30 open-source projects similar to ioi/isolate, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Isolate alternative.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It creates secure environments by leveraging Linux namespaces to separate system resources, including network, PID, and IPC stacks. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by disabling the execution of setuid binaries and uses user identity mapping to isolate process permissions from the host operating system. The tool manages a comprehensive security sur
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
crun is a low-level container runtime that implements the Open Container Initiative specification for managing the lifecycle of isolated processes. It provides the core mechanisms for container creation, execution, and deletion, ensuring compatibility across platforms through standardized lifecycle management. The project distinguishes itself by offering a shared C library that allows container runtime operations to be embedded directly into other compiled applications. It further extends execution capabilities through specialized handlers that enable the deployment of containers within isola
Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee
Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per
Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a containerized sandbox that isolates processes from the host operating system, ensuring that arbitrary scripts can be run without granting them unauthorized access to sensitive data or critical system resources. The project distinguishes itself through a multi-layered security approach that combines kernel-level isolation with strict resource management. By utilizing Linux namespaces and container-based process isolation, it partitions system resources to maintain visibility bo
Docker CE is an OCI compliant container platform and runtime engine used for building and running applications within isolated environments. It functions as a Linux container orchestrator and provides a command-line interface to manage the entire lifecycle of running application instances. The platform enables containerized application deployment and cross-platform software distribution by packaging software with its dependencies. It supports microservices architecture management and the creation of reproducible local development environments. The system includes capabilities for application
LXC is an OS-level virtualization framework and Linux container manager used to run multiple isolated Linux systems on a single host. It functions as a kernel namespace orchestrator and unprivileged container runtime, allowing for the creation and management of system containers without the overhead of a hypervisor. The project provides unprivileged container execution by mapping container root users to unprivileged host users to prevent host system access. It ensures security through system call filtering and root user isolation, enabling containers to run without requiring host root privile
Lunatic is a WebAssembly runtime and concurrent process manager that implements an Erlang-inspired model of lightweight concurrency and fault tolerance. It functions as a distributed actor system where isolated processes communicate via message passing across a network of linked nodes. The system utilizes a WebAssembly sandbox environment to isolate memory and restrict system call permissions for each individual process. This capability-based security model ensures that processes are sandboxed to safely execute untrusted code. The platform provides a fault-tolerant supervision tree for hiera
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Docker is an OCI container engine and runtime orchestrator used to build, run, and manage isolated applications. It functions as a container image builder for creating portable snapshots of applications and a registry manager for storing, versioning, and distributing those images across environments. The platform provides a centralized daemon to control the creation, execution, and termination of containerized workloads. It allows for the assembly of modular container systems by combining build tools, registries, and runtimes. Its core capabilities cover container image creation, registry ad
F Prime is a component-based framework designed for the development and deployment of embedded and spaceflight software. It provides a modular architecture that decouples software logic from communication interfaces, allowing developers to define system structures through a domain-specific modeling language. This model-based approach enables automated code generation, ensuring consistency across complex system topologies while maintaining strict interface contracts between software modules. The framework distinguishes itself through its integrated build system and ground data operations suite
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Microsandbox is a microVM sandbox runtime and hardware-isolated code executor designed for running untrusted code. It functions as an embedded virtual machine manager that allows applications to spawn and control lightweight virtual machines directly within code without the need for a background daemon. The system provides a secure execution environment for AI agents by exposing server controls that allow them to execute tools and manage files. It utilizes standard container image formats and volume workflows to initialize guest virtual machines and implements a secret management mechanism th
Microsandbox is a runtime for creating and managing lightweight, hardware-isolated virtual machines — called sandboxes — that boot directly from standard OCI container images. Each sandbox runs as its own host process with a separate kernel, filesystem, and network stack, providing process-per-sandbox isolation. The project includes a command-line tool and multi-language SDKs (Rust, TypeScript, Python, Go) for programmatic lifecycle control, and it communicates with sandbox agents over Unix sockets using a CBOR-encoded protocol. What distinguishes Microsandbox is its combination of host-manag
