Minion is library implementing highly isolated sandboxes on top of low-level OS APIs. Features:
- Security isolation: sandboxed process runs with reduced privileges, and these privileges can be configured by user.
- Resource restrictions: CPU time and RAM usage can be limited, ensuring that sandbox can't starve other processes.
Additionally, CLI tool is provided for simple use cases.
Build requirements:
- Latest stable Rust (minion may compile successfully on older toolchains, but this is not guarenteed).
Add following to Cargo.toml
:
# under [dependencies]:
minion = { git = "https://github.com/jjs-dev/minion" }
# otherwise nightly rust is required
rm -rf .cargo
cargo build --package minion-ffi --release
Following files should appear somewhere in target
:
minion-ffi-prepend.h
&minion-ffi.h
- header fileslibminion_ffi.a
- static librarylibminion_ffi.so
- shared library
docker pull ghcr.io/jjs-dev/minion:latest
(You can use minion-cli directly from image, or you can unpack image).
# otherwise nightly rust is required
rm -rf .cargo
cargo build --package minion-cli --release