In brief: A chroot jail
The sandbox (Linux: protected test environment for programs) is like a ''virtual machine'', which runs on the device. It is a section of the device, for which a user account has been set in the system. In this section, programs can be started, data can be collected and services can be provided, which are not available within the system of the router. Inside the sandbox the environment is like it is inside a Linux PC. The sandbox is an area separate from the router part of the system, which ensures that the router can fulfil its task without interference from the sandbox.
In brief: Besides its actual tasks, the device can fulfil additional tasks via sandbox. Without the sandbox, these tasks would have to be carried out by an additional industrial computer.
Not having to install and run the computer saves space inside the switching cabinet, money, as additional hardware is not required, and energy, which also reduces industrial waste heat. The device establishes the connection into the internet or to the control centre. The programs in the sandbox use this connection. The configuration of the connection to the internet or to the control centre can be set comfortably via the web interface.
In brief: All the things that do not require root permissions on the device are possible.
The sample sandbox demo image contains some applications, tools and services, which make it possible for the user to establish a connection and to start quickly. Examples are:- integrated web server (http://192.168.1.1:8080) - SSH server at port 2222 (user "user", password "user", per default "SSH [email protected] -p 2222")- Telnet server, can be used as basis for configuration interfaces- editor nano for text files and scripts for the device- netcat - the Swiss Army knife for TCP- or UDP connections- curl - a tool for automatic website operation- Shell tools like awk, sed and wget for programming shell scripts - Sudoku and Space-Invaders games- SQL3 data bank- PHP – an interpreter language suited for web development
In brief: All the things that do require root permissions on the device.
It is not possible to execute commands or programs, which require root rights. Examples for such commands or programs are the raw connections (like ICMP - "ping"). This ensures that the device is not interfered with its tasks.
ARM9 (922T) at 166MHz, approx. 10MB RAM, Flash: approx. 100MB 50MB, TMPFS: 1MB
In Brief: Serial interface, Ethernet of the LAN connection (4-port-switch), WAN connection depending on the make of the device (LAN, GPRS, EDGE, UMTS, PSTN and ISDN).
Via the web interface, you can assign the serial interface to be used by applications in the sandbox. If assigned to the sandbox, the serial interface is not available for the device. In this case neither serial-Ethernet-gateway nor the connection of a further, redundant communication device will be possible. The LAN as well as the WAN connection can be used in the way they are configured for the device. Network settings can be configured via the web interface and not via the sandbox. Depending on the configuration and the type of the device also the sandbox can communicate in various ways via LAN, GPRS, EDGE, UMTS, PSTN or ISDN.
In Brief: A tar.gz with the content of the chroot jail.
A file, which contains a tar-archive compressed with gzip. The archive contains almost the complete file structure as it will be available for the user inside the sandbox later on. The archive can be uploaded, stored and installed in the sandbox of the device via the web interface. The stored image, still compressed, remains with the device. An installed image can be overwritten with the stored image, which makes it possible to establish a defined state at any time. Users can do this in case they have locked themselves out of the sandbox, for example.
Ready-made sandbox images can be downloaded from the INSYS web site. The purpose of the demo image is to show some of the possible features of a sandbox and it contains some examples of them.
Yes. A sandbox image is an archive containing compressed data. New images can be created, which may contain programs, scripts and files, which are different from the ones the sandbox images by INSYS contain.
In brief: Download an image "sandbox_Name.tar.gz" (Name="small" or "demo_date") provided by INSYS, unpack it, modify it and pack it again with "tar -zcvf".
There are many ways in which to modify the content of a sandbox image. In order to get an idea about the basic structure of an image, decompress the INSYS image and look at its file structure. The code of the sandbox has to run in a Linux environment once the image is installed. Therefore certain file parameters like the file properties may not be altered. If a sandbox image were to be decompressed, modified and compressed in a VFAT / FAT partitioned file system, the resulting image would probably be useless because the files in the image could not be executed any more. For more extensive instructions see "Creating an own sandbox image".
