[atomic-devel] Introducing bubblewrap
- From: Colin Walters <walters verbum org>
- To: atomic-devel projectatomic io
- Subject: [atomic-devel] Introducing bubblewrap
- Date: Thu, 05 May 2016 10:18:21 -0400
Hi,
A few of us have been prototyping out in the background a new tool:
https://github.com/projectatomic/bubblewrap
It came out of the situation that:
- User namespaces (CLONE_NEWNS) are currently disabled
for unprivileged users, e.g. on CentOS 7 and Red Hat Enterprise Linux 7
- The desktop wants unprivileged (but secure) container access, and
we also want it for several server side use cases, such as build systems.
I definitely want it by default for rpm-ostree.
Now, because we're not very good at these things, it was imported
into projectatomic/ without public discussion, but better late than
never!
And, most notably, it's already been covered in LWN:
https://lwn.net/Articles/685374/
Currently it is not part of a product and has not had a rigorous
review from a security team. However, I believe our approach
is good, and if anyone wants a peer-reviewed setuid binary
for container features, it's worth considering bubblewrap!
It builds on CentOS 7 today, and is already part of our
gitoverlay builds:
https://github.com/cgwalters/continuous-atomic-overlay/commit/daeaae466a719e3a4285659a1124030c00454262
https://ci.centos.org/job/atomic-rdgo-centos7/