NEWS
Version 2.3 [2026-04-04]
* The UID and GID range for the sandboxes is obtained from /etc/sub[ug]id
  entries of a configured user. The old method of configuring the
  ranges explicitly is still supported, but no longer the default.
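
For the Version 2.3 entry above, an added example (not Isolate's own code) of reading a sandbox ID range from text in the "name:start:count" format of /etc/subuid and /etc/subgid. The names `subid_lookup`, `field` and `needed`, the account name "isolate" and the sample text are assumptions made for illustration; entries keyed by numeric UID are not handled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct subid_range { uint32_t first, last; };   /* inclusive bounds */

/* Parse a decimal field that starts with a digit and is followed by `term`. */
static int field(const char **p, char term, unsigned long long *v)
{
    char *end;
    if (!isdigit((unsigned char)**p))   /* rejects signs, spaces, empty fields */
        return 0;
    *v = strtoull(*p, &end, 10);        /* overflow gives ULLONG_MAX, rejected below */
    *p = end + 1;
    return *end == term;
}

/* Added example, not Isolate's code. Finds the first well-formed "user:start:count"
 * line whose range fits in 32-bit IDs and holds >= `needed` IDs. 0 on success, else -1. */
int subid_lookup(const char *text, const char *user, uint64_t needed, struct subid_range *out)
{
    size_t n = strlen(user);
    for (const char *line = text, *next = NULL; line && *line; line = next ? next + 1 : NULL) {
        unsigned long long start, count;
        next = strchr(line, '\n');
        if (n == 0 || strncmp(line, user, n) != 0 || line[n] != ':')
            continue;                   /* another user's entry, or a prefix match only */
        const char *p = line + n + 1;
        if (field(&p, ':', &start) && field(&p, next ? '\n' : '\0', &count) && count >= needed &&
            start <= UINT32_MAX && count >= 1 && count - 1 <= UINT32_MAX - start) {
            out->first = (uint32_t)start;
            out->last = (uint32_t)(start + count - 1);
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample; "isolate" as the configured user is an assumption. */
    const char *sample = "alice:100000:65536\nisolate:x:1000\nisolate:200000:1000\n";
    struct subid_range r;
    if (subid_lookup(sample, "isolate", 1000, &r) == 0)
        printf("%u-%u\n", (unsigned)r.first, (unsigned)r.last);
    return 0;
}
```

Malformed lines, ranges that run past the 32-bit ID space and ranges smaller than `needed` are skipped, so a bad entry yields no range at all instead of a truncated one.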

Version 2.2.1 [2025-09-29]
* Fixed the check for asymmetric cores in isolate-check-environment.

Version 2.2 [2025-09-01]
* Switched to a new kernel API for setting filesystem quotas,
  which works with more filesystems (e.g., tmpfs).
* Wall-clock time is reported correctly even if the system
  clock is reset during program execution.

Version 2.1.2 [2025-08-14]
* Build date and commit are recorded in built binaries only
  when building from a Git checkout.

Version 2.1.1 [2025-08-14]
* isolate-check-environment checks for asymmetric cores.
* By mistake, isolate was compiled without optimization.
  Added -O2 to CFLAGS.
* Added packaging for Debian Trixie on both amd64 and arm64.

Version 2.1 [2025-06-08]
• There are official packages for Debian Bookworm (amd64, arm64)
  and the last two LTS releases of Ubuntu (amd64 only). Packaged Isolate
  takes care of starting systemd services properly. It is available
  only to users that are members of the "isolate" group.
• Unit files for systemd are installed by default.
• Cgroup-based timing works when --run is used multiple times
  on the same sandbox.
• Added manual pages for isolate-cg-keeper and isolate-check-environment.
  The man page for isolate explains more about cgroups and containers.
• isolate-check-environment checks for the presence of simultaneous
  multi-threading.
• All binaries are compiled with security hardening flags.
• Minor bug fixes.

Version 2.0 [2024-02-28]
• This version runs only on systems supporting CGroup v2, which are
  basically all new Linux systems. If you need to stick with CGroup v1,
  please use Isolate 1.10.1.
• If you are running systemd, Isolate now comes with isolate.service
  that delegates a subtree of the cgroup hierarchy to Isolate.
  On systems without systemd, you have to set up the delegation
  yourself and set its root in Isolate's configuration file.
• The --cg-timing switch has been removed. In control group mode,
  this mode of timing is always used.
• Added a simple protocol for locking sandboxes. When a sandbox is
  initialized using "isolate --init", it is reserved for the calling
  user until "isolate --cleanup" is used. It is also not allowed
  to call "isolate --run" multiple times in parallel on the same box.
• "isolate --init" resets the sandbox if it already existed.
• Root can operate sandboxes on behalf of other users using
  --as-uid and --as-gid options.
• Configuration can specify that only root is allowed to create new
  sandboxes. Together with the previous feature, it allows for creation
  of system-wide daemons allocating sandboxes to users. One such daemon
  will probably appear in a future release of Isolate.