--init without bounds

[harveyslash]

I plan to use isolate on a web service to run arbitrary code. So i want to run programs without having a fixed number of sandboxes.

Currently --init only refers to a certain box. Is it possible to init to a new sandbox if an empty one is not available ?

This way any arbitrary number of threads (from my web server) can run their programs in their own sandboxes.

Thanks

[bblackham]

Something needs to manage the allocation of box IDs. isolate itself doesn’t have any means to do this. Each box id requires a different UID (see default.cf).

Alternately, assuming that UIDs are 32-bit and PIDs/TIDs are < 32-bit (depends on the setting of /proc/sys/kernel/pid_max), you could allocate part of the UID space for isolate and use the thread ID as the box ID - this assumes that the same thread performs the init run and cleanup phases. I’ve not tried it, but just a thought!

[zopieux]

shameless plug
FYI what you describe is the exact purpose of camisole, which adds some box management and an HTTP interface over isolate. We use camisole to run our online contest where people submit arbitrary code.