by moody5bundle 1551 days ago
I am actually running a few of my daily applications, such as firefox, vscode, or spotify inside a podman container (rootless makes me feel a little safer). I built a small python script around it, which creates a desktop icon, tags the current version (so you can rollback), and updates the images after x amount of time. I'll clean it up and put it on github if someone is interested :)
3 comments

Isn’t this what Flatpaks are for? Idk if they use podman, but they do use similar sandboxing features.

Having a full blown container like this can be useful in some scenarios, but I think it’s overkill for general purpose apps.

I think they use bwrap as mentioned in a comment below. My use case is to restrict network access, for example. Or running multiple firefox instances in parallel (so they don't have the same parent process / cookies etc.). Or restricting memory to 2G per container. There were just a few things I wanted to do that didn't quite work with flatpak or snap.
Please do share! I would be interested in seeing it and doing something similar (and use podman for the same reason).
I will! Cleaning up now and going to publish it later on github. The main idea was a least privilege approach to running simple desktop applications independent from the host OS and being able to control filesystem/network access on a per app basis. (spotify on fedora without flatpak or rpm-fusion repos, not even sudo needed to install)
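The per-app limits the two comments above describe (no network, a 2G memory cap, separate profiles for parallel instances, a rollback tag before updating) can be expressed with plain rootless podman flags. The script below is an added example, not the commenter's capps script; it assumes a hypothetical image `localhost/<app>:latest` built from your own Dockerfile and an app that draws through a filesystem X11 socket under `/tmp/.X11-unix` (a Wayland app would need `$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` mounted instead).

```shell
#!/bin/sh
# Added example (not the capps project's code): launch a desktop app in a
# rootless podman container with per-app network, memory and filesystem limits.
# Assumptions (hypothetical): image localhost/<app>:latest exists locally and the
# app uses the filesystem X11 socket /tmp/.X11-unix/X0, not the abstract one.

# Print the podman arguments for one app, one per line so run_app can re-split
# them without breaking on spaces. $1=app, $2=image, $3=network mode, $4=memory.
# Defaults are the restrictive end: no network at all and a 2g cap.
sandbox_args() {
    app=$1; image=$2; net=${3:-none}; mem=${4:-2g}
    inst=${CAPPS_INSTANCE:-default}
    # A separate home per app and instance: two firefox instances started with
    # different CAPPS_INSTANCE values never share a profile or cookies.
    home="$HOME/.local/share/capps/$app/$inst"
    printf '%s\n' \
        run --rm --name "$app-$inst-$$" \
        --network "$net" \
        --memory "$mem" --pids-limit 512 \
        --cap-drop all --security-opt no-new-privileges \
        --userns keep-id \
        --read-only --tmpfs /tmp \
        -v "$home:/home/user:Z" -e HOME=/home/user \
        -v /tmp/.X11-unix:/tmp/.X11-unix:ro -e DISPLAY \
        "$image"
}

# Start the app. Arguments are split on newlines only (globbing disabled), so a
# home path containing spaces is passed to podman as a single argument.
run_app() {
    mkdir -p "$HOME/.local/share/capps/$1/${CAPPS_INSTANCE:-default}"
    set -f
    old_ifs=$IFS; IFS='
'
    set -- $(sandbox_args "$@")
    IFS=$old_ifs
    exec podman "$@"
}

# Rollback tag name: localhost/firefox:latest + 20240101-1200 becomes
# localhost/firefox:backup-20240101-1200 (the tag after the last colon is replaced).
rollback_tag_name() {
    echo "${1%:*}:backup-$2"
}

# Keep the currently pulled image under a dated tag before pulling a newer one,
# so a misbehaving update can be undone with `podman tag <backup> <image>`.
update_image() {
    image=$1
    backup=$(rollback_tag_name "$image" "$(date +%Y%m%d-%H%M%S)")
    podman tag "$image" "$backup" && podman pull "$image"
    echo "rollback with: podman tag $backup $image"
}

# Usage (hypothetical image names):
#   CAPPS_INSTANCE=work run_app firefox localhost/firefox:latest slirp4netns 2g
#   run_app spotify localhost/spotify:latest none 1g
#   update_image localhost/firefox:latest
```

`--network none` still lets the X11 socket work because it is a bind-mounted unix socket, not a network connection; the `--cap-drop all`, `--read-only` and `no-new-privileges` flags are what make this a least-privilege launch rather than just a separate filesystem. Whatever network mode you pick, the container's view is limited to the mounted home directory, so a compromised app cannot read the host's `~/.ssh` or other profiles.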
No real need for full Flatpak, Bubblewrap (bwrap) is intended to be a lightweight sandbox providing this out of the box, with Flatpak (and other stuff besides) building upon it. The Arch wiki has a nice introductory page: https://wiki.archlinux.org/title/Bubblewrap
Oh, didn't know about bwrap yet! If I understand the wiki page correctly, you still need to get those binaries to your pc. So that's why I went with plain and simple dockerfiles.
here you go: https://github.com/mody5bundle/capps please feel free to open issues and pull requests :)
Firejail is really nice...