[kondu]

Docker containers aren't safe enough to run untrusted code, there are privilege escalation vulnerabilities reported fairly often.

[curt15]

The common wisdom used to be that containers are not a security boundary. Is that still the case?

[AlexCoventry]

I don't think bubblewrap is any better in that regard.

[purplehat_]

Why do you say that?

Bubblewrap is a it's a very minimal setuid binary. It's 4000 lines of C but essentially all it does is parse your flags ask the kernel to do the sandboxing (drop capabilities, change namespaces) for it. You do have to do cgroups yourself, though. It's very small and auditable compared to docker and I'd say it's safer.

If you want something with a bit more features but not as complex as docker, I think the usual choices are podman or firejail.

[AlexCoventry]

Thanks for the pushback, I will take a look.

[exceptione]

bwrap just works in rootless mode and doesn't tamper with your firewall.