Run AI agents in isolated rootless containers. Linux user namespaces, overlayfs, seccomp, and cgroups v2 โ zero daemon, zero dependencies.
scorpiox code runs AI agents inside lightweight Linux containers built from scratch in C. The scorpiox-unshare runtime uses Linux kernel namespaces (PID, mount, user, UTS, network) to create fully isolated environments without requiring root privileges or any container daemon. For macOS and cross-platform use, scorpiox-podman delegates to Podman for OCI-compliant execution.
scorpiox-unshare applies multiple layers of kernel-level isolation. Each container runs in its own namespace set with seccomp filtering and capability dropping.
Process ID isolation โ container processes get their own PID tree with PID 1 init. Prevents visibility of host processes.
Filesystem isolation โ container gets private mount tree. All mounts are made MS_REC|MS_PRIVATE to prevent propagation to host.
UID/GID isolation โ maps container root (uid 0) to unprivileged host user. Skipped when running as real root for NFS/CIFS compatibility.
Hostname isolation โ container gets its own hostname set via sethostname(). Derived from image name.
Network isolation โ isolated network stack with slirp4netns providing outbound connectivity via tap device at 10.0.2.100. Bypass with --net host.
Copy-on-write filesystem โ rootfs image is read-only lower layer, ephemeral upper layer captures writes. Falls back to bind-mount on older kernels (< 5.11).
Root filesystem switch โ atomically swaps container rootfs as new /. Old root is unmounted and detached. proc and sysfs mounted before pivot.
Syscall filtering via BPF โ blocks personality() (prevents ASLR disable) and keyctl() (prevents kernel keyring manipulation). Uses PR_SET_NO_NEW_PRIVS.
Drops dangerous Linux capabilities from bounding set. Removes CAP_IPC_LOCK to prevent mlock() memory pinning DoS attacks.
Memory resource limiting via cgroups v2. Per-container cgroup with memory.max limit. Supports human-readable sizes (e.g., 40G, 512M). Cleaned up on exit.
OCI-compliant image management with automatic download, extraction, and caching. Images are fetched from the scorpiox distribution server.
| Setting | Value |
|---|---|
| Default image | scorpiox-alpine |
| Image cache | ~/.scorpiox/images/ |
| Rootfs cache | ~/.scorpiox/rootfs/ |
| Dist URL | https://dist.scorpiox.net/container-images/ |
| Registry env | SCORPIOX_REGISTRY |
| Format | OCI (index.json + blobs/sha256 + layered extraction) |
| Update check | HTTP Content-Length comparison |
Two networking modes: fully isolated with slirp4netns userspace networking, or host mode sharing the host network stack directly.
CLONE_NEWNET + slirp4netns tap device. Container gets 10.0.2.100, DNS at 10.0.2.3. Full outbound connectivity, inbound via port mapping only.
Shares host network stack โ no CLONE_NEWNET. Enabled with --net host. Container uses host DNS resolver directly.
| Parameter | Detail |
|---|---|
| API socket | /tmp/sx_slirp_<pid>.sock |
| Tap device | tap0 |
| Container IP | 10.0.2.100 |
| DNS | 10.0.2.3 |
| Max port mappings | 16 |
| Protocol | tcp |
Bind-mount host directories into the container with optional read-only mode. Up to 16 custom mounts plus built-in workspace, persist, and host binary mounts.
| Mount | Container Path | Description |
|---|---|---|
| --bind | /workspace | Primary workspace bind mount |
| --persist | /persist | Persistent cache directory |
| auto | /opt/host-bin | Auto-binds host scorpiox binaries (read-only) |
-v host:container[:ro] โ max 16 custom mounts. Mount flags: MS_BIND | MS_REC. Read-only remount: MS_BIND | MS_REMOUNT | MS_RDONLY.
NVIDIA GPU device passthrough via bind-mounting device nodes into the container. Also bind-mounts host NVIDIA driver libraries from /usr/lib.
| Device | Path |
|---|---|
| nvidia* | /dev/nvidia* |
| nvidiactl | /dev/nvidiactl |
| nvidia-uvm | /dev/nvidia-uvm |
| nvidia-uvm-tools | /dev/nvidia-uvm-tools |
| dri/* | /dev/dri/* |
clone() with CLONE_NEW* flags allocates new stack and spawns child process/bin/bash, or /bin/sh with optional command via -c flagwaitpid() on child, then cleans up: slirp4netns kill, cgroup removal, work directory removalMinimal /dev via tmpfs with bind-mounted host device nodes. Includes devpts for PTY allocation and shared memory tmpfs.
null ยท zero ยท random ยท urandom ยท tty
devpts ยท shm ยท proc ยท sysfs ยท tmpfs /tmp ยท tmpfs /run
/dev/fd ยท /dev/stdin ยท /dev/stdout ยท /dev/stderr ยท /dev/ptmx
Skip user namespace with --privileged for full capabilities. Required for NFS/CIFS/FUSE mounts inside containers.
Container settings in scorpiox-env.txt: