Container Runtime

Run AI agents in isolated rootless containers. Linux user namespaces, overlayfs, seccomp, and cgroups v2 โ€” zero daemon, zero dependencies.

Overview

scorpiox code runs AI agents inside lightweight Linux containers built from scratch in C. The scorpiox-unshare runtime uses Linux kernel namespaces (PID, mount, user, UTS, network) to create fully isolated environments without requiring root privileges or any container daemon. For macOS and cross-platform use, scorpiox-podman delegates to Podman for OCI-compliant execution.

shell # Run an agent in a container scorpiox --container "Refactor auth module" # Custom image with GPU and port mapping scorpiox --container --image scorpiox-ubuntu --gpu -p 8080:8080 # Podman runtime (macOS/cross-platform) scorpiox --podman --image scorpiox-alpine "Fix build pipeline"

Container Runtimes

๐Ÿ”ง scorpiox-unshare native

scorpiox/scorpiox-unshare.c
Native Linux user namespace containers โ€” zero daemon, zero dependencies. Uses clone() with CLONE_NEW* flags to create isolated namespaces, overlayfs for copy-on-write rootfs, slirp4netns for userspace networking, and cgroups v2 for resource limits.
pid_namespacemount_namespaceuser_namespace uts_namespacenetwork_namespaceoverlayfs seccomp_filtercapability_droppingcgroups_v2 gpu_passthroughoci_image_extractionport_mapping volume_mountspivot_rootslirp4netns privileged_modeentrypoint_scripts
linux-x64linux-arm64

๐Ÿณ scorpiox-podman oci

scorpiox/scorpiox-podman.c
Podman-based container runtime โ€” delegates to podman CLI for OCI-compliant container execution. Supports custom registries, volume mounts, port mapping, environment variables, and host networking. Uses fork+execvp for safe process execution without shell interpolation.
oci_registry_pullvolume_mountsport_mapping environment_variableshost_networkinginteractive_tty auto_removecustom_registry
linux-x64linux-arm64darwin-x64darwin-arm64

โš™๏ธ scorpiox-sdk orchestrator

scorpiox/scorpiox-sdk.c
SDK container orchestration โ€” agent runner that launches containers via scorpiox-unshare (Linux) or scorpiox-wsl (Windows). Manages the full lifecycle: forkpty โ†’ container runtime โ†’ agent execution โ†’ session monitoring. Supports serve mode with REST API, headless agent mode, and TUI mode.
agent_lifecycleforkpty_executionsession_monitoring serve_mode_rest_apicontainer_port_forwarding wsl2_integrationtui_modeheadless_mode
linux-x64linux-arm64darwin-x64darwin-arm64windows-x64

Isolation & Security

scorpiox-unshare applies multiple layers of kernel-level isolation. Each container runs in its own namespace set with seccomp filtering and capability dropping.

๐Ÿ”’ PID Namespace

CLONE_NEWPID

Process ID isolation โ€” container processes get their own PID tree with PID 1 init. Prevents visibility of host processes.

๐Ÿ“ Mount Namespace

CLONE_NEWNS

Filesystem isolation โ€” container gets private mount tree. All mounts are made MS_REC|MS_PRIVATE to prevent propagation to host.

๐Ÿ‘ค User Namespace

CLONE_NEWUSER

UID/GID isolation โ€” maps container root (uid 0) to unprivileged host user. Skipped when running as real root for NFS/CIFS compatibility.

๐Ÿท๏ธ UTS Namespace

CLONE_NEWUTS

Hostname isolation โ€” container gets its own hostname set via sethostname(). Derived from image name.

๐ŸŒ Network Namespace

CLONE_NEWNET

Network isolation โ€” isolated network stack with slirp4netns providing outbound connectivity via tap device at 10.0.2.100. Bypass with --net host.

๐Ÿ’พ OverlayFS

mount("overlay")

Copy-on-write filesystem โ€” rootfs image is read-only lower layer, ephemeral upper layer captures writes. Falls back to bind-mount on older kernels (< 5.11).

๐Ÿ”„ Pivot Root

SYS_pivot_root

Root filesystem switch โ€” atomically swaps container rootfs as new /. Old root is unmounted and detached. proc and sysfs mounted before pivot.

๐Ÿ›ก๏ธ Seccomp BPF

prctl(PR_SET_SECCOMP)

Syscall filtering via BPF โ€” blocks personality() (prevents ASLR disable) and keyctl() (prevents kernel keyring manipulation). Uses PR_SET_NO_NEW_PRIVS.

โšก Capability Dropping

prctl(PR_CAPBSET_DROP)

Drops dangerous Linux capabilities from bounding set. Removes CAP_IPC_LOCK to prevent mlock() memory pinning DoS attacks.

