[atomic-devel] Introducing bubblewrap


A few of us have been prototyping out in the background a new tool:

It came out of the situation that:
 - User namespaces (CLONE_NEWNS) are currently disabled
   for unprivileged users on e.g. CentOS 7 and Red Hat Enterprise Linux 7
 - The desktop wants unprivileged (but secure) container access, and
   we also want it for several server side use cases, such as build systems.
   I definitely want it by default for rpm-ostree.

Now because we're not very good at these things, it was imported
into projectatomic/ without public discussion, but better late than

And most notably, it's already been covered in LWN:


Currently it is not part of a product and has not had a rigorous
review from a security team.  However, I believe our approach
is good, and if anyone wants a peer-reviewed setuid binary
for container features, it's worth considering bubblewrap!

It builds on CentOS 7 today, and is already part of our
gitoverlay builds:


