Mon Sep 17 00:00:00 2001 From: Martin Polanka Date: Tue, 25 Oct 2016 23:49:53 +0200 Subject: [PATCH] isolate --- Worker.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Worker.md b/Worker.md index b2538dd..3801ed3 100644 --- a/Worker.md +++ b/Worker.md 
@@ -261,9 +261,13 @@ To add a new worker you need to do a few steps: ### Isolate -Isolate is used as one and only sandbox for linux-based operating systems. Headquarters of this project can be found at [GitHub](https://github.com/ioi/isolate) and more of its installation and setup can be found in [installation](#installation) section. +Isolate is used as one and only sandbox for linux-based operating systems. Headquarters of this project can be found at [GitHub](https://github.com/ioi/isolate) and more of its installation and setup can be found in [installation](#installation) section. Isolate uses linux kernel features for sandboxing and thus its security depends on them, namely kernel namespaces and cgroups are used. Similar functionality can now be partially achieved with systemd. -// TODO: further desc +From the very beginning of ReCodEx project there was only one thing sure: isolate will be used. Almost everything else changed but isolate stayed, this of course has some implications: main operating system of whole backend should be linux-based and worker will be designed to interact well with isolate. This precondition was fulfilled and worker has fully integrated isolate with almost all possible functionality which isolate provides. This also means that job configuration was heavily affected and reflects what isolate can do. + +Isolate as sandbox provides wide scale of functionality which can be used to limits programs resources or even cut off particular resources from sandboxed program. There is of course basics like limiting cpu-time and memory consumption, but there can be found also wall-time (human perception of time) or extra-time which is extra limit which is added to other time limits to increase chance of successful exiting of sandboxed program. From other features: limiting stack-size, redirection of stdin, stdout or stderr into/to file. 
Worth of mentioning is also define number of processes/threads which can be created or defining environment variables which are passed to sandboxed program. + +Chapter by itself is filesystem handling. Isolate uses mount kernel namespace to create "virtual" filesystem which will be used in sandboxed program. By default there are only few read-only files/directories mapped into sandbox (described in isolate man-page). By default folders are mapped as read-only but isolate has few access options which can be set. #### Limit isolate boxes to particular cpu or memory node
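Review bot: The sentence "Similar functionality can now be partially achieved with systemd" in the first added paragraph is left unexplained; since the same line states that isolate's security depends on kernel namespaces and cgroups, either name which systemd facilities are meant and whether the worker relies on them, or drop the sentence so readers do not infer that systemd is an alternative sandbox the worker supports. The replacement of "// TODO: further desc" with the new paragraphs still leaves the filesystem paragraph vague: "By default there are only few read-only files/directories mapped into sandbox" and "By default folders are mapped as read-only but isolate has few access options which can be set" say the same thing twice without naming the options, so list them or link the relevant man-page section instead of "(described in isolate man-page)". Grammar in the added lines should also be tightened before merge, for example "wide scale of functionality which can be used to limits programs resources" (to "a wide range of functionality for limiting a program's resources") and "Worth of mentioning is also define number of processes/threads" (to "It is also worth mentioning that the number of processes/threads can be limited"); the run-on "Almost everything else changed but isolate stayed, this of course has some implications:" should be split into two sentences.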