The introduction of user namespaces in the Linux kernel has opened the
doors to running containers as default user logins via e.g. ssh or desktop.
On Fedora, bwrap-oci lets you make use of this feature, as I will
The concept behind user namespaces is quite simple: UIDs and GIDs in
a user namespace are converted to a different set in the parent
namespace, so that an application thinks it’s executed as root while
instead a non-privileged user is running it.
User namespaces are not limited to altering an application’s UID/GID
mappings, a user can keep capabilities in the new namespace and
together with other namespaces perform privileged operations there
that are unprivileged in the parent namespace. For example, an
application with a new network namespace can create firewall rules
that only affect its namespace. This offers extra security since the
container is limited to the user that is running it, so even if
something goes wrong the process has no more privileges than the user
who runs it (unless things go very wrong!).
Read More »