by photonthug 871 days ago
> Are "Random shell scripts from the internet" categorically worse than "random docker images from the internet"?

Yes, because inspection aside, at least with a docker invocation you can specify the volumes


https://github.com/containers/bubblewrap allows specifying volumes for scripts too
Docker is just a glorified cgroup plus wrappers. You can isolate any process like that, even a shell script.

chrooting the unknown script is being 90% there.
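Running an unknown script under bubblewrap with only the working directory writable, as an added example that is not from any commenter in this thread; it assumes bwrap is installed and a POSIX sh, and the script and directory paths are whatever the caller passes:

```shell
#!/bin/sh
# Added example, not from the thread: run an untrusted script under bubblewrap
# with the same "only my working directory is writable" exposure as
# docker run -v "$PWD:$PWD". Assumes bwrap is installed; script and workdir
# paths are whatever the caller passes. Usage: sandbox_run ./setup.sh "$PWD"

# Emit the bwrap argument list one per line so it can be reviewed and tested
# before anything runs. Host filesystem is read-only except $workdir, /tmp and
# /dev are sandbox-private, and --unshare-all also removes network access.
bwrap_args() {
    script="$1"
    workdir="$2"
    printf '%s\n' \
        --unshare-all --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --ro-bind-try /bin /bin --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 \
        --ro-bind-try /etc/alternatives /etc/alternatives \
        --proc /proc --dev /dev --tmpfs /tmp \
        --ro-bind "$script" /untrusted.sh \
        --bind "$workdir" "$workdir" --chdir "$workdir" \
        --clearenv --setenv HOME "$workdir" --setenv PATH /usr/local/bin:/usr/bin:/bin \
        -- /bin/sh /untrusted.sh
}

# Host paths mounted writable (--bind). Since /dev and /tmp are private,
# this list is the complete host write surface the script gets.
writable_binds() {
    bwrap_args "$1" "$2" | awk '$0 == "--bind" { getline; getline; print }'
}

# Validate inputs, then run bwrap with the reviewed argument list.
sandbox_run() {
    script="$1"
    workdir="${2:-$PWD}"
    case "$script" in /*) ;; *) script="$PWD/$script" ;; esac
    case "$workdir" in
        /*) ;;
        *) echo "workdir must be an absolute path: $workdir" >&2; return 2 ;;
    esac
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 2; }
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
    IFS='
'
    set -f
    set -- $(bwrap_args "$script" "$workdir")
    set +f
    unset IFS
    bwrap "$@"
}
```

Running writable_binds before sandbox_run is the quick check that nothing outside the chosen directory is exposed for writing.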

Does anyone in practical invocation specify the volumes?

Or would they wrap it in yet another shell script that calls docker with a set of options, or a compose file, etc?

This quickly turns into complexity stacked on complexity...

Yes I run:

sudo docker run -it -v (pwd):(pwd) my_dev_image

many times every day, to create a development environment in CWD. my_dev_image is a debian-based image with common developer utilities (pip, npm, common packages installed). I don't feel comfortable installing random packages from the internet on my host machine, so I use docker for everything.

> Does anyone in practical invocation specify the volumes?

First: yes, I have run docker with -v recently.

Second:

> Or would they wrap it in yet another shell script that calls docker with a set of options, or a compose file, etc?

> This quickly turns into complexity stacked on complexity...

I agree that it can get out of hand, but a Dockerfile, a compose file, and whatever is going inside the container can be an entirely reasonable set of files to have so long as you stick with that and are reasonable about what goes in each. Or, to put it differently, I think it's okay because they actually are a separation of concerns.