Show HN: Procjail – Building a process isolator in Go using Linux namespaces

2 points, posted 17 days ago
by Nya-kundi

5 Comments

Nya-kundi

17 days ago

I've been diving deep into the Linux kernel's isolation primitives, and I wanted to see if I could build a robust, lightweight jailer using Go instead of the traditional C/Rust approach.

Most people go for Docker or Firecracker, but those feel like overkill for simple process isolation. Procjail is my attempt at a 'middle ground'—leveraging Namespaces (PID, Mount, Net, UTS) and Cgroups to create a secure environment with minimal fuss.

I know the purists might question using a garbage-collected language for low-level isolation, but the developer experience and safety of Go made this an incredible project to build.

I wrote a deep dive into the kernel truths I learned here: https://emmanuel326.github.io/blogs/procjail-kernel-truth.ht...

I'm looking for 'crazy critics' to tear into the syscall implementation, the security model, or the Go implementation. I'm here to learn.

Chaserfrank

17 days ago

Nice to see folks bringing new ideas to process isolation beyond Docker! I haven’t dug into namespaces much in Go. How are the ergonomics compared to C/Rust? Wondering if this could help teach kernel primitives in a simpler codebase.

Nya-kundi

17 days ago

Thanks! Honestly, the ergonomics of Go for this are a double-edged sword. On one hand, using the os/exec and syscall packages feels much more 'human-readable' than raw C. It definitely makes the kernel primitives feel less like black magic. The tricky part is the Go runtime—since it's multi-threaded by default, you have to be really careful about runtime.LockOSThread() when manipulating namespaces so you don't 'leak' a namespace change to the wrong thread. If you're looking to learn the basics, I think the Go codebase is way easier to digest than a massive C project!
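Added example, not part of the comment above and not Procjail's own code: a sketch of the runtime.LockOSThread() pattern it mentions, using a UTS namespace because it is the least intrusive one to unshare. The names nsResult, utsNS and runInNewUTS are hypothetical; it assumes Linux with /proc mounted, and the unshare call needs CAP_SYS_ADMIN.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"syscall"
)

// nsResult holds the UTS namespace link seen at each stage (hypothetical type).
type nsResult struct{ Before, Inside, After string }

// utsNS returns the calling OS thread's UTS namespace, e.g. "uts:[4026531838]".
func utsNS() (string, error) { return os.Readlink("/proc/thread-self/ns/uts") }

// runInNewUTS unshares the UTS namespace on one pinned OS thread and reports
// what that thread and the rest of the process see.
func runInNewUTS() (res nsResult, err error) {
	if res.Before, err = utsNS(); err != nil {
		return res, err
	}
	done := make(chan error, 1)
	go func() {
		// Pin this goroutine to its thread. There is deliberately no
		// UnlockOSThread: when a locked goroutine exits, the runtime
		// terminates the thread instead of handing it to other goroutines.
		runtime.LockOSThread()
		if e := syscall.Unshare(syscall.CLONE_NEWUTS); e != nil {
			done <- fmt.Errorf("unshare: %w", e) // EPERM without CAP_SYS_ADMIN
			return
		}
		var e error
		res.Inside, e = utsNS()
		done <- e
	}()
	if err = <-done; err != nil {
		return res, err
	}
	res.After, err = utsNS() // read on a thread that never called unshare
	return res, err
}

func main() {
	res, err := runInNewUTS()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

When the goal is only to start a child in fresh namespaces, setting Cloneflags in the exec.Cmd's syscall.SysProcAttr applies them at clone time and avoids changing any thread of the parent.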

robert_titus

17 days ago

Nice work! Didn't expect golang to be used for this. Excited to see procjail's future commits.

Nya-kundi

17 days ago

I wanted to prove that for a lightweight tool like Procjail, Go's overhead is negligible compared to the massive DX gains.