forked from containers/bubblewrap
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
In discussion in containers#150 it was noted that most of the bwrap command line tends towards "closed by default, request open". But the `--unshare` options are inverse. Now, I suspect in practice there's only one namespace that most users will care about, which is the network namespace. There are very useful programs to build on both cases. I think everything else (pid, ipc, uts) people will want as a group. Any cases that are unusual enough to want to turn one of them off can still fall back to the previous bwrap behavior of explicitly unsharing. They're likely to be security sensitive enough that if a new namespace were added, it would make sense to evaluate the tool. But again I think most users will want all namespaces, with the network one as a primary "enable it" option.
- Loading branch information
Showing
2 changed files
with
27 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters