{ "info": { "author": "Da_Blitz", "author_email": "code@pocketnix.org", "bugtrack_url": null, "classifiers": [ "Programming Language :: Python :: 3" ], "description": "Asylum \n======= \n\nIntro \n------ \nA lib to use the unshare/clone syscalls from linux directly. also \nprovides support for seccomp for applications that have been \nspecifically written to use it\n\nQuick start Guide\n------------------\n# Clone the repository\n$ hg clone http://code.pocketnix.org/asylum\n$ cd asylum\n\n# Built a temporary/Zero install enviroment\n$ virtualenv env\n$ . env/bin/activate\n$ python ./setup.py install\n\n# Launch the program\n$ sudo asylum start -HPMIN --hostname example.com #NOTE: needs root priviliges to run\n$ hostname\n\nhostname should now spit out 'example.org' in the asylum jail and remain \nunchanged in another terminal. to confirm that asylum has fully isolated \nthe enviroment, try setting the hostname in the asylum jail and confirm\nthat the hostname for your system has not changed\n\nUses\n-----\n* Executing unsafe code\n* More advanced chrooting\n* OS virtualisation/bootstrapping\n* Network Simulation\n* Experimenting with different setups\n* Preinstallation steps for new machines\n* Vhosting\n* Performing MITM on locally running applications\n\nGoals\n------\nTo provide several security and virtualisation primitives that can\neasily be integrated into python programs. \n\n#. Provide Strong simple primitives to existing python programs\n Where possible make these drop in replacements (eg PEP-3143)\n#. Provide a virtualenv like tool for creating and running virtual\n environments\n#. Provide wrappers for low level syscalls\n\nFeatures\n---------\n* Direct setting of hostname\n* Direct mounting of filesystems without calling /sbin/mount\n* Setting and dropping of capabilities\n* Syscall wrapper generation for the brave\n* pivot_root support for full isolation\n* prctl syscall\n* clone/unshare syscall support\n\nComing Soon\n------------\nFeatures that are planned but have not yet come to fruition\n* PEP-3143 daemon process support (http://www.python.org/dev/peps/pep-3143/)\n increases the security of the chroot option\n* Recording of namespace state/status for querying (start/stop)\n* Optional management daemon\n* Optional web interface for management daemon\n* Basic image setup hooks\n* Command orientated cmdline args (similar to virtualenv)\n* Plugin support\n* Config file support\n* Reconnect to running namespace (setns)\n\nRequirements\n-------------\n* A recent linux kernel with cgroups and namespace support\n (Tested on a 2.6.37 hand compiled kernel)\n* an x86 processor (32bit or 64bit), support for other archs is \n available on request. this syscall constants just need to be\n updated\n\n* python >= 3.0\n* argparse module\n\nOR\n\n* python >= 3.2\n\nOR\n\n* python >= 2.7 \n\nOR\n\n* pypy >= 1.5\n\n\nCompiling a namespace capable Kernel\n-------------------------------------\nIf your linux kernel does not have the required features then you may\nbe able to compile your own kernel by downloading the source packages\nfor your distribution and compiling a kernel yourself.\n\nif you are using a graphical tool (eg as launched by typing \"make nconfig\")\nthen you will need to ensure the following options are enabled\n\nNamespaces\n+++++++++++\nGeneral Setup\n--> Namespaces Support\n --> UTS Namespace\n --> IPC Namespace\n --> User Namespace\n --> PID Namespace\n --> Network Namespace\n\nCgroups\n++++++++\nGeneral Setup\n--> Control Group Support\n --> Enable options as required\n\nif invoking \"make config\" to set the required options or editing an existing\nkernel config (eg one taken from /proc/config or /proc/config.gz) then the \nconfig options you need to change can be obtained by running \"asylum -d\" to \nperform auto detection of the settings and listing their name and current\nstate\n\nyou may wish to enable basic routing support (normmaly enabled by default)\nas well as etun and macvlan support. seccomp support\n\nNetworking\n+++++++++++\nDevice Drivers\n--> Network device support\n --> MAC-VLAN support\n -->Virtual ethernet pair device\n\nSeccomp\n++++++++\nProcessor type and features\n--> Enable seccomp to safely compute untrusted bytecode\n\nNotes\n------\nThe kernel documentation/manpages do not always line up with exactly what linux\ndoes, some syscalls raise EPERM incorectly (eg pivot_root and EBUSY), where \nposible i have tried to put all edge cases in the exception message or as \nnotes in the src however if you find new ones let me know asap at\ncode@pocketnix.org\n\nExamples\n---------\nThe following example shows how to create a namespace with its own \nseparate network and idea of the machines hostname and domain, you \ncan make changes to the hostname and interfaces without affecting \nyour main workspace. as these are lightweight you can easily create \n100's of namespaces to perform things like creating virtual networks. \nfor creating network 'pipes' between namespaces take a look at vtun \nor refer to the documents on http://www.pocketnix.org (coming soon). \nto share the main Ethernet interface between multiple namespaces it \nis recommended to use macvlan if you wish to use features such as \ntcpdump or dhcp in the guest namespace, otherwise routing may suffice\n\n$ sudo ipython\n>>> import asylum\n# Here we enable IPC, UTS (kernel domain name) and NET namespaces\n>>> asylum.isolate(None, False, False, True, False, True, True)\n>>> !ip ad sh\n13: lo: mtu 16436 qdisc noop state DOWN\n link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n14: sit0: mtu 1480 qdisc noop state DOWN\n link/sit 0.0.0.0 brd 0.0.0.0\n\n>>> !hostname thisisatest\n>>> !domainname example.com\n\n# now go to a seperate terminal and enter the following\n$ hostname; domainname\n\n# Now go back to ipython and enter the following\n>>> import socket\n>>> socket.gethostname()\n'thisisatest'\n\nGetting Support\n----------------\nI am more than willing to help people get the code up and running or get\nup to speed on developing with the code, drop me a line #insane-asylum on \nirc.freenode.net, xmpp://code@conference.pockentix.org or email\ncode@pocketnix.org\n\nif you have bug reports send them in, i am happy to fix them. same goes\nfor feature requests and comments on my code quality. \n\nif you are using this in production let me know :D\n\nLinks\n------\n* Documents on LXC and networking with unshare: http://www.pocketnix.org", "description_content_type": null, "docs_url": null, "download_url": "http://code.pocketnix.org/asylum/archive/tip.tar.bz2", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://code.pocketnix.org/asylum", "keywords": "linux virtual virtualistion virtualization LXC openVZ container containerization containerisation", "license": "MIT BSD", "maintainer": null, "maintainer_email": null, "name": "asylum", "package_url": "https://pypi.org/project/asylum/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/asylum/", "project_urls": { "Download": "http://code.pocketnix.org/asylum/archive/tip.tar.bz2", "Homepage": "http://code.pocketnix.org/asylum" }, "release_url": "https://pypi.org/project/asylum/0.4.1/", "requires_dist": null, "requires_python": null, "summary": "Lightweight containerization solution for Linux", "version": "0.4.1" }, "last_serial": 786530, "releases": { "0.3": [], "0.4": [ { "comment_text": "", "digests": { "md5": "7f1e47d222caaf143d0382f5eac0777d", "sha256": "6d2ed7e921cca4f337b7d8cb237d9c5fd4ebbae84a151be12eb5c90e21422505" }, "downloads": -1, "filename": "asylum-0.4.tar.gz", "has_sig": false, "md5_digest": "7f1e47d222caaf143d0382f5eac0777d", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 36431, "upload_time": "2013-03-21T02:48:00", "url": "https://files.pythonhosted.org/packages/f3/bb/c959cfe93574b75b3a86a4f160a9add743349f01062c75face46f45a0055/asylum-0.4.tar.gz" } ], "0.4.1": [ { "comment_text": "", "digests": { "md5": "38342abbe9fed2a40271858926fc3232", "sha256": "b9a02f9f69852908e8c4f01978bdc4faf20f880e0abe9d7b3951e408e1eb1e3b" }, "downloads": -1, "filename": "asylum-0.4.1.tar.gz", "has_sig": false, "md5_digest": "38342abbe9fed2a40271858926fc3232", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 36456, "upload_time": "2013-03-21T06:44:32", "url": "https://files.pythonhosted.org/packages/a5/64/9f16a2f1d5c12752cc33ded19a4d0f36c58284d24c1653dddaa630e5a4e6/asylum-0.4.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "38342abbe9fed2a40271858926fc3232", "sha256": "b9a02f9f69852908e8c4f01978bdc4faf20f880e0abe9d7b3951e408e1eb1e3b" }, "downloads": -1, "filename": "asylum-0.4.1.tar.gz", "has_sig": false, "md5_digest": "38342abbe9fed2a40271858926fc3232", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 36456, "upload_time": "2013-03-21T06:44:32", "url": "https://files.pythonhosted.org/packages/a5/64/9f16a2f1d5c12752cc33ded19a4d0f36c58284d24c1653dddaa630e5a4e6/asylum-0.4.1.tar.gz" } ] }