envdeploy is a web server that runs and provides access to multiple instances of a web application. Given a web application which is written to serve one user only, envdeploy can serve such an application to multiple users by running a separate instance of the application for each user. The primary use-case is encapsulating Jupyter notebooks, although the approach taken is quite general and should be widely compatible.
Underneath, envdeploy runs an instance of the application by spawning the application's entry system process in its own cgroup and a separate Linux network namespace. It also reserves a URL path prefix for the instance and proxies any requests matching that prefix to the HTTP server in the network namespace of the instance. cgroups provide tight control over the system processes comprising an instance of the application and allow for safe clean-up of the instance. Network namespaces isolate the inner HTTP servers of each instance without the need for allocation of distinct ports. A veth device pair is set up between the instance's and host network namespaces, and by supplying appropriate routing rules, the application's network namespace can be connected to the Internet.
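The per-instance network setup described above, as an added example that is not envdeploy's own code: it prints the `ip` commands for one instance's namespace and veth pair, and adds the NAT rule for outbound access only when an uplink is named. The `envd-*` names, the 10.200.0.0/16 address pool, the inner port 8888 and the uplink name are assumptions.

```shell
#!/bin/sh
# Added illustration, not envdeploy's code. Assumed names: envd-* devices,
# the 10.200.0.0/16 pool, inner port 8888, and the uplink given by the caller.

# Instance N owns the /30 at offset 4*N: .1 is the host end, .2 the instance end.
host_addr()  { b=$(( $1 * 4 )); echo "10.200.$(( b / 256 )).$(( b % 256 + 1 ))"; }
guest_addr() { b=$(( $1 * 4 )); echo "10.200.$(( b / 256 )).$(( b % 256 + 2 ))"; }

# Every instance listens on the same inner port; only the address differs,
# so the host proxy maps the instance's URL prefix to this upstream.
upstream_for() { echo "http://$(guest_addr "$1"):8888"; }

# plan_instance_net N [UPLINK]: print (dry run) the root commands that create
# instance N's namespace and veth link. Nothing is executed here.
plan_instance_net() {
    n=$1; uplink=${2:-}
    # Reject empty, non-numeric and zero-padded ids (the latter parse as octal).
    case $n in ''|*[!0-9]*|0?*) echo "bad instance id" >&2; return 1;; esac
    [ "$n" -le 16383 ] || { echo "address pool exhausted" >&2; return 1; }
    ns="envd-$n"; vh="envd-h$n"; vg="envd-g$n"
    h=$(host_addr "$n"); g=$(guest_addr "$n")
    cat <<EOF
ip netns add $ns
ip link add $vh type veth peer name $vg
ip link set $vg netns $ns
ip addr add $h/30 dev $vh
ip link set $vh up
ip netns exec $ns ip link set lo up
ip netns exec $ns ip addr add $g/30 dev $vg
ip netns exec $ns ip link set $vg up
ip netns exec $ns ip route add default via $h
EOF
    # Outbound access is opt-in: without forwarding and NAT the instance can
    # reach nothing beyond the host end of its own veth pair.
    if [ -n "$uplink" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "iptables -t nat -A POSTROUTING -s $g/32 -o $uplink -j MASQUERADE"
    fi
}
```

Review the printed plan before piping it to a root shell; a host whose FORWARD chain defaults to DROP also needs explicit accept rules for the veth device.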
envdeploy can complement a containerization tool such as systemd-nspawn to spawn instances in containers. In such a scenario, envdeploy is responsible for network isolation and lifecycle management, while the other tool provides the remaining isolation by entering new namespaces in domains other than networking. It suffices to use the containerization tool in the application launch script supplied to envdeploy. Nonetheless, it is not necessary to involve containers to use envdeploy.
In case of interest in setting up or further developing envdeploy, let me know at nickname@protonmail.com.