
Build a container, one primitive at a time

Toggle namespaces, drop capabilities, set cgroup limits, and pivot the root. Nothing here is simulated: every action maps to a real kernel call.

[Interactive panel, initial state: HOST and CONTAINER side by side. Namespaces: PID, Mount, Network, UTS, IPC, User, Cgroup, all shared. Capabilities (dropped ones shown faded): SYS_ADMIN, NET_ADMIN, SYS_MODULE, SYS_TIME, SYS_PTRACE, NET_RAW, NET_BIND_SERVICE, CHOWN. cgroup limits: memory.max = unlimited, cpu.max = 100%. seccomp: off. pivot_root: pending. Isolation score: 0/100.]

Start from a bare process that shares everything with the host. Unshare namespaces, drop capabilities, pivot root, and watch the isolation score climb.
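The same sequence the panel's toggles drive, written out as the underlying Linux system calls. This is an added example, not the lab's own code: it assumes Linux, root on the host, cgroup v2 mounted at `/sys/fs/cgroup`, and a prepared root filesystem directory passed as the first argument; the cgroup name `lab-sandbox`, the `256M` / 50% limits and the choice to keep only `CAP_NET_BIND_SERVICE` are illustrative values. Seccomp stays off, matching the panel's default.

```c
/* Added example (not the lab's code): namespaces, cgroup limits, pivot_root and
 * capability drop as raw kernel calls. Assumes Linux, root, cgroup v2 at
 * /sys/fs/cgroup, and a rootfs directory in argv[1]. Seccomp is left off. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>
#ifndef CLONE_NEWPID              /* <sched.h> hides CLONE_NEW* without _GNU_SOURCE */
#include <linux/sched.h>
#endif
int unshare(int flags);           /* glibc declares these only under _GNU_SOURCE */
long syscall(long number, ...);

/* Map a panel toggle name ("pid", "mnt", ...) to its clone(2) flag; 0 if unknown. */
static int ns_flag(const char *name) {
    static const struct { const char *n; int f; } tab[] = {
        {"pid", CLONE_NEWPID}, {"mnt", CLONE_NEWNS},  {"net", CLONE_NEWNET},
        {"uts", CLONE_NEWUTS}, {"ipc", CLONE_NEWIPC}, {"user", CLONE_NEWUSER},
        {"cgroup", CLONE_NEWCGROUP},
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tab[i].n, name) == 0) return tab[i].f;
    return 0;
}

/* "pid,mnt,net" -> CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWNET; -1 if any name is unknown. */
int ns_flags_from_list(const char *list) {
    char buf[128];
    int flags = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int f = ns_flag(tok);
        if (f == 0) return -1;
        flags |= f;
    }
    return flags;
}

/* Remove every capability not in `keep` (bitmask by CAP_* number) from the bounding
 * set. After exec, a root process's capabilities are bounded by this set, so the
 * dropped ones cannot come back. Returns the count dropped, -1 on error. */
int drop_bounding_set(unsigned long long keep) {
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & (1ULL << cap)) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0) dropped++;
        else if (errno != EINVAL) return -1;   /* EINVAL: cap unknown to this kernel */
    }
    return dropped;
}

static int write_file(const char *path, const char *val) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, val, strlen(val));
    close(fd);
    return n == (ssize_t)strlen(val) ? 0 : -1;
}

/* cgroup v2: create a child group, set memory.max and cpu.max, move ourselves in. */
int apply_cgroup_limits(const char *cg, const char *mem_max, const char *cpu_max) {
    char path[256], pid[32];
    if (mkdir(cg, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/memory.max", cg);
    if (write_file(path, mem_max) != 0) return -1;
    snprintf(path, sizeof path, "%s/cpu.max", cg);
    if (write_file(path, cpu_max) != 0) return -1;
    snprintf(path, sizeof path, "%s/cgroup.procs", cg);
    snprintf(pid, sizeof pid, "%d", getpid());
    return write_file(path, pid);
}

/* pivot_root(2): make rootfs the root and detach the old one, so the host
 * filesystem is unreachable from inside. Needs an unshared mount namespace. */
int pivot_into(const char *rootfs) {
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -1;  /* no propagation to host */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) != 0) return -1; /* new root must be a mount */
    if (chdir(rootfs) != 0) return -1;
    if (syscall(SYS_pivot_root, ".", ".") != 0) return -1;  /* old root now stacked under "." */
    if (umount2(".", MNT_DETACH) != 0) return -1;           /* detach the old root */
    return chdir("/");
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <rootfs>\n", argv[0]); return 2; }
    /* cgroup first: /sys/fs/cgroup disappears once we pivot. "50000 100000" = 50% of one CPU. */
    if (apply_cgroup_limits("/sys/fs/cgroup/lab-sandbox", "256M", "50000 100000") != 0) { perror("cgroup"); return 1; }
    if (unshare(ns_flags_from_list("pid,mnt,net,uts,ipc,cgroup")) != 0) { perror("unshare"); return 1; }
    pid_t child = fork();   /* the new PID namespace takes effect for the first child */
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        if (pivot_into(argv[1]) != 0) { perror("pivot_root"); _exit(1); }
        if (drop_bounding_set(1ULL << CAP_NET_BIND_SERVICE) < 0) { perror("prctl"); _exit(1); }
        execl("/bin/sh", "sh", (char *)NULL);
        perror("exec"); _exit(1);
    }
    int status = 0;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The order matters: the cgroup move happens before `unshare` and `pivot_root` because the cgroup filesystem is no longer visible afterwards, and the PID namespace only applies to the next child, which is why the work is done after `fork`. Adding the User namespace to the list only makes sense with uid/gid maps written first, which this example does not do.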

Shortcuts: C preset · P pivot · S seccomp · L launch · X reset
Tap toggles to shape the sandbox.