Sandboxing data crunches, chapter 3: containerize

User namespace

“Easy” namespaces

Mount Namespace

The overlayfs-chroot filesystem restricts a process to only read files we supply and only write to a single file.
Steps to create our chroot filesystem

Network Namespace

  • Good thing we used chroot (though unmount would be better): now Step can have a different /etc/resolv.conf. (Workbench’s Step process uses external DNS: and
  • Good thing we disallow concurrent Step processes per Renderer: now we can hard-code a network-interface name. (Network-interface names must be unique in the Renderer network namespace.)
  • Good thing we made an init script for setting up our chroot. That init script is the perfect place to write our iptables rules. (The rules never change because we hard-coded our network-interface names.)
The crux of Workbench’s network-namespace logic




Journalist, ex software engineer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to install an SSL Certificate on Tableau Server?

Memory library in Kernel

Google Summer of Code: Week 10

How to design a thread pool?

How to create your own custom user model in Django?

My Lessons So Far In SCA Mentorship Cohort 2.

Aim 1.3.8 — Enhanced Table and Advanced Group Coloring

Big Data Arrays with Python

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Hooper

Adam Hooper

Journalist, ex software engineer

More from Medium

[Solved] Pytest Error: ImportError: Error importing plugin ‘’: No module named …

Python & Oracle Database Connection — A Simple Guide for Dataframe Creation

Lambda in Python

Unit Testing in Python-Unittest