bubblewrap VS podman

Nothing nix specific but you may be interested in https://github.com/containers/bubblewrap

Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.

```

This is basically manually invoking what Flatpak does:

https://github.com/containers/bubblewrap

This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux distribution in order to make highly portable AppImages— Been meaning to post that, will get around to it eventually maybe.

The flags above should hide your user data (`--tmpfs`), disable network access (`--unshare-all`), hide/virtualize devices and OS state (`--dev` and `--proc`), and make the rest of the root filesystem read-only (`--ro-bind`­— Including the insecure X11 socket in `/tmp`, which you might want to expose for GUI apps).

Check them against `bwrap --help`; I might have omitted one or two more things you'd need.

While trying to find out more comparison information, found this light on details issue:

https://github.com/containers/bubblewrap/issues/81

It mentions nsjail and minijail.

Example of why: https://github.com/containers/podman/issues/5102#issuecommen...

Podman

Even though we will focus on Docker for this article, I wanted to mention that there are more container creation and management tools such as Podman, Rkt, and so on.

By using containerization, the application will always have the same configuration that is used in the development environment and production environment. There is no more "It works on my machine". Some examples of containerization technologies are Docker and Podman.

Podman Documentation. Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System.

AFAIK podman either already supports pods in quadlet container files, or will in the near future. https://github.com/containers/podman/pull/20762

Podman as a devcontainers engine doesn't currently work if you use devcontainer features [1] or (and this sounds like you're issue) if you use WSL2.

I haven't submitted the WSL2 issue to the Podman team yet. If you get to it before I do, can you like it here?

https://github.com/containers/podman/issues/18691#issuecomme...

You can also use their Oracle Linux Docker images with the database preinstalled using either Podman or Docker. Just make absolutely sure you are downloading something you are licensed to use, because it seems really easy to accidentally infringe copyright via this method.

It's an open source project. https://github.com/containers/podman and https://podman.io - go there, get engaged, see what's going on and most important become part of the community and contribute!