This would be a great option to run unsafe code. Using python to run basic tasks in LLM-based architectures is becoming very popular. This requires running code generated by LLMs.
While we could use actual docker container and marshal data between them, pyspaces look like a much better solution to create containers on the fly (basic namespaces) and run a code there.

After pip install pyspaces

adminuser@adminuser-VirtualBox:~/git/_test$ space chroot --pid --uid '0 1000 1' ~/.local/share/lxc/ubuntu/rootfs/ /bin/ls /home/

Traceback (most recent call last): File "/usr/local/bin/space", line 9, in <module> load_entry_point('pyspaces==1.2.2', 'console_scripts', 'space')() File "/usr/local/lib/python2.7/dist-packages/pyspaces/cli.py", line 99, in cli args.func(args, extra) File "/usr/local/lib/python2.7/dist-packages/pyspaces/cli.py", line 142, in chroot c.start() File "/usr/lib/python2.7/multiprocessing/process.py", line 130, in start self._popen = Popen(self) File "/usr/local/lib/python2.7/dist-packages/pyspaces/cloning.py", line 102, in __init__ 'Can not execute clone' RuntimeError: Can not execute clone

Any update, deprecated or no need to upgrade?

I want to use your project to jail processes instead of Docker

mysys / # mount | grep /mnt
mysys / # python2.7 /usr/bin/space execute --pid --mnt bash -c 'mount -t tmpfs tmpfs /mnt'
mysys / # mount | grep /mnt
tmpfs on /mnt type tmpfs (rw,relatime)

From the above experiment, we can see that the /mnt mount is not isolated in the "mount namespace" of the new process.

compare to unshare, which behaves correctly:

mysys / # mount | grep /mnt
mysys / # unshare -m bash -c 'mount -t tmpfs tmpfs /mnt'
mysys / # mount | grep /mnt

It is very ugly to call "unshare" in my python script compared to the pyspaces.Container API.
Although the experiment is done with CLI, but I know the API behaves the same.

fpemud@l02107b ~/workspace/strict_pgs $ space execute -v --pid --mnt --user --uid 1000 --gid 1000 bash -c 'mount -t proc /proc; ps ax'
Traceback (most recent call last):
  File "/usr/bin/space", line 9, in <module>
    load_entry_point('pyspaces==1.4', 'console_scripts', 'space')()
  File "/usr/lib64/python3.3/site-packages/pyspaces/cli.py", line 133, in cli
    args.func(args, extra)
  File "/usr/lib64/python3.3/site-packages/pyspaces/cli.py", line 152, in execute
    all=args.all
  File "/usr/lib64/python3.3/site-packages/pyspaces/process.py", line 188, in __init__
    for k in getargspec(Process.__init__).args:
  File "/usr/lib64/python3.3/inspect.py", line 826, in getargspec
    raise ValueError("Function has keyword-only arguments or annotations"
ValueError: Function has keyword-only arguments or annotations, use getfullargspec() API which can support them

The error disappears after I change getargspec to getfullargspec.
Is it a bug? Should I submit a pull request?

mysys / # mount | grep /mnt
mysys / # python2.7 /usr/bin/space execute --mnt bash -c 'mount -t tmpfs tmpfs /mnt'
mysys / # mount | grep /mnt
tmpfs on /mnt type tmpfs (rw,relatime)

From the above experiment, we can see that the /mnt mount is not isolated in the "mount namespace" of the new process.

unshare behaves correctly on my system:

mysys / # mount | grep /mnt
mysys / # unshare -m bash -c 'mount -t tmpfs tmpfs /mnt'
mysys / # mount | grep /mnt

It is very ugly to call "unshare" in my python script compared to the pyspaces.Container API.
Although the experiment is done with CLI, but I know the API behaves the same.