libjail-rs
libjail-rs aims to be a rust implementation of the FreeBSD jail(3) library. While feature parity is a goal, a one-to-one implementation of all functions in jail(3) is not.
Is it any good?
Can I use it?
This library is still under heavy development, but seems to work so far. No stability guarantees are made.
How do I use it?
jail = "*"
Execute a command in a jail:
use jail::process::Jailed;
use jail::StoppedJail;
use std::process::Command;
fn main() {
let stopped = StoppedJail::new("/path/to/root")
.name("alcatraz")
.ip("127.0.1.2".parse().unwrap())
.ip("fe80::2".parse().unwrap * ())
.param("allow.raw_sockets", param::Value::Int(1));
let running = stopped.start().expect("Couldn't start Jail");
let output = Command::new("hostname")
.jail(&running)
.output()
.expect("Failed to execute command");
println!("output: {:?}", output.stdout);
running.kill();
}
Is it fast?
There are a few benchmarks included. Run them with sudo cargo bench
(yes, starting a jail requires being root
).
These are some results on my laptop, on slow, spinning disks:
test echo_helloworld_free ... bench: 271,418 ns/iter (+/- 17,522)
test echo_helloworld_jailed ... bench: 461,749 ns/iter (+/- 26,267)
test get_ips ... bench: 29,591 ns/iter (+/- 3,315)
test start_echo_helloworld_stop ... bench: 504,978 ns/iter (+/- 23,717)
test start_stop_ipjail ... bench: 27,220 ns/iter (+/- 2,141)
test start_stop_ipv4jail ... bench: 26,307 ns/iter (+/- 2,159)
test start_stop_ipv6jail ... bench: 26,988 ns/iter (+/- 2,486)
test start_stop_jail ... bench: 25,760 ns/iter (+/- 2,244)