30 open-source projects similar to projectatomic/bubblewrap, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Bubblewrap alternative.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It functions as a process isolation engine that prevents potentially harmful code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups, to partition system resources and enforce hardware usage boundaries. By applying filesystem virtualization and system call filtering, it restricts the visibility and interaction of a process with the host, ensuring that untrusted applications operate only wit
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Flatpak is a sandboxed application framework and standardized packaging format for Linux desktop applications. It functions as a distribution system that allows a single application bundle to run consistently across multiple Linux operating systems without requiring per-distribution builds. The project provides a runtime dependency manager that bundles specific library versions or shared runtimes to create predictable execution environments. It includes a sandbox permission manager to control application access to system hardware and resources, ensuring security and consistent behavior betwee
x11docker is an OCI container GUI orchestrator and hardware bridge designed to execute graphical applications and full desktop environments inside containers. It functions as a Linux GUI sandbox, linking containerized processes to host X11 or Wayland display servers and audio systems. The project differentiates itself by providing deep system integration for hardware acceleration, including NVIDIA driver automation and GPU passthrough. It supports cross-architecture GUI emulation and provides remote access capabilities through VNC, SSH forwarding, and browser-based HTML5 rendering. The tool
LXC is an OS-level virtualization framework and Linux container manager used to run multiple isolated Linux systems on a single host. It functions as a kernel namespace orchestrator and unprivileged container runtime, allowing for the creation and management of system containers without the overhead of a hypervisor. The project provides unprivileged container execution by mapping container root users to unprivileged host users to prevent host system access. It ensures security through system call filtering and root user isolation, enabling containers to run without requiring host root privile
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
crun is a low-level container runtime that implements the Open Container Initiative specification for managing the lifecycle of isolated processes. It provides the core mechanisms for container creation, execution, and deletion, ensuring compatibility across platforms through standardized lifecycle management. The project distinguishes itself by offering a shared C library that allows container runtime operations to be embedded directly into other compiled applications. It further extends execution capabilities through specialized handlers that enable the deployment of containers within isola
Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a containerized sandbox that isolates processes from the host operating system, ensuring that arbitrary scripts can be run without granting them unauthorized access to sensitive data or critical system resources. The project distinguishes itself through a multi-layered security approach that combines kernel-level isolation with strict resource management. By utilizing Linux namespaces and container-based process isolation, it partitions system resources to maintain visibility bo
Chromium is an open-source browser platform that provides the foundational codebase for building cross-platform web browsers. At its core, it functions as a web browser engine that interprets standard web technologies to render interactive content and manage the complex lifecycle of web page navigation. The project utilizes a multi-process architecture that separates the browser interface from rendering engines into distinct operating system processes. This design ensures application stability by preventing a single tab crash from affecting the entire browser. Security is maintained through s
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
This project is an OS-level process sandbox and cross-platform security wrapper for Linux and macOS. It is designed to isolate arbitrary processes from the host machine by restricting filesystem and network access without the use of full containerization. The system functions as a system-call interceptor and access controller, blocking unauthorized operating system calls based on predefined security policies. It employs allowlists and denylists to manage resource requests and monitors for security violations in real time. Capability areas include filesystem access management using glob-patte
Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per
Toolbox is a development workspace orchestrator and container environment manager that bootstraps mutable toolsets and SDKs inside containers. It functions as a Linux distribution sandbox and a host-integrated container runtime, allowing users to run native package managers and software without modifying the host operating system. The project differentiates itself by bridging isolated containers with the host system through the mapping of user identities, network sockets, and home directories. It utilizes a daemonless engine to provide these environments while ensuring that system configurati
Daytona is a cloud-native development environment platform designed to orchestrate ephemeral, containerized workspaces. It provides a centralized system for managing reproducible coding environments as code, ensuring consistency across distributed teams by abstracting the underlying infrastructure. By utilizing declarative configuration, the platform automates the entire lifecycle of development sandboxes, from initial provisioning to resource governance. The platform distinguishes itself through its infrastructure-agnostic runner layer, which allows development environments to be deployed ac
E2B is a cloud-based infrastructure platform designed to provide secure, isolated execution environments for code and shell commands. It functions as an ephemeral orchestrator that provisions lightweight virtual machines, allowing developers and autonomous agents to run untrusted processes within a sandbox that is completely separated from the host system. The platform distinguishes itself through its focus on programmable, serverless workspaces that support the full lifecycle of cloud-based development. By utilizing hardware-level isolation and snapshot-based resumption, it enables the near-
This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes. The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers. The co
