
For the open-source Windmill project, we need to support sandboxing of TypeScript (Deno) and Python. For Deno we could have just relied on the V8 isolate and the Deno layer of isolation. But for Python we could not anyway, so we had to come up with a common solution. We chose nsjail in the end and it works really well. All the config files are here: https://github.com/windmill-labs/windmill/tree/main/nsjail and this is how it is spawned from within the Rust worker: https://github.com/windmill-labs/windmill/blob/main/backend/...

Happy to expand more on my experience of making this work at scale.



