Skip to content

docketeer-bubblewrap

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

docketeer-bubblewrap

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
src/docketeer_bubblewrap
src/docketeer_bubblewrap
 
 
tests
tests
 
 
AGENTS.md
AGENTS.md
 
 
CLAUDE.md
CLAUDE.md
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 

README.md

docketeer-bubblewrap

Sandboxed command execution for Docketeer using bubblewrap (bwrap).

This plugin provides a CommandExecutor implementation that runs external programs inside a lightweight Linux sandbox using unprivileged user namespaces. Each process gets its own PID, UTS, IPC, and cgroup namespaces, and network access is denied by default. The --die-with-parent flag ensures sandboxed processes are cleaned up if the parent exits.

Requirements

  • Linux with unprivileged user namespaces enabled
  • bwrap on PATH (install via your distro's bubblewrap package)

How it works

The executor builds a minimal filesystem view inside the sandbox:

  • Read-only binds for system directories (/usr, /bin, /lib, /etc/ssl, etc.)
  • /proc, /dev, and a tmpfs /tmp
  • User-specified mounts (read-only or writable)
  • Optional network access via --share-net