- restrict scope of file system access
- run any application without root privileges
- create usable “Desktop applications” that integrate into your normal workflow
- cut network access for applications that work with confidential data to prevent accidental leakage
- set memory and CPU limits for your applications (disclaimer: CPU limits are not implemented yet)
- easy rollback with version pinning
- works on wayland
capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]
Start podman container apps.
options:
-h, --help show this help message and exit
-a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
List of applications to run as defined in config file
-c /path/to/config.yaml, --config /path/to/config.yaml
Path to config file (defaults to config.yaml)
-b, --build (re)build list of provided apps
-r, --run run containers of all provided apps (default)
-i, --install install as desktop application
-v, --verbose enable verbose log output
-s, --stats enable stats output
-d, --debug enable debug log output
-l, --list print available container
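# podman invocation for the firefox container, as shown on this page.
# The options are joined with line continuations so the listing runs as one
# command, and every expansion is quoted so a path containing whitespace
# cannot split a --volume argument.
#
# Hardening visible here:
#   - all capabilities are dropped; cap_sys_chroot is the only one added back
#     (presumably for the browser's own sandbox -- confirm before removing it)
#   - the root filesystem is read-only and no-new-privileges is set
#   - ~/Downloads is the only host path mounted read-write
#
# Caveats to keep in mind when reviewing the profile:
#   - ":ro" on the PulseAudio and Wayland sockets only makes the mount
#     read-only; it does not restrict what a client can do once it connects
#     to the socket.
#   - no --network option is passed, so the container keeps podman's default
#     networking; an app that handles confidential data needs an explicit
#     network restriction.
#   - --read-only-tmpfs=false turns off the writable tmpfs mounts podman
#     otherwise adds to a read-only container.
podman run --rm -d --hostname firefox \
  --name "firefox-$RANDOM" \
  --cap-drop=ALL \
  --read-only=true \
  --read-only-tmpfs=false \
  --systemd=false \
  --userns=keep-id \
  --security-opt=no-new-privileges \
  --memory=2048mb \
  --cap-add cap_sys_chroot \
  --volume "$HOME/Downloads/:/home/firefox/Downloads:rw" \
  --volume "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro" \
  --volume "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro" \
  localhost/firefox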
# Baseline container options, published under the `default_permissions`
# anchor so they can be reused elsewhere in the config.
# NOTE(review): indentation was lost in this listing. The keys from cap-drop
# to security-opt presumably nest under default_permissions, and whether
# `volumes` is nested or top-level cannot be told from here -- confirm against
# the real config.yaml before copying.
default_permissions: &default_permissions
# Drop every Linux capability by default; anything an app needs back has to
# be added explicitly (the firefox command above adds cap_sys_chroot).
cap-drop: ALL
# Read-only root filesystem inside the container.
read-only: true
# Keep podman's writable tmpfs mounts in a read-only container. The firefox
# command above passes --read-only-tmpfs=false, so this default is evidently
# overridable per app.
read-only-tmpfs: true
systemd: false
# Map the invoking user's UID/GID into the container unchanged.
userns: keep-id
# Processes in the container cannot gain privileges via setuid/setgid
# binaries or file capabilities.
security-opt: "no-new-privileges"
# Reusable bind mounts, each behind its own anchor (&sound, &wayland, &x11).
# The ":ro" suffix makes the mount itself read-only; it does not limit what a
# client may do after connecting to the socket, so granting one of these
# still grants full client access to the service behind it.
volumes:
# PulseAudio native socket. Depending on the sound server's policy, client
# access can cover audio capture as well as playback.
- &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
# Wayland compositor socket, re-exposed under /tmp inside the container.
- &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
# X11 socket directory. X11 does not isolate clients on the same display
# from one another, so prefer &wayland for apps that handle confidential
# data.
- &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
firefox:
versioncmd: "firefox --version | awk "'"{print \$3}"'""
repo: "localhost"
file: "firefox.dockerf