
@UlisesGascon
Created July 21, 2024 15:21
Bash script to create an isolated environment using namespaces and cgroups

Isolate Script

This script creates an isolated environment using Linux namespaces and cgroups, executes a provided Bash script, and then cleans up the environment. The script gets its own PID, UTS and mount namespaces and a private tmpfs on /tmp, so files it writes under /tmp, the hostname change and any processes it leaves behind never reach the host. Only those three things are isolated: the rest of the filesystem, the network and the caller's (root) privileges are still the host's, so this is a scratch environment for your own scripts, not a sandbox for untrusted code.

How It Works

  1. Argument Check: The script checks that a Bash script file is provided as an argument.
  2. File Existence Check: It verifies that the provided file exists.
  3. Cgroup Creation: A cgroup with pids.max set to 50 is created and the script's own shell is moved into it, so the limit covers unshare, the inner shell and everything your script forks. Creating cgroups and unsharing PID and mount namespaces without a user namespace requires root.
  4. Namespace Creation: The script creates new PID, UTS and mount namespaces using unshare (--fork makes the inner bash PID 1 of the new PID namespace; --mount-proc gives it a /proc that shows only that namespace).
  5. Hostname Change: The hostname is changed to isolated_env; only the new UTS namespace sees it.
  6. Temporary File System Isolation: A new tmpfs is mounted on /tmp inside the new mount namespace, so the host's /tmp is neither visible nor modified. The rest of the filesystem is still the host's.
  7. Script Execution: The provided script is executed within the isolated environment.
  8. Cleanup: The tmpfs is unmounted, the kernel kills anything still running in the PID namespace once its PID 1 exits, and the cgroup is removed.

Usage

  1. Save the isolate.sh script and make it executable:

    chmod +x isolate.sh
  2. Create a sample Bash script, e.g., test_script.sh:

    #!/bin/bash
    echo "This is a script running in an isolated environment"
    touch /tmp/testfile
    ls /tmp
  3. Execute the isolate.sh script as root (creating the cgroup and the namespaces requires it), passing the sample script as an argument:

    ./isolate.sh test_script.sh

Example

Given a script test_script.sh:

#!/bin/bash
echo "This is a script running in an isolated environment"
touch /tmp/testfile
ls /tmp

Running the following command as root:

./isolate.sh test_script.sh

Will output:

This is a script running in an isolated environment
testfile
Isolated environment finished and cleaned up, including cgroup.

The changes made within the isolated environment (like creating /tmp/testfile) will not affect the host system's /tmp directory.
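To confirm that the properties listed under How It Works actually hold for the process running inside, and to see what is not isolated, here is a verification script you can run through isolate.sh in place of test_script.sh. It is an added example, not part of this gist. It assumes the cgroup v2 unified hierarchy at /sys/fs/cgroup, the cgroup name isolated used by isolate.sh, and GNU xargs; the VERIFY_LIVE variable, the --live flag and the sample /proc lines embedded for the offline self-test are constructed for this example.

```shell
#!/bin/bash
# verify_isolation.sh (added example): run through isolate.sh to check what is isolated.
# The text-parsing helpers are kept separate from the live checks so they can be
# exercised offline on constructed input.

# Print the filesystem type mounted at $1, reading /proc/self/mountinfo from stdin.
# Format: "id parent maj:min root mountpoint opts [optional...] - fstype source superopts"
mountinfo_fstype() {
  awk -v mp="$1" '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i+1); exit } }'
}

# Print the cgroup v2 path of the process, reading /proc/self/cgroup ("0::/path") from stdin.
cgroup_v2_path() {
  sed -n 's/^0::\(.*\)$/\1/p'
}

# Print the "max" counter of a cgroup v2 pids.events file read from stdin:
# the number of forks the kernel refused because pids.max was reached.
pids_events_max() {
  awk '$1 == "max" { print $2 }'
}

# Constructed sample input (not captured from a real system) for the offline self-test.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
41 22 0:36 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw'
SAMPLE_CGROUP='0::/isolated'
SAMPLE_PIDS_EVENTS='max 7'

FAIL=0
# check <label> <got> <want>
check() {
  if [ "$2" = "$3" ]; then echo "PASS $1: $2"; else echo "FAIL $1: got '$2', want '$3'"; FAIL=1; fi
}

live_checks() {
  check "hostname"      "$(uname -n)"                                     "isolated_env"
  check "PID 1 is bash" "$(cat /proc/1/comm)"                              "bash"
  check "/tmp is tmpfs" "$(mountinfo_fstype /tmp < /proc/self/mountinfo)" "tmpfs"
  # Not isolated: the root filesystem is still the host's. Report it so nobody assumes otherwise.
  echo "info: / is $(mountinfo_fstype / < /proc/self/mountinfo), shared with the host"

  cg=$(cgroup_v2_path < /proc/self/cgroup)
  check "cgroup v2 path" "$cg" "/isolated"
  if [ -n "$cg" ] && [ -f "/sys/fs/cgroup$cg/pids.max" ]; then
    cgdir="/sys/fs/cgroup$cg"
    echo "info: pids.max=$(cat "$cgdir/pids.max") pids.current=$(cat "$cgdir/pids.current")"
    # Try to exceed the limit: 60 parallel sleeps. GNU xargs stops at the first fork the
    # kernel refuses and reports it on stderr; pids.events "max" counts every refusal.
    before=$(pids_events_max < "$cgdir/pids.events")
    yes 1 | head -n 60 | xargs -P 60 -n 1 sleep
    after=$(pids_events_max < "$cgdir/pids.events")
    if [ "$after" -gt "$before" ]; then
      echo "PASS pids.max enforced: $((after - before)) fork(s) refused"
    else
      echo "FAIL pids.max not enforced"; FAIL=1
    fi
  else
    echo "FAIL no cgroup v2 pids controller found for this process"; FAIL=1
  fi
  return $FAIL
}

# Live checks only run when asked for; isolate.sh passes no arguments, so the
# environment variable is the way to turn them on there.
if [ "${1:-}" = "--live" ] || [ "${VERIFY_LIVE:-0}" = "1" ]; then
  live_checks
fi
```

Because isolate.sh passes no arguments to the script, enable the live checks through the environment, which unshare passes through unchanged: as root, run VERIFY_LIVE=1 ./isolate.sh verify_isolation.sh. Each PASS/FAIL line maps to one step of How It Works. The pids check deliberately tries to start 60 sleep processes and compares the cgroup's pids.events counter before and after, so it shows the limit is enforced rather than merely configured; if the script's shell was never moved into the cgroup, the cgroup check reports the host's path instead of /isolated.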

Notes

The script uses unshare to create the namespaces and mount to put a private tmpfs on /tmp inside the new mount namespace; unshare sets mount propagation to private by default, so that mount cannot leak back to the host. The cgroup limits the isolated process tree to 50 processes via pids.max; adjust the value as needed. On the cgroup v2 unified hierarchy mounted at /sys/fs/cgroup (the default on current distributions) membership is controlled through cgroup.procs; tasks is the cgroup v1 file name and does not exist there. The script must run as root. Only /tmp, the hostname and the process tree are isolated after execution; the rest of the filesystem, the network and the caller's privileges are the host's throughout.

#!/bin/bash
# Check if an argument was provided
if [ -z "$1" ]; then
    echo "Usage: $0 <bash_script>"
    exit 1
fi
SCRIPT=$1
# Check if the file exists
if [ ! -f "$SCRIPT" ]; then
    echo "The file $SCRIPT does not exist."
    exit 1
fi
# Creating a cgroup and unsharing PID/mount namespaces without a user namespace needs root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root."
    exit 1
fi
# Create a cgroup to limit resources. This targets the cgroup v2 unified hierarchy,
# which is what current distributions mount at /sys/fs/cgroup.
CGROUP_NAME="isolated"
CGROUP_PATH="/sys/fs/cgroup/$CGROUP_NAME"
if [ ! -f /sys/fs/cgroup/cgroup.controllers ]; then
    echo "cgroup v2 is not mounted at /sys/fs/cgroup."
    exit 1
fi
# Make sure the pids controller is enabled for children of the root cgroup
grep -qw pids /sys/fs/cgroup/cgroup.subtree_control || echo +pids > /sys/fs/cgroup/cgroup.subtree_control
# Create and configure the cgroup: set the limit, then move this shell into it so that
# unshare, the inner shell and the user's script all count against it.
# In cgroup v2 membership is controlled via cgroup.procs; "tasks" is the cgroup v1 file name.
mkdir -p "$CGROUP_PATH"
echo 50 > "$CGROUP_PATH/pids.max" # Limit to 50 processes
echo $$ > "$CGROUP_PATH/cgroup.procs"
# Create new PID, UTS and mount namespaces. --fork makes the inner bash PID 1 of the new
# PID namespace, so the kernel kills everything left in it when that bash exits;
# --mount-proc gives it a /proc showing only that namespace. The script path is passed
# as an argument instead of being interpolated into the command string, so a filename
# containing spaces or shell metacharacters is not re-parsed as code.
unshare --pid --uts --mount --fork --mount-proc bash -c '
    # Change the hostname (visible only inside the new UTS namespace)
    hostname isolated_env
    # Mount a new tmpfs on /tmp; unshare makes the new mount namespace private,
    # so this mount is never seen by the host
    mount -t tmpfs tmpfs /tmp
    # Execute the provided script
    bash "$1"
    # Clean up and exit
    umount /tmp
' bash "$SCRIPT"
# unshare --fork has waited for the inner bash, and nothing survives in the PID namespace
# after its PID 1 exits, so the only process left in the cgroup is this shell.
# Move it back to the root cgroup first: rmdir on a non-empty cgroup fails with EBUSY.
echo $$ > /sys/fs/cgroup/cgroup.procs
rmdir "$CGROUP_PATH"
echo "Isolated environment finished and cleaned up, including cgroup."