Works with Linux namespaces through glibc with pure python

License Latest Version Downloads Docs

discuss: reddit, habrahabr


There is so many beautiful tools like docker, rocket and vagga written in go and rust, but none in python. I think that is because there is no easy way to work with linux namespaces in python:

  • you can use asylum - a project that looks dead and with a codebase hosted not on mainstream hub like github
  • or you can use the python-libvirt bindings with a big layer of abstraction
  • or just use the native glibc library with ctypes
  • otherwise subprocess.Popen -- your choice

I want to change this: I want to create native python bindings to glibc with interface of python multiprocessing.Process.

PS: you can look at python-nsenter too, it's looks awesome.

PPS: new project from author of asylum - butter


First simple example:

import os
from pyspaces import Container

def execute(argv):
    os.execvp(argv[0], argv)

cmd = "mount -t proc proc /proc; ps ax"
c = Container(target=execute, args=(('bash', '-c', cmd),),
              uid_map='0 1000 1',
              newpid=True, newuser=True, newns=True
print("PID of child created by clone() is %ld\n" %
print("Child returned: pid %s, status %s" % (, c.exitcode))


PID of child created by clone() is 15978

1   pts/19   S+     0:00 bash -c mount -t proc proc /proc; ps ax
3   pts/19   R+     0:00 ps ax

Child returned: pid 15978, status 0


space execute -v --pid --mnt --user --uid 1000 --gid 1000 bash -c 'mount -t proc /proc; ps ax'
space chroot --pid --uid '0 1000 1' ~/.local/share/lxc/ubuntu/rootfs/ /bin/ls /home/
space inject --net --mnt 19840 bash

Note: If the program you're trying to exec is dynamically linked, and the dynamic linker is not present in /lib in the chroot environment - you will get the following error: "OSError: [Errno 2] No such file or directory". You need all the other files the dynamic-linked program depends on, including shared libraries and any essential configuration/tables/etc in the new root directories. src


Read this article please


on github


  • [x] namespaces: clone & Container
  • [x] CLI
  • [x] Chroot
  • [x] setns & inject
  • [ ] cgroups
  • [ ] SCM: apparmor & selinux
  • [ ] capabilities
  • [ ] mount
  • [ ] network
  • [ ] move CLI to separate package
  • [ ] addons
  • [ ] container list
  • [ ] support for lxc, vagga, rocket, docker, etc...
  • [ ] ...
  • [ ] one tool for rule them all!!1