Bubblewrap Container

The bubblewrap container uses the bubblewrap utility to create a new kernel namespace and runs the requested binary in this sandbox isolated from the rest of the system. This is the base technology used in the Linux Flatpak ecosystem. See the Bubblewrap Container Example for an example setup with test applications.

At least bubblewrap version 0.5 needs to be installed on the target system; using the latest upstream release is recommended, however.

The bubblewrap container is built as a plugin and loaded, but not enabled by default. It can be configured in the application manager's config file using its unique ID: bubblewrap:

containers:
  bubblewrap:
    unshareNetwork: no
    bindMountHome: yes
    configuration:
      symlink:
        usr/lib: '/lib'
        usr/lib64: '/lib64'
        usr/bin: [ '/bin', '/sbin' ]
      ro-bind:
        /usr/bin: '/usr/bin'
        /usr/lib: '/usr/lib'
        /usr/lib64: '/usr/lib64'
        /etc: '/etc'
        /usr/share/fonts: '/usr/share/fonts'
        /usr/share/fontconfig: '/usr/share/fontconfig'
        /usr/share/ca-certificates: '/usr/share/ca-certificates'
        /sys/dev/char: '/sys/dev/char'
        ${CONFIG_PWD}/imports: '${CONFIG_PWD}/imports'
      ro-bind-try:
        '/sys/devices/pci0000:00': '/sys/devices/pci0000:00'
        /usr/share/glvnd/egl_vendor.d: '/usr/share/glvnd/egl_vendor.d'
        /usr/share/X11/xkb: '/usr/share/X11/xkb'
        /run/resolvconf: '/run/resolvconf'
      dev: '/dev'
      dev-bind:
        /dev/dri: '/dev/dri'
      tmpfs:
        /tmp
      proc:
        /proc

The bubblewrap container accepts the following configuration settings:

Settings Name | Type | Description
bwrap-location | string | The path to the bwrap binary. If no path is configured, the standard $PATH is searched for the executable.
configuration | object | A two-stage mapping object that configures the sandboxing of the plugin. The top-level keys are translated into options passed to the bubblewrap binary; the values are used as the arguments for those options. Here is an example configuration:

configuration:
  symlink:
    usr/lib: '/lib'
    usr/lib64: '/lib64'
    usr/bin: [ '/bin', '/sbin' ]
  ro-bind:
    /usr/bin: '/usr/bin'
    /usr/lib: '/usr/lib'
    /usr/lib64: '/usr/lib64'

bindMountHome | bool | Mounts the whole home directory of the current user into the container. This is intended for development purposes. (default: false)
unshareNetwork | string | Network configuration of the container. When set to yes (the default), no network is shared into the container. With no, the full host network is shared. For a more detailed configuration, a path to a shell script can be set; the script is executed when the container starts and when it stops. See Bubblewrap Container Example for an example script.
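The following is an added example, not the application manager's own code: it applies the translation rule described above (top-level keys of configuration become bwrap options, their values become the option arguments) to a constructed copy of the sample configuration, and also lists which destinations end up writable inside the sandbox, which is the first thing to audit in such a config. It assumes that ${CONFIG_PWD} expands to the directory holding the config file, and that bindMountHome maps to a writable --bind of the user's home; both are assumptions, not something the page states.

```python
# Added example (not the application manager's implementation): build the
# bwrap argument vector from a "bubblewrap:" container settings mapping.
from string import Template

# Constructed input mirroring the page's sample configuration (abridged).
SAMPLE_CONTAINER_CONFIG = {
    "unshareNetwork": "no",
    "bindMountHome": True,
    "configuration": {
        "symlink": {"usr/lib": "/lib", "usr/bin": ["/bin", "/sbin"]},
        "ro-bind": {"/usr/bin": "/usr/bin",
                    "${CONFIG_PWD}/imports": "${CONFIG_PWD}/imports"},
        "ro-bind-try": {"/run/resolvconf": "/run/resolvconf"},
        "dev": "/dev",
        "dev-bind": {"/dev/dri": "/dev/dri"},
        "tmpfs": "/tmp",
        "proc": "/proc",
    },
}

def _truthy(value):
    # YAML 1.1 loaders turn yes/no into bool; others keep the string.
    return value is True or str(value).lower() in ("yes", "true", "on")

def build_bwrap_args(cfg, config_pwd="/etc/am", home="/home/user"):
    """Return the bwrap argument list for one container config mapping."""
    def expand(s):  # assumption: ${CONFIG_PWD} is the config file's directory
        return Template(s).safe_substitute(CONFIG_PWD=config_pwd)
    args = []
    if _truthy(cfg.get("unshareNetwork", "yes")):
        args.append("--unshare-net")  # default: no host network in the sandbox
    # "no" shares the host network (no flag); any other value is a start/stop
    # script path run by the manager, which is not a bwrap option either.
    if _truthy(cfg.get("bindMountHome", False)):
        args += ["--bind", home, home]  # assumption: writable home bind
    for option, value in cfg.get("configuration", {}).items():
        flag = "--" + option
        if isinstance(value, dict):  # SRC: DEST pairs, e.g. ro-bind
            for src, dests in value.items():
                for dest in (dests if isinstance(dests, list) else [dests]):
                    args += [flag, expand(src), expand(dest)]
        elif isinstance(value, list):  # option repeated per list item
            args += [a for v in value for a in (flag, expand(v))]
        else:  # single argument, e.g. tmpfs: /tmp
            args += [flag, expand(value)]
    return args

def writable_mounts(args):
    """Destinations bound writable into the sandbox; audit these first."""
    return [args[i + 2] for i, a in enumerate(args) if a in ("--bind", "--dev-bind")]
```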

© 2023 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.