Toolbox is a development workspace orchestrator and container environment manager that bootstraps mutable toolsets and SDKs inside containers. It functions as a Linux distribution sandbox and a host-integrated container runtime, allowing users to run native package managers and software without modifying the host operating system. The project differentiates itself by bridging isolated containers with the host system through the mapping of user identities, network sockets, and home directories. It utilizes a daemonless engine to provide these environments while ensuring that system configurati
x11docker is an OCI container GUI orchestrator and hardware bridge designed to execute graphical applications and full desktop environments inside containers. It functions as a Linux GUI sandbox, linking containerized processes to host X11 or Wayland display servers and audio systems. The project differentiates itself by providing deep system integration for hardware acceleration, including NVIDIA driver automation and GPU passthrough. It supports cross-architecture GUI emulation and provides remote access capabilities through VNC, SSH forwarding, and browser-based HTML5 rendering. The tool
This project is a JVM testing framework that provides a foundation for defining and running automated tests using a pluggable engine architecture. It functions as a JVM test orchestrator and a modular test engine API, allowing multiple testing engines to be grouped and executed as a single coordinated unit. The framework includes a platform launcher for discovering and executing test suites from build systems, integrated development environments, or the command line. It enables the creation of custom testing frameworks through a standardized interface that integrates into a shared execution p
Jest is a JavaScript testing framework that integrates a test runner, an assertion library, and a snapshot testing tool. Its primary purpose is to provide a comprehensive environment for writing and running automated JavaScript tests to verify software correctness. The framework is distinguished by its snapshot testing capabilities, which capture the state of large objects or rendered components to detect regressions over time. It also features a reactive watch mode that monitors file changes and automatically executes only the tests related to modified code. The project covers a broad range
This project is an OS-level process sandbox and cross-platform security wrapper for Linux and macOS. It is designed to isolate arbitrary processes from the host machine by restricting filesystem and network access without the use of full containerization. The system functions as a system-call interceptor and access controller, blocking unauthorized operating system calls based on predefined security policies. It employs allowlists and denylists to manage resource requests and monitors for security violations in real time. Capability areas include filesystem access management using glob-patte
This project is an educational platform and tutorial series designed to teach the Go programming language through the practice of test-driven development. It provides a structured path for developers to master language fundamentals, concurrency, and standard library usage by building functional applications in small, verifiable increments. The core methodology centers on the test-driven development cycle, where failing tests are written before implementation to define requirements and ensure code correctness. This approach is applied across a wide range of practical scenarios, including the c
Faker is a Python library designed to generate realistic synthetic data for software testing, database prototyping, and privacy-preserving anonymization. It provides a comprehensive suite of tools to create diverse information types, including personal identities, financial records, geographic locations, and technical system metadata, allowing developers to populate environments with mock data that mimics real-world structures. The library is built on a modular provider architecture that supports dynamic method dispatch, enabling users to extend functionality by registering custom data genera
Robot Framework is a keyword-driven automation framework designed for acceptance testing and robotic process automation. It utilizes a human-readable, tabular syntax to define test cases and workflows, separating the automation logic from the underlying implementation. By mapping plain-text keywords to executable commands, the framework enables the creation of maintainable and reusable automation sequences. The platform distinguishes itself through a modular architecture that supports the integration of custom libraries and external modules. This extensibility allows users to expand the frame
Spin is a WebAssembly serverless framework and development toolchain for building and running portable microservices. It functions as an event-driven orchestrator and runtime that executes WebAssembly components, allowing developers to map HTTP requests, Redis messages, and cron schedules to specific modules. The project distinguishes itself by implementing a Wasm-based AI inference gateway, enabling components to perform model inference and generate text embeddings. It utilizes the WebAssembly Component Model and WASI for language-agnostic composition and portable host interfacing, while emp
Apache Mesos is a distributed systems kernel and cluster resource manager that abstracts CPU, memory, and storage across a pool of nodes. It functions as a distributed infrastructure orchestrator, providing a layer to run multiple orchestration frameworks on a shared set of physical or virtual machines. The system acts as a resource isolation engine, dividing a shared cluster into isolated containers to run diverse workloads concurrently. It enables multi-framework orchestration, allowing different distributed application frameworks to share a single infrastructure to maximize hardware utiliz
JupyterLite is a WebAssembly-based interactive notebook environment that enables browser-based computing without a backend server. It provides a client-side data science sandbox where users can execute programming language kernels and run interactive notebooks entirely within the web browser. The project allows for the creation of tailored distributions by pre-installing specific language packages, bundling custom wheels, and applying environment configurations. It supports the generation of static sites that can be deployed to any standard HTTP host, including the ability to package the envi