I've been diving deep into the Linux kernel's isolation primitives, and I wanted to see if I could build a robust, lightweight jailer using Go instead of the traditional C/Rust approach.
Most people go for Docker or Firecracker, but those feel like overkill for simple process isolation. Procjail is my attempt at a 'middle ground'—leveraging Namespaces (PID, Mount, Net, UTS) and Cgroups to create a secure environment with minimal fuss.
I know the purists might question using a garbage-collected language for low-level isolation, but the developer experience and safety of Go made this an incredible project to build.
I wrote a deep dive into the kernel truths I learned here: https://emmanuel326.github.io/blogs/procjail-kernel-truth.ht...
I'm looking for 'crazy critics' to tear into the syscall implementation, the security model, or the Go implementation. I'm here to learn.
Nice to see folks bringing new ideas to process isolation beyond Docker! I haven’t dug into namespaces much in Go. How’s the ergonomics compared to C/Rust? Wondering if this could help teach kernel primitives in a simpler codebase.
Nice work! Didn't expect golang to be used for this. Excited to see procjail's future commits.