I've been diving deep into the Linux kernel's isolation primitives, and I wanted to see if I could build a robust, lightweight jailer using Go instead of the traditional C/Rust approach.
Most people go for Docker or Firecracker, but those feel like overkill for simple process isolation. Procjail is my attempt at a 'middle ground'—leveraging Namespaces (PID, Mount, Net, UTS) and Cgroups to create a secure environment with minimal fuss.
I know the purists might question using a garbage-collected language for low-level isolation, but the developer experience and safety of Go made this an incredible project to build.
Nya-kundi•1h ago
I wrote a deep dive into the kernel truths I learned here: https://emmanuel326.github.io/blogs/procjail-kernel-truth.ht...
I'm looking for 'crazy critics' to tear into the syscall implementation, the security model, or the Go implementation. I'm here to learn.
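To make the namespace-plus-cgroup design discussed above concrete, here is a small added Go example of the parent/child re-exec pattern such a jailer uses. It is not Procjail's code and does not reflect its API; the names `JailConfig`, `buildCommand`, `runChild`, `cgroupV2Limit` and `missingNamespaces`, the environment variables, and the `/tmp/rootfs` path are all assumptions made for this illustration. It is Linux-only, and the child side needs a populated root filesystem and (for the cgroup step) write access under `/sys/fs/cgroup`.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

// JailConfig is a hypothetical configuration struct for this example.
type JailConfig struct {
	Hostname string   // UTS namespace hostname seen inside the jail
	RootFS   string   // directory that becomes "/" for the child
	Argv     []string // absolute path plus arguments to run inside the jail
}

// requiredNamespaces are the isolation boundaries a minimal jailer should set up.
// CLONE_NEWUSER is included so the whole thing works without host root.
var requiredNamespaces = map[string]uintptr{
	"pid": syscall.CLONE_NEWPID, "mnt": syscall.CLONE_NEWNS,
	"net": syscall.CLONE_NEWNET, "uts": syscall.CLONE_NEWUTS,
	"user": syscall.CLONE_NEWUSER,
}

// cloneFlags ORs every required namespace into one clone(2) flag word.
func cloneFlags() uintptr {
	var f uintptr
	for _, bit := range requiredNamespaces {
		f |= bit
	}
	return f
}

// missingNamespaces reports which required namespaces a flag word lacks; a
// reviewer can run this against a jailer's configuration as a quick audit.
func missingNamespaces(flags uintptr) []string {
	var missing []string
	for name, bit := range requiredNamespaces {
		if flags&bit == 0 {
			missing = append(missing, name)
		}
	}
	return missing
}

// buildCommand re-executes this binary as the jailed child. The ID mapping makes
// the invoking user uid/gid 0 inside the new user namespace only; the kernel
// still treats it as the unprivileged host user.
func buildCommand(cfg JailConfig) *exec.Cmd {
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, cfg.Argv...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.Env = []string{"JAIL_HOSTNAME=" + cfg.Hostname, "JAIL_ROOTFS=" + cfg.RootFS, "PATH=/bin:/usr/bin"}
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  cloneFlags(),
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	return cmd
}

// cgroupV2Limit caps memory for a pid by creating a cgroup v2 leaf, writing
// memory.max, and moving the pid into it. Requires write access to the parent.
func cgroupV2Limit(parent, name string, memBytes int64, pid int) error {
	dir := filepath.Join(parent, name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "memory.max"), []byte(strconv.FormatInt(memBytes, 10)), 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "cgroup.procs"), []byte(strconv.Itoa(pid)), 0o644)
}

// runChild executes inside the new namespaces: set the hostname, make the mount
// table private so nothing propagates back to the host, enter the rootfs, mount a
// fresh /proc (so ps only sees the jail's PID namespace), then exec the target.
// chroot is used for brevity; pivot_root is the stronger choice in a real jailer.
func runChild(hostname, rootfs string, argv []string) error {
	if err := syscall.Sethostname([]byte(hostname)); err != nil {
		return fmt.Errorf("sethostname: %w", err)
	}
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("make mounts private: %w", err)
	}
	if err := syscall.Chroot(rootfs); err != nil {
		return fmt.Errorf("chroot: %w", err)
	}
	if err := os.Chdir("/"); err != nil {
		return err
	}
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return fmt.Errorf("mount proc: %w", err)
	}
	return syscall.Exec(argv[0], argv, os.Environ())
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		if err := runChild(os.Getenv("JAIL_HOSTNAME"), os.Getenv("JAIL_ROOTFS"), os.Args[2:]); err != nil {
			fmt.Fprintln(os.Stderr, "child:", err)
			os.Exit(1)
		}
		return
	}
	// Constructed sample run: a shell inside /tmp/rootfs with its own hostname and PID 1.
	cmd := buildCommand(JailConfig{Hostname: "jail", RootFS: "/tmp/rootfs", Argv: []string{"/bin/sh"}})
	if err := cmd.Start(); err != nil {
		fmt.Fprintln(os.Stderr, "start:", err)
		os.Exit(1)
	}
	// Cgroup attachment is best-effort here; a real jailer should fail closed instead.
	if err := cgroupV2Limit("/sys/fs/cgroup", "jail-example", 64<<20, cmd.Process.Pid); err != nil {
		fmt.Fprintln(os.Stderr, "cgroup (continuing without limit):", err)
	}
	if err := cmd.Wait(); err != nil {
		fmt.Fprintln(os.Stderr, "wait:", err)
	}
}
```

The two points worth checking in any Go jailer of this shape are visible here: the child only gets the isolation that is actually in `Cloneflags` (which is why `missingNamespaces` exists as an audit helper), and the ID mapping gives root inside the user namespace without granting it on the host. Note also that the cgroup is attached after `Start`, so the child briefly runs unconstrained; a production design would block the child on a pipe until the cgroup write has succeeded.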