Mailing list for discussing bubblewrap code
Jeremiah C. Foster
jeremiah.foster at puri.sm
Sat Jun 19 15:17:46 UTC 2021
On Tue, 2021-06-15 at 13:30 +0200, Marc Gonzalez wrote:
> > bubblewrap is a nice tool for setting up a sandbox, but it is very
> > very raw. It's basically a zero-abstraction CLI interface to the
> > kernel apis for sandboxing. So, you have to know a lot of how
> > those
> > work to use the tool.
>
>
> I am willing to invest time to understand namespaces and bind mounts.
> (I have been reading up on these concepts for a few weeks.)
As an aside, Michael Kerrisk has a course on the various kernel parts
that make up the isolation apis (namespaces, cgroups, etc.) that I've
taken and can recommend. In addition, he's published a great deal of
documentation on LWN which you may find helpful.[1]
For the case you mention regarding ownership of the nested containers,
I would look at cgroups2 which has some logic that controls ownership
of isolated namespaces and the requisite capabilities for controling
the same.
Cheers,
Jeremiah
1. https://lwn.net/Articles/531114/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Namespaces in operation, part 1 namespaces overview.pdf
Type: application/pdf
Size: 84396 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20210619/36eddfc4/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20210619/36eddfc4/attachment-0001.sig>
More information about the Flatpak
mailing list