Project News

Unprivileged containers with bwrap-oci and bubblewrap

The introduction of user namespaces in the Linux kernel has opened the doors to running containers as default user logins via e.g. ssh or desktop. On Fedora, bwrap-oci lets you make use of this feature, as I will demonstrate.

The concept behind user namespaces is quite simple: UIDs and GIDs in a user namespace are converted to a different set in the parent namespace, so that an application thinks it’s executed as root while instead a non-privileged user is running it. User namespaces are not limited to altering an application’s UID/GID mappings, a user can keep capabilities in the new namespace and together with other namespaces perform privileged operations there that are unprivileged in the parent namespace. For example, an application with a new network namespace can create firewall rules that only affect its namespace. This offers extra security since the container is limited to the user that is running it, so even if something goes wrong the process has no more privileges than the user who runs it (unless things go very wrong!).

Read More »

Fedora Atomic 26 Released

Fedora Atomic 26 is now generally available. This contains updated package versions to match all of the content in Fedora Server 26, as well as updates to the container platforms. While we release updates every 2 weeks, this release contains a collection of major improvements including:

  • latest rpm-ostree with improvements in package layering
  • default to Overlay2 filesystem for better container storage
  • Docker version 1.13.1
  • Latest versions of Cockpit and Atomic CLI

We’re all very excited about the steps forward Atomic Host is taking with this major release. We hope you’re just as excited to try them. Read on for information about software, upgrading, and more.

Read More »