Yes, you can.You do not have to create a new sandbox image every time a single device is to be modified. The installed sandbox image will be overwritten only in case somebody triggers this process via the web interface of the device. In order to modify a device manually, you can log on to the device via SSH, for example. The possibilities for manual modification depend on the kind of tools available in the sandbox installed. The tools wget and ftp are available in the sandbox image offered by INSYS. A user can log on to the sandbox and, with wget or ftp, upload files from HTTP- or FTP servers in the local LAN and save them. A further possibility is to send files to the sandbox with a tool like scp, for example.
Yes! There are lots of possibilities. With the help of the sandbox image offered by INSYS individual shell programs can be programmed on the spot.Nothing else is required. The possibilities the shell offers are greater than many people think. On the internet there are programs which even implement an HTTP server! The appropriate content of the sandbox makes the programs run.
This depends on the content of the sandbox. With the sandbox image offered by INSYS, scripts of the installed shell ash can be used immediately.You can develop programs in C or C++ with the help of the software development kit by the company Denx (http://www.denx.de) provided by INSYS. The kit is easy to install. Within a few minutes the first "Hello World" program can be written, compiled and started in the sandbox. For further information and installation instructions see "SDK Installation" and "Compiling Hello World". You can use other programming languages, too, if their libraries and / or interpreters are available in the sandbox and if the amount of resources the programs require does not exceed the amount of memory available. So you might as well use languages like Perl or Python in the sandbox.
A developer should be aware of the fact that the programs are to run within an embedded device with limited resources. This means:- RAM is limited- permanent memory (flash) is comparatively slow- processing power is limited
The extent of memory consumption caused by the sandbox functionality is not to have an impact on the communication capability of the router. If necessary, the device is restarted by internal watchdog timers. The amount of resources available for the sandbox functionality depends to a great extent on the way in which other functionality is used.
If programs are to be applied to multiple devices in far-off places on a permanent basis, as it may be, we recommend to test them extensively in advance and to monitor their memory consumption with the standard tools "df" and "free".
SMS dispatch: Yes, if the device contains a communication device which can send SMS (Modem/ISDN/GPRS/EDGE/UMTS). Inside the sandbox there is the directory /var/spool/sms, which is inspected every minute by the device. If a file is detected in the directory, it will be interpreted. The first line of the file is to contain the phone number of the addressee, the second one the SMS text (up to 140 digits). E-mail: Yes. Use the tool "email" contained in the sandbox demo image.
No. Only in case you want to compile your own C-programs, you will need the SDK for embedded Linux. In order to create an image of your own, unpack a ready-made sandbox image on a Linux PC, modify the image and pack it again.
The possibilities of locking oneself out depend on the functionality of the sandbox. If there is no server in the sandbox (no SSH server or Telnet server installed), there is no possibility to log on. It depends on the programs of the installed sandbox image Which ways there are of locking oneself out.
No. If a watchdog triggers the reset of the device, the device will start anew.
In general you can measure the consumption of the INSYS sandbox image and go from there. For some functions, like for updating the firmware, at least 5 MByte of free RAM are required. That´s why the sandbox functionality is automatically switched off during firmware update. At least 3 MByte of RAM should be free at all times. If there is no more flash memory, delete selected files. Whether the applications in the sandbox will write onto RAM if the flash memory is spent, depends on the way the applications are programmed.
If the device constantly ran on low resources, it would be restarted in rapid succession (Watchdog triggering all the time). It would be bad if the user did not have a chance to deactivate the sandbox in between restarts.
You can download them for free from various internet sources. In a Linux environment "PuTTY" is not required. "Md5sum" is part of the INSYS image.
The programs stored in the INSYS sandbox images are standard programs. Information on most of them you can obtain on every Linux PC with # man. Usually the programs themselves will inform the user if the systax is wrong. There is extensive literature about the shell, in form of books and also in the internet.