13个版本
| 0.5.2 | 2024年4月22日 |
|---|---|
| 0.5.1 | 2024年2月20日 |
| 0.5.0 | 2023年11月4日 |
| 0.4.8 | 2023年8月27日 |
| 0.2.1 | 2022年8月18日 |
#454 in 开发工具
124 每月下载量
在 2 crates 中使用
81KB
1.5K SLoC
Hakoniwa
使用namespaces、资源限制和seccomp实现Linux进程隔离。它通过创建一个全新的、完全空的挂载namespace,其中根位于不可见的tmpfs上,并在最后一个进程退出时自动清理。然后,您可以使用策略配置文件或命令行选项来构建根文件系统和namespace中的进程环境和要运行的命令。
安装
Cargo
使用方法
CLI
当使用命令行时,hakoniwa-run将加载一个默认策略配置文件KISS-policy.toml,以确保创建最小挂载namespace,使用--policy-file使用您的自定义版本。
$ hakoniwa run --verbose -- /bin/bash
[2022-08-21T09:14:11Z INFO hakoniwa::cli::run] Configuration: "KISS-policy.toml"
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/tmp/hakoniwa-EJemcsRL", container_path: "/"
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "", container_path: "/proc", fstype: "proc"
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/usr/bin", container_path: "/bin", fstype: "", rw: false
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/usr/lib", container_path: "/lib", fstype: "", rw: false
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/usr/lib", container_path: "/lib64", fstype: "", rw: false
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/usr", container_path: "/usr", fstype: "", rw: false
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/dev/null", container_path: "/dev/null", fstype: "", rw: true
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/dev/random", container_path: "/dev/random", fstype: "", rw: true
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/dev/urandom", container_path: "/dev/urandom", fstype: "", rw: true
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Mount point: host_path: "/dev/zero", container_path: "/dev/zero", fstype: "", rw: true
[2022-08-21T09:14:11Z INFO hakoniwa::executor] UID map: host_id: 5001, container_id: 5001
[2022-08-21T09:14:11Z INFO hakoniwa::executor] GID map: host_id: 1000, container_id: 1000
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Seccomp: disabled
[2022-08-21T09:14:11Z INFO hakoniwa::executor] Execve: /bin/bash ["/bin/bash"]
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$ pwd
/
bash-5.1$ ls
bin dev lib lib64 proc usr
bash-5.1$ ls /dev
null random urandom zero
bash-5.1$ ls /proc
1 bus crypto execdomains ioports kmsg locks mtrr scsi sys uptime
4 cgroups devices fb irq kpagecgroup meminfo net self sysrq-trigger version
acpi cmdline diskstats filesystems kallsyms kpagecount misc pagetypeinfo slabinfo sysvipc vmallocinfo
asound config.gz dma fs kcore kpageflags modules partitions softirqs thread-self vmstat
bootconfig consoles driver interrupts key-users latency_stats mounts pressure stat timer_list zoneinfo
buddyinfo cpuinfo dynamic_debug iomem keys loadavg mtd schedstat swaps tty
bash-5.1$ exit
exit
[2022-08-21T09:14:27Z INFO hakoniwa::executor] Result: {"status":"OK","reason":"","exit_code":0,"start_time":"2022-08-21T09:14:11.058546277Z","real_time":{"secs":16,"nanos":460452556},"system_time":{"secs":0,"nanos":8744000},"user_time":{"secs":0,"nanos":3149000},"max_rss":3780}
更多示例可以在hakoniwa-cli/examples中找到。
Rust 库
以下代码几乎等同于hakoniwa run --policy-file KISS-policy.toml -- /bin/bash
use hakoniwa::{Error, Sandbox, SandboxPolicy, Stdio};
fn main() -> Result<(), Error> {
let policy = SandboxPolicy::from_str(
r#"
mounts = [
{ source = "/bin" , target = "/bin" },
{ source = "/lib" , target = "/lib" },
{ source = "/lib64" , target = "/lib64" },
{ source = "/usr" , target = "/usr" },
{ source = "/dev/null" , target = "/dev/null" , rw = true },
{ source = "/dev/random" , target = "/dev/random" , rw = true },
{ source = "/dev/urandom", target = "/dev/urandom" , rw = true },
{ source = "/dev/zero" , target = "/dev/zero" , rw = true },
]
[env]