rusty_v8 is a Rust wrapper for the V8 JavaScript engine that allows for the embedding of a JavaScript runtime into native applications. It provides core components for managing engine bindings, memory allocation, sandboxed isolates, and the execution of WebAssembly modules. The project features a native host function bridge to map Rust functions to JavaScript objects and a dedicated memory allocator to manage thread-safe allocation and heap pressure. It includes a system for compiling and executing binary WebAssembly modules within the hosted native environment. The runtime covers capabiliti
Pandas AI is a data analysis library and natural language interface that uses large language models to perform conversational querying on structured datasets. It functions as a retrieval-augmented generation framework designed to translate plain text questions into executable code for extracting insights from dataframes and structured files. The system includes a dedicated sandbox execution environment that runs AI-generated analysis code within an isolated container to prevent security risks and system compromise. It employs a natural language translation layer and contextual retrieval to ma
CodeWhale is an AI coding agent orchestrator and development harness designed to coordinate autonomous agents that read, edit, and verify code. It provides a secure environment for AI agents to perform multi-step software engineering tasks, utilizing a sandboxed execution model to isolate shell commands and protect the host system. The system distinguishes itself by spawning multiple independent agents in parallel to handle separate investigation or implementation slices simultaneously. It employs a multi-model gateway to route requests across various cloud APIs and local servers, and utilize
Docker CE is an OCI-compliant container platform and runtime engine used for building and running applications within isolated environments. It functions as a Linux container orchestrator and provides a command-line interface to manage the entire lifecycle of running application instances. The platform enables containerized application deployment and cross-platform software distribution by packaging software with its dependencies. It supports microservices architecture management and the creation of reproducible local development environments. The system includes capabilities for application
img is a collection of toolsets for building, managing, and manipulating OCI-compliant container images. It functions as an image build tool and registry client, providing the capabilities to create images from configuration files, push and pull images to remote registries, and extract image layers into root filesystems or archives. The project distinguishes itself through support for multi-platform builds using hardware emulators and the ability to perform unprivileged container builds via namespace-based process isolation and user ID mapping. It also includes a cross-platform binary compile
Open-SWE is an asynchronous software engineering agent and orchestrator designed to automate end-to-end coding tasks and pull request reviews. It functions as a middleware framework that coordinates long-running AI operations across multiple subagents, utilizing state persistence and human-in-the-loop oversight to manage complex workflows. The system is distinguished by its use of isolated remote Linux sandboxes for secure code execution and shell command processing. It features a webhook-driven integration platform that triggers automated engineering tasks via mentions and events in GitHub,
LiveContainer is an iOS app container manager that runs applications in isolated sandboxes with separate data, keychain, and vendor identifiers, bypassing Apple's free developer account installation limits. It uses Just-In-Time compilation to launch unsigned apps without a developer certificate, and supports running multiple instances and versions of the same app simultaneously. The tool also injects custom dynamic libraries and framework tweaks at launch, applied globally or per application. Beyond basic containerization, LiveContainer provides advanced multitasking with resizable virtual or
CRIU is a Linux process checkpointing tool and state manager used to freeze running applications and save their memory and state to disk for later restoration. It functions as a container migration engine and an OCI checkpoint image converter, allowing the live state of running containers to be transferred between different hosts. The project distinguishes itself through its ability to persist network connectivity, acting as a TCP connection state persister that saves and reconstructs network socket states to maintain active communication after a restart. It further enables the distribution o
Try is a tool for managing ephemeral shell environments and running commands within an isolated sandbox. It utilizes OverlayFS and Linux namespaces to prevent processes from altering the live system, acting as both a command sandbox and a filesystem change auditor. The project allows users to capture file modifications in a temporary layer and inspect those changes before deciding to apply or dispose of them. It supports a workflow of auditing additions and modifications, then merging verified changes back into the host filesystem. The tool provides capabilities for interactive sandbox shell
Apache Mesos is a distributed systems kernel and cluster resource manager that abstracts CPU, memory, and storage across a pool of nodes. It functions as a distributed infrastructure orchestrator, providing a layer to run multiple orchestration frameworks on a shared set of physical or virtual machines. The system acts as a resource isolation engine, dividing a shared cluster into isolated containers to run diverse workloads concurrently. It enables multi-framework orchestration, allowing different distributed application frameworks to share a single infrastructure to maximize hardware utiliz
Youki is an OCI container runtime written in Rust. It implements the Open Container Initiative runtime specification to manage the lifecycle of containerized processes and ensure compatibility with standard container images and engines. The runtime is designed for memory safety and supports rootless container execution, allowing containers to run as non-root users to reduce security risks and limit privilege escalation. It provides core container management capabilities, including spawning and managing OCI containers. This is achieved through Linux namespace isolation, cgroup-based resource
This is an open-source, crowd-sourced wiki textbook that teaches Linux system programming in C. It covers the core operating system concepts of process management through the fork-exec-wait model, dynamic memory allocation using implicit free list heap allocators, inode-based file systems, inter-process communication via pipes and shared memory, POSIX threads with synchronization primitives, signal-based asynchronous notification, virtual memory with page table translation, and runtime diagnostics using Valgrind and GDB. The textbook distinguishes itself by providing practical, implementation