{"id":2954,"date":"2026-04-25T10:38:13","date_gmt":"2026-04-25T10:38:13","guid":{"rendered":"https:\/\/aiopsschool.com\/blog\/?p=2954"},"modified":"2026-04-25T10:38:13","modified_gmt":"2026-04-25T10:38:13","slug":"codex-is-using-bubblewrap-bwrap-for-coding-isolation-a-complete-guide","status":"publish","type":"post","link":"https:\/\/aiopsschool.com\/blog\/codex-is-using-bubblewrap-bwrap-for-coding-isolation-a-complete-guide\/","title":{"rendered":"Codex is using Bubblewrap (bwrap) for Coding Isolation &#8211; A Complete Guide"},"content":{"rendered":"\n<p>This is a <strong>complete end-to-end tutorial<\/strong> on <strong>Bubblewrap (bwrap)<\/strong> for engineers, DevOps users, and security-focused developers: what it is, how it isolates a process, how to install and drive it, and how to use it to contain the code that AI coding agents such as Codex, CI jobs and untrusted scripts execute on your machine.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Bubblewrap (bwrap) Complete Guide<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">End-to-End Tutorial for Secure Linux Sandboxing<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">1. 
What is Bubblewrap (bwrap)?<\/h1>\n\n\n\n<p><strong>Bubblewrap (bwrap)<\/strong> is a small, unprivileged Linux sandboxing tool that runs one command inside an <strong>isolated environment<\/strong>: an empty root filesystem plus exactly the files and directories you choose to bind into it.<\/p>\n\n\n\n<p>It is used by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Flatpak, which builds every application sandbox on top of it<\/li>\n\n\n\n<li>Desktop security components such as the WebKitGTK web-process sandbox and Steam&#8217;s pressure-vessel runtime<\/li>\n\n\n\n<li>Build and test sandboxes<\/li>\n\n\n\n<li>Developer tools, including AI coding agents such as Codex<\/li>\n<\/ul>\n\n\n\n<p><strong>Core idea:<\/strong><br>Bubblewrap creates <strong>restricted containers<\/strong> from Linux kernel primitives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Namespaces (a new mount namespace always; user, PID, network, IPC, UTS and cgroup namespaces on request)<\/li>\n\n\n\n<li>Bind mounts that expose selected host paths, read-only or writable<\/li>\n\n\n\n<li>User namespaces, so the sandbox is set up without root<\/li>\n\n\n\n<li>A private PID namespace, so the program sees only its own processes<\/li>\n<\/ul>\n\n\n\n<p>No Docker daemon, image or Kubernetes cluster is involved.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Why Bubblewrap Matters Today<\/h1>\n\n\n\n<p>Modern developer tools execute:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code<\/li>\n\n\n\n<li>Scripts<\/li>\n\n\n\n<li>Build steps<\/li>\n\n\n\n<li>Package installs<\/li>\n<\/ul>\n\n\n\n<p>Without sandboxing, every one of those steps runs with your full user account: <code>~\/.ssh<\/code>, <code>~\/.aws<\/code>, <code>~\/.kube<\/code>, your shell history and the network are all reachable from a malicious <code>postinstall<\/code> hook or an agent-generated <code>rm -rf<\/code>.<\/p>\n\n\n\n<p>Bubblewrap limits the blast radius of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malicious scripts<\/li>\n\n\n\n<li>Broken builds<\/li>\n\n\n\n<li>Unsafe dependencies<\/li>\n\n\n\n<li>Accidental file deletion<\/li>\n<\/ul>\n\n\n\n<p>It does this by controlling what the program can see and write. It does not shrink the kernel attack surface the way a virtual machine does, so treat it as a containment layer for code you mostly trust, not as a detonation chamber for malware.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">2. 
How Bubblewrap Works<\/h1>\n\n\n\n<p>Bubblewrap relies on three kernel features:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Namespaces<\/li>\n\n\n\n<li>Bind mounts inside a fresh mount namespace<\/li>\n\n\n\n<li>A tmpfs root that starts out empty<\/li>\n<\/ul>\n\n\n\n<p>Instead of creating a full container, it:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Creates a <strong>new mount namespace<\/strong> (plus any others requested with <code>--unshare-*<\/code>)<\/li>\n\n\n\n<li>Mounts an empty tmpfs as the new root<\/li>\n\n\n\n<li>Bind-mounts only the paths you list, each read-only or writable as you specify<\/li>\n\n\n\n<li>Drops all capabilities and executes the target program<\/li>\n\n\n\n<li>Tears the mounts and namespaces down when the program exits; nothing written outside a bound directory survives<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Bubblewrap Architecture Flow<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>flowchart LR\n    User --&gt; bwrap\n    bwrap --&gt; Namespace\n    Namespace --&gt; MountFS\n    MountFS --&gt; RunProgram\n    RunProgram --&gt; IsolatedExecution\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">3. 
Key Features of Bubblewrap<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Lightweight<\/h2>\n\n\n\n<p>No container runtime or image required.<\/p>\n\n\n\n<p>No daemon: <code>bwrap<\/code> is a single binary that sets up the sandbox and then execs your program.<\/p>\n\n\n\n<p>No heavy overhead: startup costs a few milliseconds, so it is cheap enough to wrap every command.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Isolation<\/h2>\n\n\n\n<p>Supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User isolation (user namespace with a uid\/gid mapping of your choice)<\/li>\n\n\n\n<li>File system isolation (empty root, explicit bind mounts)<\/li>\n\n\n\n<li>Process isolation (private PID namespace with <code>--unshare-pid<\/code>)<\/li>\n\n\n\n<li>Network restrictions (<code>--unshare-net<\/code> leaves only a down loopback interface; it is all or nothing, there is no per-host filtering)<\/li>\n\n\n\n<li>Capability dropping by default, plus an optional seccomp filter that you supply as a compiled BPF program via <code>--seccomp<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Flexible Mounting<\/h2>\n\n\n\n<p>You decide:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What files exist<\/li>\n\n\n\n<li>What directories are accessible<\/li>\n\n\n\n<li>What is read-only (<code>--ro-bind<\/code>)<\/li>\n\n\n\n<li>What is writable (<code>--bind<\/code>, <code>--tmpfs<\/code>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">No Root Required<\/h2>\n\n\n\n<p>Bubblewrap runs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unprivileged, through user namespaces, on any kernel that allows unprivileged user namespace creation (the default on current distributions)<\/li>\n\n\n\n<li>As a setuid-root helper on distributions that disable unprivileged user namespaces; in that mode it still drops all privileges before running your program<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">4. 
Where Bubblewrap is Used<\/h1>\n\n\n\n<p>Bubblewrap is widely used in:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flatpak<\/h2>\n\n\n\n<p>Every Flatpak application runs inside a bwrap sandbox that Flatpak assembles from the app&#8217;s declared permissions.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>flatpak run org.mozilla.firefox\n<\/code><\/pre>\n\n\n\n<p>Runs Firefox inside the sandbox. The generated <code>bwrap<\/code> command line, with all its <code>--ro-bind<\/code> and <code>--unshare<\/code> options, is visible in the host process list while Firefox runs.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Developer Tools<\/h2>\n\n\n\n<p>Used by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AI code runners<\/li>\n\n\n\n<li>Secure build tools<\/li>\n\n\n\n<li>Test runners<\/li>\n\n\n\n<li>CI systems<\/li>\n<\/ul>\n\n\n\n<p>Including tools like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Codex CLI<\/li>\n\n\n\n<li>Build sandboxes<\/li>\n\n\n\n<li>Packaging tools<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Security Sandboxes<\/h2>\n\n\n\n<p>Used in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Desktop Linux (thumbnailers and document previewers that parse untrusted files)<\/li>\n\n\n\n<li>Browser helper processes (the WebKitGTK web-process sandbox)<\/li>\n\n\n\n<li>Restricted environments<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">5. 
Installing Bubblewrap<\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">macOS<\/h1>\n\n\n\n<p>Bubblewrap depends on Linux namespaces and bind mounts, so there is no native macOS build. On a Mac, run a Linux VM (Lima, Multipass or a Docker Desktop container) and install it inside the guest with one of the package managers below. Codex itself uses Apple&#8217;s Seatbelt sandbox on macOS; the bwrap-based isolation this guide covers applies to Linux hosts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Install on Ubuntu \/ Debian<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update\nsudo apt install bubblewrap\n<\/code><\/pre>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap --version\n<\/code><\/pre>\n\n\n\n<p>Expected output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bubblewrap 0.x.x\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Install on RedHat \/ Fedora \/ CentOS Stream<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install bubblewrap\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Install on Amazon Linux<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo yum install bubblewrap\n<\/code><\/pre>\n\n\n\n<p>(Amazon Linux 2023 ships <code>dnf<\/code>; <code>yum<\/code> still works there as an alias.)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Install from Source (Advanced)<\/h1>\n\n\n\n<p>Current releases build with Meson; older tarballs used <code>.\/autogen.sh &amp;&amp; .\/configure &amp;&amp; make<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/containers\/bubblewrap\ncd bubblewrap\n\nmeson setup _build\nmeson compile -C _build\nsudo meson install -C _build\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">6. 
Understanding Core Bubblewrap Concepts<\/h1>\n\n\n\n<p>Before running commands, understand these core ideas.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Namespace<\/h1>\n\n\n\n<p>A namespace gives the sandboxed process its own private view of one kernel resource:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Processes (PID namespace: the program sees only what runs inside the sandbox)<\/li>\n\n\n\n<li>Files (mount namespace: always created; the bind mounts live here)<\/li>\n\n\n\n<li>Users (user namespace: your host uid is mapped to a uid of your choice, with no real privileges)<\/li>\n\n\n\n<li>Network (network namespace: only a loopback interface, no routes)<\/li>\n<\/ul>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--unshare-pid\n--unshare-net\n--unshare-user\n<\/code><\/pre>\n\n\n\n<p><code>--unshare-all<\/code> turns on every namespace at once; <code>--share-net<\/code> then re-enables only the network.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Mount Binding<\/h1>\n\n\n\n<p>Makes a host path visible inside the sandbox, writable.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--bind \/home\/user \/home\/user\n<\/code><\/pre>\n\n\n\n<p>The first path is the source on the host, the second is where it appears in the sandbox; they need not match. Binding your whole home directory writable, as in this example, hands the sandbox your credentials; in practice bind the project directory only.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Read-Only Mount<\/h1>\n\n\n\n<p>Same mapping, but writes inside the sandbox fail with a read-only filesystem error.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--ro-bind \/usr \/usr\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Temporary Filesystem<\/h1>\n\n\n\n<p>Creates an empty in-memory filesystem at the given path. Whatever the program writes there disappears when the sandbox exits.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--tmpfs \/tmp\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">7. 
Basic Bubblewrap Command<\/h1>\n\n\n\n<p>Minimal working example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --dir \/tmp \\\n  --proc \/proc \\\n  \/bin\/sh\n<\/code><\/pre>\n\n\n\n<p>This:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creates an isolated shell<\/li>\n\n\n\n<li>Mounts a minimal filesystem<\/li>\n\n\n\n<li>Runs the shell with no access to \/home, \/etc, \/var or anything else not listed<\/li>\n<\/ul>\n\n\n\n<p>The <code>\/lib<\/code> and <code>\/lib64<\/code> binds are not optional: <code>\/bin\/sh<\/code> is dynamically linked and on x86_64 its loader lives at <code>\/lib64\/ld-linux-x86-64.so.2<\/code>. Leave them out and bwrap reports <code>No such file or directory<\/code> for a binary that plainly exists. On a host that lacks one of these directories use <code>--ro-bind-try<\/code>, which skips a missing source instead of failing.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">What Happens Here?<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Step<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td>1<\/td><td>Creates a new mount namespace with an empty tmpfs root<\/td><\/tr><tr><td>2<\/td><td>Mounts \/usr read-only<\/td><\/tr><tr><td>3<\/td><td>Mounts \/bin, \/lib and \/lib64 read-only<\/td><\/tr><tr><td>4<\/td><td>Creates an empty \/tmp<\/td><\/tr><tr><td>5<\/td><td>Mounts a fresh \/proc<\/td><\/tr><tr><td>6<\/td><td>Starts the shell<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">8. Running Commands Inside Sandbox<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --dir \/tmp \\\n  --proc \/proc \\\n  \/bin\/ls \/\n<\/code><\/pre>\n\n\n\n<p>Runs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/\n<\/code><\/pre>\n\n\n\n<p>Inside the sandbox, which lists only the entries bwrap created: <code>bin<\/code>, <code>lib<\/code>, <code>lib64<\/code>, <code>proc<\/code>, <code>tmp<\/code> and <code>usr<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">9. 
Creating an Isolated Shell<\/h1>\n\n\n\n<p>Most common test scenario:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --dir \/tmp \\\n  --proc \/proc \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>Now you&#8217;re inside the sandbox.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Check isolation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/\n<\/code><\/pre>\n\n\n\n<p>You&#8217;ll see the minimal filesystem: only the directories bound or created above. Your home directory, <code>\/etc<\/code> and <code>\/var<\/code> do not exist here. Note that this shell still shares the host network and PID namespace, because none of the <code>--unshare<\/code> options was given.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">10. Using Read-Only Root Filesystem<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/ \/ \\\n  --tmpfs \/tmp \\\n  --proc \/proc \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>This makes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Root filesystem read-only\n<\/code><\/pre>\n\n\n\n<p>Safer execution against accidental damage, but not confidentiality: the entire host filesystem, including <code>~\/.ssh<\/code> and every credential file your user can read, is still readable from inside. Use this pattern for quick experiments only; for untrusted code, bind the few directories the program needs instead.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">11. Restricting File Access<\/h1>\n\n\n\n<p>Allow only a specific folder.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --bind ~\/project \/app \\\n  --chdir \/app \\\n  --dir \/tmp \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>Inside sandbox:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/app\n<\/code><\/pre>\n\n\n\n<p>Contains the project files, writable, and is the working directory. Apart from the read-only toolchain under <code>\/usr<\/code>, nothing else from the host exists. The <code>~<\/code> is expanded by your shell before bwrap starts, so the host path must exist.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">12. 
Creating Temporary Writable Directories<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--tmpfs \/tmp\n<\/code><\/pre>\n\n\n\n<p>Creates:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Temporary memory filesystem\n<\/code><\/pre>\n\n\n\n<p>Deleted automatically when the sandbox exits, and never shared with the host&#8217;s <code>\/tmp<\/code>, so a build cannot plant files for other processes to pick up.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">13. Running Applications in Sandbox<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<p>Run Python:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --proc \/proc \\\n  --dev \/dev \\\n  --tmpfs \/tmp \\\n  --bind \"$PWD\" \/work \\\n  --chdir \/work \\\n  python3 script.py\n<\/code><\/pre>\n\n\n\n<p>The current directory is bound at <code>\/work<\/code> and made the working directory; without that bind, <code>script.py<\/code> does not exist inside the sandbox and bwrap starts the program in <code>\/<\/code>. <code>--dev \/dev<\/code> provides the minimal device set (<code>null<\/code>, <code>zero<\/code>, <code>random<\/code>, <code>urandom<\/code>, <code>tty<\/code>) that most runtimes expect.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">14. Network Isolation<\/h1>\n\n\n\n<p>Disable network:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--unshare-net\n<\/code><\/pre>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --unshare-net \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --proc \/proc \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>Now:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping google.com\n<\/code><\/pre>\n\n\n\n<p>Fails.<\/p>\n\n\n\n<p>Network blocked: the sandbox gets a new network namespace containing only a down loopback interface, so there is no route out and no DNS. The default runs the other way: without <code>--unshare-net<\/code> the sandbox shares the host network stack in full, including services on localhost and, on a cloud instance, the metadata endpoint. Network access in bwrap is all or nothing; per-host filtering has to come from outside, such as a proxy or firewall on the host.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">15. 
User Namespace Isolation<\/h1>\n\n\n\n<p>Run as fake root:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--unshare-user\n<\/code><\/pre>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --unshare-user \\\n  --uid 0 \\\n  --gid 0 \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --proc \/proc \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>Inside sandbox:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>id -u\n<\/code><\/pre>\n\n\n\n<p>Returns:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0\n<\/code><\/pre>\n\n\n\n<p>But not real root. The user namespace maps uid 0 inside the sandbox to your own uid on the host: files you create in a bound directory are owned by you, and the process holds no capabilities over host resources. <code>cat \/proc\/self\/uid_map<\/code> shows the single-line mapping. (<code>whoami<\/code> would print an error here because <code>\/etc\/passwd<\/code> is not bound into the sandbox; <code>id -u<\/code> needs no lookup.)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">16. Running Build Tools Safely<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --bind ~\/project \/project \\\n  --chdir \/project \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --proc \/proc \\\n  --tmpfs \/tmp \\\n  make\n<\/code><\/pre>\n\n\n\n<p><code>--chdir \/project<\/code> matters: the host path <code>~\/project<\/code> does not exist inside the sandbox, so without it bwrap starts <code>make<\/code> in <code>\/<\/code> and it finds no Makefile.<\/p>\n\n\n\n<p>Good for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CI builds<\/li>\n\n\n\n<li>Package testing<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">17. Bubblewrap vs Docker<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>Bubblewrap<\/th><th>Docker<\/th><\/tr><\/thead><tbody><tr><td>Lightweight<\/td><td>Yes<\/td><td>No<\/td><\/tr><tr><td>Daemon<\/td><td>No<\/td><td>Yes<\/td><\/tr><tr><td>Full container (images, layers, networking)<\/td><td>No<\/td><td>Yes<\/td><\/tr><tr><td>Startup speed<\/td><td>Fast (milliseconds)<\/td><td>Slower (daemon round trip, image setup)<\/td><\/tr><tr><td>Isolation<\/td><td>Namespaces and capability drop; seccomp only if you supply a filter<\/td><td>Namespaces, capability drop and a default seccomp profile<\/td><\/tr><tr><td>Use case<\/td><td>Sandbox one command<\/td><td>Container runtime<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. 
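Checking the Isolation from Inside<\/h1>\n\n\n\n<p>The sections above say what <code>--unshare-user<\/code>, <code>--unshare-net<\/code> and the bind mounts should achieve. The script below, an added example written for this guide and not code from the Bubblewrap project or from Codex, lets you verify it: run it on the host, then inside a sandbox, and compare. It reads only files any unprivileged process can read (<code>\/proc\/self\/uid_map<\/code>, <code>\/proc\/self\/status<\/code>, <code>\/proc\/net\/dev<\/code>), so it also shows exactly what a hostile build step would learn. The function names <code>probe_report<\/code> and <code>assess_isolation<\/code>, the PID threshold and the credential directory list are this script&#8217;s own assumptions.<\/p>\n

```sh
#!/bin/sh
# sandbox-probe.sh: run the same script on the host and inside bwrap to see
# what a process can learn about its surroundings, then grade the result.
# Added example for this guide; not part of Bubblewrap or Codex.
set -eu

# Gather facts as key=value lines. Everything read here is available to any
# unprivileged process, so it is exactly what a malicious build step sees.
probe_report() {
    # Host identity map is "0 0 4294967295"; inside a user namespace bwrap
    # maps a single id, e.g. "0 1000 1" for --uid 0 or "1000 1000 1" without.
    uid_map=$(awk 'NR == 1 {print $1, $2, $3}' /proc/self/uid_map)
    # Effective capability mask; bwrap drops every capability before exec.
    cap_eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    # 0 = no seccomp filter (bwrap installs one only with --seccomp), 2 = filter.
    seccomp=$(awk '/^Seccomp:/ {print $2}' /proc/self/status)
    # Interface names, comma-terminated; after --unshare-net only "lo," remains.
    ifaces=$(awk -F: 'NR > 2 {gsub(/ /, "", $1); print $1}' /proc/net/dev | tr '\n' ',')
    # Number of visible PIDs; a private PID namespace shows a handful.
    pids=$(ls /proc | grep -c '^[0-9]')
    # Credential directories that must never be reachable from a sandbox.
    secrets=0
    for p in /root/.ssh /home/*/.ssh /home/*/.aws /home/*/.kube; do
        if [ -e "$p" ]; then secrets=$((secrets + 1)); fi
    done
    printf 'uid_map=%s\ncap_eff=%s\nseccomp=%s\nifaces=%s\npids=%s\nsecrets=%s\n' \
        "$uid_map" "$cap_eff" "$seccomp" "$ifaces" "$pids" "$secrets"
}

# Read a report on stdin, print one PASS/FAIL/WARN line per check and return
# the number of FAILs, so "probe_report | assess_isolation" exits 0 only when
# the sandbox matches the hardening pattern from section 21.
assess_isolation() {
    fails=0
    while IFS='=' read -r key value; do
        ok=1
        case $key in
            uid_map) name="user namespace";           [ "$value" != "0 0 4294967295" ] || ok=0 ;;
            cap_eff) name="all capabilities dropped"; [ "$value" = 0000000000000000 ] || ok=0 ;;
            ifaces)  name="network unshared";         [ "$value" = "lo," ] || ok=0 ;;
            pids)    name="private PID namespace";    [ "$value" -lt 50 ] 2>/dev/null || ok=0 ;;
            secrets) name="no host credentials";      [ "$value" = 0 ] || ok=0 ;;
            seccomp)
                # Informational only: plain bwrap never sets this.
                if [ "$value" = 2 ]; then
                    printf 'PASS seccomp filter (seccomp=%s)\n' "$value"
                else
                    printf 'WARN no seccomp filter (seccomp=%s); consider --seccomp\n' "$value"
                fi
                continue ;;
            *) continue ;;
        esac
        if [ "$ok" = 1 ]; then
            printf 'PASS %s (%s=%s)\n' "$name" "$key" "$value"
        else
            printf 'FAIL %s (%s=%s)\n' "$name" "$key" "$value"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: ./sandbox-probe.sh probe   (raw report)
#        ./sandbox-probe.sh check   (graded report; exit status = number of FAILs)
case "${1:-}" in
    probe) probe_report ;;
    check) probe_report | assess_isolation ;;
esac
```

<p>Inside a sandbox built like the advanced example in section 23 the verdict is five PASS lines plus a WARN for seccomp and an exit status of 0; on the host you get FAIL for the user namespace, capabilities, network and PID count (and for credentials, if any of the listed directories exist) and a matching non-zero exit status. To run it inside bwrap, bind the script read-only (for example <code>--ro-bind \"$PWD\/sandbox-probe.sh\" \/probe.sh<\/code>) and start <code>\/bin\/sh \/probe.sh check<\/code> as the command.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. 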
Bubblewrap vs chroot<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>Bubblewrap<\/th><th>chroot<\/th><\/tr><\/thead><tbody><tr><td>Security<\/td><td>Strong<\/td><td>Weak<\/td><\/tr><tr><td>Namespace support<\/td><td>Yes<\/td><td>No<\/td><\/tr><tr><td>Process isolation<\/td><td>Yes<\/td><td>No<\/td><\/tr><tr><td>Modern usage<\/td><td>Yes<\/td><td>Legacy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><code>chroot<\/code> only changes the apparent root directory: it needs root to set up, a root process can escape it, and the process keeps the host&#8217;s PID, network and user view. Bubblewrap uses a namespace for each of those and drops capabilities, which is also why unprivileged users can run it at all.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">19. Real-World Use Cases<\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Code Execution<\/h2>\n\n\n\n<p>Used by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Online code runners<\/li>\n\n\n\n<li>AI code tools<\/li>\n\n\n\n<li>Build systems<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">CI\/CD Isolation<\/h2>\n\n\n\n<p>Example pipeline:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GitHub Actions \u2192 bwrap \u2192 build \u2192 destroy\n<\/code><\/pre>\n\n\n\n<p>Prevents system pollution: the build can only write to its project directory and a throwaway <code>\/tmp<\/code>, so a compromised dependency cannot modify the runner, other jobs&#8217; checkouts or cached credentials.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Malware Analysis<\/h2>\n\n\n\n<p>Run suspicious binaries with limited reach. Keep the limits in mind: the sandboxed process still talks directly to the host kernel, bwrap adds no seccomp filter unless you pass one, and a kernel exploit escapes it. For samples you assume to be hostile, use a disposable virtual machine; use bwrap to contain tools you mostly trust but do not want touching your home directory or network.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Developer Testing<\/h2>\n\n\n\n<p>Run untrusted packages, for example a <code>pip install<\/code> or <code>npm install<\/code> whose post-install scripts you have not read, without handing them your credentials.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">20. 
Troubleshooting Bubblewrap<\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: bwrap not found<\/h2>\n\n\n\n<p>Fix: install the distribution package from section 5, for example on Debian or Ubuntu:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install bubblewrap\n<\/code><\/pre>\n\n\n\n<p>There is no native bwrap on macOS; run it inside a Linux VM.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: Permission denied \/ No permissions to create new namespace<\/h2>\n\n\n\n<p>Unprivileged user namespaces are disabled on the host. On Debian kernels and older Ubuntu releases the switch is a sysctl:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sysctl kernel.unprivileged_userns_clone=1\n<\/code><\/pre>\n\n\n\n<p>On Ubuntu 23.10 and later the relevant setting is AppArmor&#8217;s <code>kernel.apparmor_restrict_unprivileged_userns<\/code>. When it is 1, only programs with an AppArmor profile that grants <code>userns<\/code> may create user namespaces: the distribution&#8217;s <code>bubblewrap<\/code> package ships such a profile, but a bwrap built from source or copied to another path is blocked until you add a profile for it or set the sysctl to 0. Also confirm that <code>\/proc\/sys\/user\/max_user_namespaces<\/code> is not 0.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: Cannot create namespace<\/h2>\n\n\n\n<p>Same root cause as above, not a missing package. Installing <code>uidmap<\/code> (the <code>newuidmap<\/code> and <code>newgidmap<\/code> helpers used by rootless Podman and Docker) does not help, because bwrap never calls them: it maps only your own uid and writes <code>\/proc\/self\/uid_map<\/code> itself. Check the kernel side first:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unshare -U true\n<\/code><\/pre>\n\n\n\n<p>If that fails, fix the sysctl or AppArmor setting above, or install the distribution&#8217;s setuid-root bwrap build.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: No such file or directory for a binary that exists<\/h2>\n\n\n\n<p>The program is dynamically linked and its loader or libraries are not inside the sandbox. Bind <code>\/lib<\/code> and <code>\/lib64<\/code> alongside <code>\/usr<\/code> (or, on a merged-\/usr system, recreate them with <code>--symlink usr\/lib \/lib --symlink usr\/lib64 \/lib64<\/code>).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">21. Security Best Practices<\/h1>\n\n\n\n<p>Always:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use read-only mounts for the toolchain (<code>--ro-bind \/usr \/usr<\/code>)<\/li>\n\n\n\n<li>Restrict writable directories to the project and a throwaway <code>--tmpfs \/tmp<\/code><\/li>\n\n\n\n<li>Start from <code>--unshare-all<\/code> and add back only <code>--share-net<\/code> when the job truly needs the network<\/li>\n\n\n\n<li>Never bind your home directory; <code>~\/.ssh<\/code>, <code>~\/.aws<\/code> and <code>~\/.kube<\/code> are exactly what an agent should not see<\/li>\n\n\n\n<li>Avoid exposing the root filesystem, even read-only<\/li>\n\n\n\n<li>Add <code>--die-with-parent<\/code> so the sandbox cannot outlive the tool that started it, and <code>--new-session<\/code> so it cannot inject keystrokes into your terminal through TIOCSTI<\/li>\n\n\n\n<li>Clear the environment (<code>--clearenv<\/code>) and set only the variables the job needs; tokens in <code>AWS_*<\/code> or <code>GITHUB_TOKEN<\/code> otherwise leak straight in<\/li>\n\n\n\n<li>Consider a seccomp filter (<code>--seccomp<\/code>) for long-lived or network-facing sandboxes; bwrap applies none by default<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Good pattern:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--unshare-all\n--ro-bind \/usr \/usr\n--bind \"$PROJECT\" \/work\n--tmpfs \/tmp\n--die-with-parent\n--new-session\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">22. 
Performance Considerations<\/h1>\n\n\n\n<p>Bubblewrap is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Very fast to start (a few milliseconds: one clone, a handful of mounts, then exec)<\/li>\n\n\n\n<li>Minimal overhead (no daemon, no image, no virtualization; the program runs at native speed)<\/li>\n\n\n\n<li>Faster than Docker for small tasks<\/li>\n<\/ul>\n\n\n\n<p>Ideal for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CLI tools<\/li>\n\n\n\n<li>Script execution<\/li>\n\n\n\n<li>Test environments<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">23. Advanced Example \u2014 Minimal Container<\/h1>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bwrap \\\n  --unshare-all \\\n  --die-with-parent \\\n  --new-session \\\n  --hostname sandbox \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --proc \/proc \\\n  --dev \/dev \\\n  --tmpfs \/tmp \\\n  \/bin\/bash\n<\/code><\/pre>\n\n\n\n<p>Creates:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Tiny container-like environment\n<\/code><\/pre>\n\n\n\n<p>with its own PID, network, IPC, UTS and user namespaces, a private <code>\/proc<\/code> and <code>\/dev<\/code>, and no writable path except <code>\/tmp<\/code>. <code>ps<\/code> inside shows only bash and itself; <code>hostname<\/code> prints <code>sandbox<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">24. Integration with DevOps Workflows<\/h1>\n\n\n\n<p>Useful for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Terraform testing<\/li>\n\n\n\n<li>Kubernetes scripts<\/li>\n\n\n\n<li>CI runners<\/li>\n\n\n\n<li>Secure build pipelines<\/li>\n<\/ul>\n\n\n\n<p>If you work with EKS, Terraform and CI\/CD, Bubblewrap is especially useful for:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>safe script execution\nIaC testing\nsandboxing builds\n<\/code><\/pre>\n\n\n\n<p>A typical case is rendering or linting infrastructure code on a freshly cloned repository, such as <code>helm template<\/code> or <code>terraform fmt -check<\/code>: the charts and modules it reads are third-party code, and with <code>--unshare-all<\/code> plus a single bound working directory they cannot reach your kubeconfig or AWS profile unless you bind those explicitly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">25. 
Example \u2014 Safe Script Runner<\/h1>\n\n\n\n<p>Create:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>safe-run.sh\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\nbwrap \\\n  --unshare-all \\\n  --die-with-parent \\\n  --new-session \\\n  --ro-bind \/usr \/usr \\\n  --ro-bind \/bin \/bin \\\n  --ro-bind \/lib \/lib \\\n  --ro-bind \/lib64 \/lib64 \\\n  --bind \"$PWD\" \/app \\\n  --chdir \/app \\\n  --tmpfs \/tmp \\\n  --proc \/proc \\\n  --dev \/dev \\\n  \/bin\/bash \/app\/script.sh\n<\/code><\/pre>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod +x safe-run.sh\n.\/safe-run.sh\n<\/code><\/pre>\n\n\n\n<p>The script can read and write the current directory (seen as <code>\/app<\/code>), scratch in <code>\/tmp<\/code>, and nothing else; it has no network and cannot see other processes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">26. Future of Bubblewrap<\/h1>\n\n\n\n<p>Bubblewrap continues to grow because:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lightweight security is needed<\/li>\n\n\n\n<li>Containers are heavy for small tasks<\/li>\n\n\n\n<li>Developer tooling requires sandboxing<\/li>\n<\/ul>\n\n\n\n<p>Used increasingly in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Desktop Linux<\/li>\n\n\n\n<li>DevOps tooling<\/li>\n\n\n\n<li>AI execution environments<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Final Summary<\/h1>\n\n\n\n<p>Bubblewrap is:<\/p>\n\n\n\n<p>\u2714 Lightweight<br>\u2714 Secure<br>\u2714 Fast<br>\u2714 Easy to integrate<br>\u2714 Used in modern developer tooling<\/p>\n\n\n\n<p>Best suited for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developers<\/li>\n\n\n\n<li>DevOps engineers<\/li>\n\n\n\n<li>Security engineers<\/li>\n\n\n\n<li>CI\/CD pipelines<\/li>\n\n\n\n<li>AI code execution tools<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">If you&#8217;re using Codex<\/h1>\n\n\n\n<p>Bubblewrap is exactly what:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Codex uses internally to sandbox code on Linux\n<\/code><\/pre>\n\n\n\n<p>So installing and understanding it is <strong>very valuable<\/strong> for your workflow.<\/p>\n\n\n\n<hr 
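class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Putting It Together: A Hardened Wrapper<\/h1>\n\n\n\n<p>The best practices in section 21 and the <code>safe-run.sh<\/code> runner in section 25 combine into one script that builds the whole <code>bwrap<\/code> policy in a function, so the policy can be printed and reviewed without running anything. This is an added example written for this guide, not code from the Bubblewrap project or from Codex. It assumes a merged-\/usr host (the <code>--symlink<\/code> options recreate <code>\/bin<\/code>, <code>\/sbin<\/code>, <code>\/lib<\/code> and <code>\/lib64<\/code> as links into <code>\/usr<\/code>; on an older split layout replace them with an <code>--ro-bind<\/code> of each directory), bwrap 0.5 or newer for <code>--ro-bind-try<\/code>, and that the project directory is the only host path the command may write. The function names <code>sandbox_args<\/code> and <code>run_sandboxed<\/code> and the fixed <code>\/work<\/code> mount point are this script&#8217;s own choices.<\/p>\n

```sh
#!/bin/sh
# safe-run.sh: least-privilege bwrap policy for running untrusted build or
# agent commands against one project directory.
# Added example for this guide; not part of Bubblewrap or Codex.
set -eu

# Print the bwrap argument list, one argument per line, so it can be
# inspected or diffed in review without executing anything.
#   $1  absolute path of the project directory (bound writable at /work)
#   $2  1 to keep the host network, 0 to cut it (default 0)
sandbox_args() {
    project=$1
    net=${2:-0}

    # Start from nothing: new user, PID, net, IPC, UTS and cgroup namespaces.
    # --die-with-parent: the sandbox dies with the tool that started it.
    # --new-session: no controlling terminal, so no TIOCSTI keystroke injection.
    printf '%s\n' --unshare-all --die-with-parent --new-session --hostname sandbox

    # Toolchain read-only. On a merged-/usr host /bin, /sbin, /lib and /lib64
    # are symlinks into /usr; recreate them so the dynamic loader is found.
    printf '%s\n' --ro-bind /usr /usr \
        --symlink usr/bin /bin --symlink usr/sbin /sbin \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64
    # Loader cache, Debian alternatives and the TLS trust store, if present.
    printf '%s\n' --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache \
        --ro-bind-try /etc/alternatives /etc/alternatives \
        --ro-bind-try /etc/ssl/certs /etc/ssl/certs

    # Private /proc for the new PID namespace, minimal /dev, throwaway /tmp.
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp

    # The only writable host path: the project, at a fixed location so build
    # scripts learn nothing about the real home directory layout.
    printf '%s\n' --bind "$project" /work --chdir /work

    # Network is opt-in; with it on, name resolution needs the resolver files.
    if [ "$net" = 1 ]; then
        printf '%s\n' --share-net \
            --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
            --ro-bind-try /etc/hosts /etc/hosts
    fi

    # Do not leak the caller's environment (AWS_*, GITHUB_TOKEN, proxies...).
    printf '%s\n' --clearenv \
        --setenv PATH /usr/bin:/bin \
        --setenv HOME /work \
        --setenv TERM "${TERM:-dumb}"
}

# run_sandboxed PROJECT_DIR NET COMMAND [ARGS...]
# Turns the printed policy back into an argument list and execs bwrap.
run_sandboxed() {
    project=$1
    net=$2
    shift 2
    [ -d "$project" ] || { echo "not a directory: $project" >&2; return 2; }
    # Split the policy on newlines only; paths may contain spaces.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(sandbox_args "$project" "$net") -- "$@"
    set +f
    IFS=$old_ifs
    exec bwrap "$@"
}

# Usage: ./safe-run.sh /path/to/project 0 make test
if [ "$#" -ge 3 ]; then
    run_sandboxed "$@"
fi
```

<p>Run it as <code>.\/safe-run.sh \/path\/to\/project 0 make test<\/code> for an offline build, or with <code>1<\/code> as the second argument when the job must reach the network. Because <code>sandbox_args<\/code> only prints, a CI job can diff its output against a committed policy and fail the build if someone quietly adds <code>--share-net<\/code> or a bind of <code>$HOME<\/code>. The <code>--clearenv<\/code> line is the one most often forgotten: without it every token in your environment rides into the sandbox.<\/p>\n\n\n\n<hr 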
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Here is a complete end-to-end tutorial blog on Bubblewrap (bwrap) designed for engineers, DevOps users, and security-focused developers (which fits [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2954","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=2954"}],"version-history":[{"count":1,"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2954\/revisions"}],"predecessor-version":[{"id":2955,"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2954\/revisions\/2955"}],"wp:attachment":[{"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=2954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aiopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=2954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ai
opsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=2954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}