๐Ÿ“Š Cgroups v2

/sys/fs/cgroup/sx-<pid>/

Memory resource limiting via cgroups v2. Per-container cgroup with memory.max limit. Supports human-readable sizes (e.g., 40G, 512M). Cleaned up on exit.

Image Management

OCI-compliant image management with automatic download, extraction, and caching. Images are fetched from the scorpiox distribution server.

shell # List available container images scorpiox --container --list-images # Use a specific image scorpiox --container --image scorpiox-ubuntu # Custom registry SCORPIOX_REGISTRY=https://my-registry.example.com scorpiox --container
SettingValue
Default imagescorpiox-alpine
Image cache~/.scorpiox/images/
Rootfs cache~/.scorpiox/rootfs/
Dist URLhttps://dist.scorpiox.net/container-images/
Registry envSCORPIOX_REGISTRY
FormatOCI (index.json + blobs/sha256 + layered extraction)
Update checkHTTP Content-Length comparison

Networking

Two networking modes: fully isolated with slirp4netns userspace networking, or host mode sharing the host network stack directly.

๐Ÿ”’ Isolated (default)

CLONE_NEWNET + slirp4netns tap device. Container gets 10.0.2.100, DNS at 10.0.2.3. Full outbound connectivity, inbound via port mapping only.

๐ŸŒ Host Networking

Shares host network stack โ€” no CLONE_NEWNET. Enabled with --net host. Container uses host DNS resolver directly.

shell # Port mapping (host:container) scorpiox --container -p 8080:8080 -p 3000:3000 # Auto port resolution (host finds free port) scorpiox --container -p 0+:8080 # Host networking (bypass isolation) scorpiox --container --net host
ParameterDetail
API socket/tmp/sx_slirp_<pid>.sock
Tap devicetap0
Container IP10.0.2.100
DNS10.0.2.3
Max port mappings16
Protocoltcp

Volumes & Mounts

Bind-mount host directories into the container with optional read-only mode. Up to 16 custom mounts plus built-in workspace, persist, and host binary mounts.

shell # Custom volume mount scorpiox --container -v /data/models:/models:ro # Multiple volumes scorpiox --container -v ./src:/workspace -v /tmp/cache:/persist
MountContainer PathDescription
--bind/workspacePrimary workspace bind mount
--persist/persistPersistent cache directory
auto/opt/host-binAuto-binds host scorpiox binaries (read-only)
Volume syntax: -v host:container[:ro] โ€” max 16 custom mounts. Mount flags: MS_BIND | MS_REC. Read-only remount: MS_BIND | MS_REMOUNT | MS_RDONLY.

GPU Passthrough

NVIDIA GPU device passthrough via bind-mounting device nodes into the container. Also bind-mounts host NVIDIA driver libraries from /usr/lib.

shell # Enable GPU passthrough scorpiox --container --gpu "Train the model"
DevicePath
nvidia*/dev/nvidia*
nvidiactl/dev/nvidiactl
nvidia-uvm/dev/nvidia-uvm
nvidia-uvm-tools/dev/nvidia-uvm-tools
dri/*/dev/dri/*

Container Lifecycle

  1. Create โ€” clone() with CLONE_NEW* flags allocates new stack and spawns child process
  2. Start โ€” Parent writes uid_map/gid_map, signals sync_pipe; child sets up rootfs, mounts, pivot_root
  3. Exec โ€” Child process exec's entrypoint script, /bin/bash, or /bin/sh with optional command via -c flag
  4. Stop โ€” Parent waitpid() on child, then cleans up: slirp4netns kill, cgroup removal, work directory removal
  5. Kill โ€” SIGTERM/SIGINT forwarded to child via signal handler; SIGCHLD triggers cleanup

Device & Filesystem Setup

Minimal /dev via tmpfs with bind-mounted host device nodes. Includes devpts for PTY allocation and shared memory tmpfs.

Essential Devices

null ยท zero ยท random ยท urandom ยท tty

Pseudo Filesystems

devpts ยท shm ยท proc ยท sysfs ยท tmpfs /tmp ยท tmpfs /run

Symlinks

/dev/fd ยท /dev/stdin ยท /dev/stdout ยท /dev/stderr ยท /dev/ptmx

Privileged Mode

Skip user namespace with --privileged for full capabilities. Required for NFS/CIFS/FUSE mounts inside containers.

Configuration

Container settings in scorpiox-env.txt:

scorpiox-env.txt # Container runtime SX_CONTAINER=true SX_CONTAINER_IMAGE=scorpiox-alpine SX_CONTAINER_MEMORY=40G # Networking SX_CONTAINER_NET=isolated SX_CONTAINER_PORTS=8080:8080,3000:3000 # Volumes SX_CONTAINER_VOLUMES=/data:/data:ro,./cache:/persist # GPU SX_CONTAINER_GPU=true # Custom registry SCORPIOX_REGISTRY=https://dist.scorpiox.net/container-images/