Show HN: GUI Capabilities in Podman on Wayland

  • restrict the scope of file system access to explicitly mounted paths
  • run any application without root privileges
  • creates usable "Desktop applications" to integrate into your normal workflow
  • cut network access for applications that work with confidential stuff, to prevent accidental leakage
  • set MEM and CPU boundaries for your applications (disclaimer: cpu limits not implemented yet)
  • easy rollback with version pinning
  • works on wayland

capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run, as defined in the config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build the listed apps
  -r, --run             run containers of all listed apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available containers

Generated podman run command for the firefox entry (all capabilities dropped, read-only root, user namespace mapped to the calling user, no privilege escalation, and only the Downloads directory plus the PulseAudio and Wayland sockets mounted in):

podman run --rm -d --hostname firefox \
  --name firefox-$RANDOM \
  --cap-drop=ALL \
  --read-only=true \
  --read-only-tmpfs=false \
  --systemd=false \
  --userns=keep-id \
  --security-opt=no-new-privileges \
  --memory=2048mb \
  --cap-add cap_sys_chroot \
  --volume $HOME/Downloads/:/home/firefox/Downloads:rw \
  --volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
  --volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
  localhost/firefox

Example config.yaml (the default permission set and the socket volumes are YAML anchors that app entries can reuse):

default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"
volumes:
  - &audio "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
  firefox:
    versioncmd: "firefox --version | awk '{print $3}'"
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
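The following is an added example, not the project's capps.py: it turns a config shaped like the one above into the `podman run` argv shown earlier, so the sandbox flags can be inspected before anything is launched. It also adds the two checks a practitioner would want: a volume guard that refuses to mount `/` or the whole home directory and insists that the Wayland/PulseAudio/X11 socket mounts stay `ro`, and explicit variable substitution, because `$UID` is a bash variable that is not exported to `os.environ` and would otherwise silently expand to an empty string. The `notes` app, the `network: none` permission key (podman's `--network=none`, which is how "cut network access" from the feature list maps to a flag) and the `suffix` parameter standing in for `$RANDOM` are assumptions for the example.

```python
"""Build a hardened `podman run` argv from a capps-style config.

Added example for this page, not the capps.py code from the project. It
assumes the config keys the page shows (permissions, volumes, repo) and adds
one hypothetical key, `network: none`, for apps that handle confidential
data.
"""
import os
import re
import shlex

# Constructed config mirroring the page's config.yaml, with the YAML anchors
# resolved into plain Python values. The "notes" app and the `network` key
# are hypothetical additions.
DEFAULT_PERMISSIONS = {
    "cap-drop": "ALL",
    "read-only": "true",
    "read-only-tmpfs": "true",
    "systemd": "false",
    "userns": "keep-id",
    "security-opt": "no-new-privileges",
}
VOLUMES = {
    "audio": "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro",
    "wayland": "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro",
    "x11": "/tmp/.X11-unix:/tmp/.X11-unix:ro",
}
CONFIG = {
    "firefox": {
        "repo": "localhost",
        "permissions": {**DEFAULT_PERMISSIONS,
                        "memory": "2048mb", "cap-add": "cap_sys_chroot"},
        "volumes": [VOLUMES["audio"], VOLUMES["wayland"],
                    "$HOME/Downloads/:/home/firefox/Downloads:rw"],
    },
    "notes": {  # hypothetical confidential app: no network, display only
        "repo": "localhost",
        "permissions": {**DEFAULT_PERMISSIONS,
                        "memory": "512mb", "network": "none"},
        "volumes": [VOLUMES["wayland"]],
    },
}


def expand(spec, env):
    """Substitute $VAR from an explicit mapping. $UID is a bash variable that
    is not exported to os.environ, so the caller supplies it (os.getuid());
    an unset variable is an error instead of silently becoming ''."""
    def sub(m):
        name = m.group(1)
        if name not in env:
            raise KeyError(f"unset variable ${name} in volume spec {spec!r}")
        return env[name]
    return re.sub(r"\$(\w+)", sub, spec)


def _under(path, root):
    return os.path.commonpath([path, root]) == root


def check_volume(spec, env):
    """Refuse mounts that undo the file-system restriction: the whole home
    directory or /, and any writable mount of a display/audio socket."""
    src, dst, *rest = expand(spec, env).split(":")
    mode = rest[0] if rest else "rw"          # podman's default mode is rw
    src_norm = os.path.normpath(src)
    if src_norm in ("/", os.path.normpath(env["HOME"])):
        raise ValueError(f"refusing to mount {src_norm} into the container")
    socket_dirs = (os.path.normpath(env["XDG_RUNTIME_DIR"]), "/tmp/.X11-unix")
    if any(_under(src_norm, d) for d in socket_dirs) and mode != "ro":
        raise ValueError(f"socket mount {src_norm} must be ro, got {mode}")
    return f"{src}:{dst}:{mode}"


def podman_run_argv(app, cfg, env, suffix):
    """Return the argv list for one app; `suffix` replaces $RANDOM in the
    container name so runs are reproducible in tests."""
    c = cfg[app]
    argv = ["podman", "run", "--rm", "-d",
            "--hostname", app, "--name", f"{app}-{suffix}"]
    for key, val in c["permissions"].items():
        if key == "cap-add":                  # the page passes this as a separate arg
            argv += ["--cap-add", val]
        else:
            argv.append(f"--{key}={val}")
    for spec in c.get("volumes", []):
        argv += ["--volume", check_volume(spec, env)]
    argv.append(f"{c['repo']}/{app}")
    return argv


if __name__ == "__main__":
    env = {"HOME": os.environ.get("HOME", "/root"),
           "UID": str(os.getuid()),
           "XDG_RUNTIME_DIR": os.environ.get("XDG_RUNTIME_DIR", "/run/user/0"),
           "WAYLAND_DISPLAY": os.environ.get("WAYLAND_DISPLAY", "wayland-0")}
    for app in CONFIG:
        print(shlex.join(podman_run_argv(app, CONFIG, env, os.getpid())))
```

Running the script prints one shell-quoted command line per app; pipe it into `sh` only after reading it. Keeping the socket mounts `ro` is enough for Wayland and PulseAudio clients, since connecting to a unix socket does not require the mount to be writable.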
   

Written by Charlie Layers