From 95df4c2e845e571dc80e5310f0076f1803cca7d7 Mon Sep 17 00:00:00 2001 From: Martin Polanka Date: Wed, 26 Oct 2016 10:29:23 +0200 Subject: [PATCH] changes - isolate --- Worker.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Worker.md b/Worker.md index 3801ed3..86bc547 100644 --- a/Worker.md +++ b/Worker.md 
@@ -263,11 +263,11 @@ To add a new worker you need to do a few steps: Isolate is used as one and only sandbox for linux-based operating systems. Headquarters of this project can be found at [GitHub](https://github.com/ioi/isolate) and more of its installation and setup can be found in [installation](#installation) section. Isolate uses linux kernel features for sandboxing and thus its security depends on them, namely kernel namespaces and cgroups are used. Similar functionality can now be partially achieved with systemd. -From the very beginning of ReCodEx project there was only one thing sure: isolate will be used. Almost everything else changed but isolate stayed, this of course has some implications: main operating system of whole backend should be linux-based and worker will be designed to interact well with isolate. This precondition was fulfilled and worker has fully integrated isolate with almost all possible functionality which isolate provides. This also means that job configuration was heavily affected and reflects what isolate can do. +From the very beginning of ReCodEx project there was only one thing sure: isolate will be used. Almost everything else changed but isolate persist, this of course has some implications: main operating system of whole backend should be linux-based and worker will be designed to interact well with isolate. This precondition was fulfilled and worker has fully integrated isolate with almost all possible functionality which isolate provides. This also means that job configuration was heavily affected and reflects what isolate can do. -Isolate as sandbox provides wide scale of functionality which can be used to limits programs resources or even cut off particular resources from sandboxed program. 
There is of course basics like limiting cpu-time and memory consumption, but there can be found also wall-time (human perception of time) or extra-time which is extra limit which is added to other time limits to increase chance of successful exiting of sandboxed program. From other features: limiting stack-size, redirection of stdin, stdout or stderr into/to file. Worth of mentioning is also define number of processes/threads which can be created or defining environment variables which are passed to sandboxed program. +Isolate as sandbox provides wide scale of functionality which can be used to limit resources or even cut off particular resources from sandboxed program. There is of course basics like limiting cpu-time and memory consumption, but there can be found also wall-time (human perception of time) or extra-time which is extra limit added to other time limits to increase chance of successful exiting of sandboxed program. From other features there is limiting stack-size, redirection of stdin, stdout or stderr into/to file. Worth of mentioning is also defining number of processes/threads which can be created or defining environment variables which are passed to sandboxed program. -Chapter by itself is filesystem handling. Isolate uses mount kernel namespace to create "virtual" filesystem which will be used in sandboxed program. By default there are only few read-only files/directories mapped into sandbox (described in isolate man-page). By default folders are mapped as read-only but isolate has few access options which can be set. +Chapter by itself is filesystem handling. Isolate uses mount kernel namespace to create "virtual" filesystem which will be mounted in sandboxed program. By default there are only few read-only files/directories mapped into sandbox (described in isolate man-page). This can be of course changed by providing another numerous folders as isolate parameters. 
By default folders are mapped as read-only but isolate has few access options which can be set to some mount point. #### Limit isolate boxes to particular cpu or memory node
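Review bot: In the first changed paragraph, "Almost everything else changed but isolate persist" is ungrammatical and reads worse than the removed "isolate stayed". Use "isolate persisted" or keep the original verb, and start a new sentence at "this of course has some implications". In the filesystem paragraph, "virtual filesystem which will be mounted in sandboxed program" is less clear than the removed "used in"; the filesystem is mounted for the sandbox, not inside the program. The added sentence "This can be of course changed by providing another numerous folders as isolate parameters" would read better as "Additional directories can be mapped by passing them as isolate parameters". The last sentence now says the access options "can be set to some mount point" but still does not say what they are. Since the text relies on the read-only default to describe what the sandboxed program can touch, either list the access options here or point to the isolate man-page as the preceding sentence does, and state that any mapping other than read-only has to be requested explicitly per directory.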