LANG = {{ os_env "LANG" }}
LANGUAGE = {{ os_env "LANGUAGE" }}
LC_ALL = {{ os_env "LC_ALL" }}
TERM = {{ os_env "TERM" }}
"#,
)?;
let mut sandbox = Sandbox::new();
sandbox.with_policy(policy);
let prog = std::env::var("SHELL").unwrap_or_else(|_| String::from("/bin/sh"));
let argv = vec![&prog];
let mut executor = sandbox.command(&prog, &argv);
let result = executor
// .ro_bind("/etc", "/myetc")? // --ro-bind /etc:/myetc
// .rw_bind("/data", "/data")? // --rw-bind /data
// .limit_cpu(Some(2)) // --limit-cpu 2
// .limit_walltime(Some(5)) // --limit-walltime 5
.stdout(Stdio::inherit())
.stderr(Stdio::inherit())
.stdin(Stdio::inherit())
.run();
dbg!(result);
Ok(())
}
更多示例可以在hakoniwa/examples中找到。
在Docker中运行
首先,克隆此仓库并构建docker镜像
$ make prodcontainer
然后,在容器中运行hakoniwa命令
$ docker run --privileged --rm -it hakoniwa-prodcontainer:latest hakoniwa run --verbose -- /bin/bash
[2023-11-04T09:24:27Z INFO hakoniwa::cli::run] Configuration: "KISS-policy.toml"
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/tmp/hakoniwa-yBV2slf6", container_path: "/"
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "", container_path: "/proc", fstype: "proc"
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/bin", container_path: "/bin", fstype: "", rw: false
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/lib", container_path: "/lib", fstype: "", rw: false
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/lib64", container_path: "/lib64", fstype: "", rw: false
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/usr", container_path: "/usr", fstype: "", rw: false
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/dev/null", container_path: "/dev/null", fstype: "", rw: true
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/dev/random", container_path: "/dev/random", fstype: "", rw: true
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/dev/urandom", container_path: "/dev/urandom", fstype: "", rw: true
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Mount point: host_path: "/dev/zero", container_path: "/dev/zero", fstype: "", rw: true
[2023-11-04T09:24:27Z INFO hakoniwa::executor] UID map: host_id: 1000, container_id: 1000
[2023-11-04T09:24:27Z INFO hakoniwa::executor] GID map: host_id: 1000, container_id: 1000
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Seccomp: disabled
[2023-11-04T09:24:27Z INFO hakoniwa::executor] Execve: /bin/bash ["/bin/bash"]
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$ pwd
/
bash-5.1$ ls
bin dev lib lib64 proc usr
bash-5.1$ ls /dev
null random urandom zero
bash-5.1$ ls /proc
1 bus crypto execdomains ioports kmsg locks mtrr scsi sys uptime
4 cgroups devices fb irq kpagecgroup meminfo net self sysrq-trigger version
acpi cmdline diskstats filesystems kallsyms kpagecount misc pagetypeinfo slabinfo sysvipc vmallocinfo
asound config.gz dma fs kcore kpageflags modules partitions softirqs thread-self vmstat
bootconfig consoles driver interrupts keys latency_stats mounts pressure stat timer_list zoneinfo
buddyinfo cpuinfo dynamic_debug iomem key-users loadavg mtd schedstat swaps tty
bash-5.1$ exit
exit
[2023-11-04T09:24:40Z INFO hakoniwa::executor] Result: {"status":"OK","reason":"","exit_code":0,"start_time":"2023-11-04T09:24:27.975208221Z","real_time":{"secs":12,"nanos":171313268},"system_time":{"secs":0,"nanos":2516000},"user_time":{"secs":0,"nanos":10995000},"max_rss":3584}
如何操作
致谢
- 特别感谢bubblewrap。
许可证
许可协议为以下之一
- Apache License, Version 2.0 (LICENSE-APACHE 或 https://apache.ac.cn/licenses/LICENSE-2.0)
- MIT许可证 (LICENSE-MIT 或 http://opensource.org/licenses/MIT)
任选其一。
贡献
除非您明确声明,否则根据Apache-2.0许可证定义,您有意提交的任何贡献,只要包含在本作品中,均应双许可,如上所述,没有任何附加条款或条件。
依赖关系
~10–20MB
~269K SLoC