{"id":36912000,"url":"https://github.com/alcortesm/isolate","last_synced_at":"2026-01-12T15:59:42.706Z","repository":{"id":57605643,"uuid":"101198398","full_name":"alcortesm/isolate","owner":"alcortesm","description":"Runs commands in Linux containers with configurable levels of isolation.","archived":false,"fork":false,"pushed_at":"2017-09-20T07:28:39.000Z","size":31,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-20T03:54:57.170Z","etag":null,"topics":["containers","linux-containers","namespace","user-namespaces"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alcortesm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-23T15:50:45.000Z","updated_at":"2024-06-20T03:54:57.171Z","dependencies_parsed_at":"2022-09-26T17:30:22.902Z","dependency_job_id":null,"html_url":"https://github.com/alcortesm/isolate","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/alcortesm/isolate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcortesm%2Fisolate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcortesm%2Fisolate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcortesm%2Fisolate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcortesm%2Fisolate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alcortesm","download_url":"https://codeload.github.com/alcortesm/isolate/tar
.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcortesm%2Fisolate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28341907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T15:50:39.657Z","status":"ssl_error","status_checked_at":"2026-01-12T15:49:49.297Z","response_time":98,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","linux-containers","namespace","user-namespaces"],"created_at":"2026-01-12T15:59:38.672Z","updated_at":"2026-01-12T15:59:42.697Z","avatar_url":"https://github.com/alcortesm.png","language":"Go","readme":"# Isolate\n\nA Linux command to run other commands in their own namespaces.\n\nThis program is inspired by some popular and more powerful tools,\nlike unshare, lxc or docker.\n\nMost isolation levels require some capabilities(7),\nin most cases CAP_SYS_ADMIN.\nUser namespaces are the exception:\nsince Linux 3.8, no privilege is required to create a user namespace.\nNote that some Linux distributions have user namespaces disabled by default;\nyou can enable them with `echo 1 \u003e /proc/sys/kernel/unprivileged_userns_clone`.\n\nRunning a command in its own new user namespace\nlets you run the command in an unprivileged namespace environment\nwhere the process runs with a full set of capabilities,\nmeaning you no longer need to execute `isolate` as root\nto get 
the CAP_SYS_CHROOT capability required by the other isolation levels.\nSee the `userns` example below.\n\n# Installation\n\n```\n; go get github.com/alcortesm/isolate\n```\n\n# Examples\n\n- Run a command without any isolation whatsoever:\n  ```\n  ; isolate echo no isolation at all\n  no isolation at all\n  ```\n\n- Run a command and show its exit code:\n  ```\n  ; isolate -exitCode echo show me your exit code\n  show me your exit code\n  Exit Code 0\n  ```\n\n- Run a command in a root jail.\n  Requires CAP_SYS_CHROOT.\n  See chroot(2).\n  ```\n  ; sudo isolate -dir /tmp/foo pwd\n  /tmp/foo\n  ```\n\n- Run a command in a new user namespace,\n  getting a full set of capabilities in the new namespace.\n  See user_namespaces(7).\n  ```\n  ; isolate -dir /tmp/foo pwd\n  fork/exec /bin/pwd: operation not permitted\n  ;\n  ; isolate -userns -dir /tmp/foo pwd\n  /tmp/foo\n  ```\n\n- Run a shell with isolated system identifiers.\n  Requires CAP_SYS_ADMIN.\n  See namespaces(7).\n\n  ```\n  ; sudo isolate -uts bash\n  $ hostname\n  cherry\n  $ hostname foo\n  $ hostname\n  foo\n  $ exit\n  ; hostname\n  cherry\n  ```\n- Run a command in its own pid namespace.\n  Requires CAP_SYS_ADMIN.\n  See pid_namespaces(7).\n  ```\n  ; sudo isolate -pid sh\n  # echo $$\n  1\n  ```\n\n  A /proc filesystem shows (in the /proc/PID directories) only processes visible in the PID namespace of the process that performed the mount,\n  even if the /proc filesystem is viewed from processes in other namespaces.\n\n  After creating a new PID namespace, it is useful for the child to change its root directory and mount a new procfs instance at /proc so that tools such as ps(1) work correctly.\n\n  To achieve this, isolate a shell with the `pid` and the `mount` options\n  and mount a new proc filesystem on top of the old one as follows:\n  ```\n  $ mount -t proc proc /proc\n  ```\n\n- Run a command in its own mount namespace, see mount_namespaces(7).\n  This isolates mount operations, as long as the 
propagation type\n  of the mount point is not set to `MS_SHARED`\n  (which is usually the case for `/`).\n\n  In this example we will bind mount `/proc` to `/tmp/foo` in a subshell,\n  without affecting the mount points of the parent shell.\n  To make this example complete,\n  the propagation type of `/` in the parent shell is, initially, `MS_SHARED`,\n  so we will change it to `MS_PRIVATE` before the mount operation\n  to prevent the mount event generated in the subshell\n  from being broadcast to the parent shell:\n  ```\n  ; mkdir /tmp/foo\n  ; df -T /tmp/foo\n  Filesystem                    Type 1K-blocks     Used Available Use% Mounted on\n  /dev/mapper/x1carbon--vg-root ext4 236298104 16552284 207672860   8% /\n  ; findmnt -o TARGET,PROPAGATION /\n  TARGET PROPAGATION\n  /      shared\n  ; PS1='$ ' sudo isolate -mount sh\n  $ \n  $ #### stop propagating mounts events\n  $ mount --make-rprivate /\n  $ findmnt -o TARGET,PROPAGATION /\n  TARGET PROPAGATION\n  /      private\n  $\n  $ mount --bind /proc /tmp/foo\n  $ df -T /tmp/foo\n  Filesystem     Type 1K-blocks  Used Available Use% Mounted on\n  proc           proc         0     0         0    - /tmp/foo\n  $ exit\n  ;\n  ; #### check that everything is back to normal\n  ; findmnt -o TARGET,PROPAGATION /\n  TARGET PROPAGATION\n  /      shared\n  ; df -T /tmp/foo\n  Filesystem                    Type 1K-blocks     Used Available Use% Mounted on\n  /dev/mapper/x1carbon--vg-root ext4 236298104 16552284 207672860   8% /\n  ```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falcortesm%2Fisolate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falcortesm%2Fisolate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falcortesm%2Fisolate/lists"}