Run containerized, rootless applications with podman

Overview

Why?

  • restrict the scope of file-system access
  • run any application without root privileges
  • creates usable "Desktop applications" that integrate into your normal workflow
  • cut network access for applications that handle confidential data, to prevent accidental leakage
  • set memory and CPU limits for your applications
  • easy rollback with version pinning
  • works on Wayland

Installation:

Tested and verified:

  • Fedora 35
  • Ubuntu 21.10
  • Debian 11.3

Fedora 35

sudo dnf install python3-pip
pip install --user pyyaml
pip install --user jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
sudo semodule -i capps.pp
./capps.py -a firefox -d

Ubuntu 21.10

sudo apt install git python3 python3-pip podman
pip3 install jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a sandbox -d

Debian 11.3

sudo apt install git python3 python3-pip podman
pip3 install jinja2 pyyaml
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a spotify -d -s

Usage

capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run as defined in config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build list of provided apps
  -r, --run             run containers of all provided apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available container

Example container that gets created

podman run --rm -d --hostname firefox \
--name firefox-$RANDOM \
--cap-drop=ALL \
--read-only=true \
--read-only-tmpfs=false \
--systemd=false \
--userns=keep-id \
--security-opt=no-new-privileges \
--memory=2048mb \
--cap-add cap_sys_chroot \
--volume $HOME/Downloads/:/home/firefox/Downloads:rw \
--volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
--volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
localhost/firefox

Example config file for firefox

default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"
volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
  firefox:
    versioncmd: "firefox --version | awk \"'\"{print \\$3}\"'\""
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add:
        - "cap_sys_chroot"
      volume:
        - "$HOME/Downloads/:/home/firefox/Downloads:rw"
        - *sound
        - *wayland

list images

./capps.py -l
Available Containers in config:
firefox: 	Mem: 2048mb, 	Capabilities:  ['cap_sys_chroot'], 	cap-drop: ALL
Available images on host for firefox:
['localhost/firefox:latest', 'localhost/firefox:98.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1178 MB	 	3391 Minutes old.
['localhost/firefox:97.0.1']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1182 MB	 	26452 Minutes old.
['localhost/firefox:96.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1156 MB	 	96024 Minutes old.

get stats on started container

./capps.py -a firefox -s
NAME			MEM			  CPU	 READ/WRITE   PIDS
firefox-18685:	 232.1MB / 2.147GB / 10.81% 	 3.17% 	 -- / -- 57
firefox-18685:	 497.1MB / 2.147GB / 23.15% 	 2.24% 	 0B / 2.049MB 226

SELinux:

cat capps.te
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
semodule -i capps.pp
rm -rf capps.{pp,mod}
Comments
  • potential security problem

    The Python code uses string concatenation to build shell commands. This could lead to command injection attacks! As a rule of thumb, shell=True should be avoided when interfacing with the subprocess module. Pass the command tokens as a string array instead.

    opened by knrdl 4
  • Ubuntu 21.10 wrong pulse socket path

    When starting firefox on Ubuntu:

    ./capps.py -a firefox
    Error: statfs /run/user/pulse/native: no such file or directory

    Running the created command works and spawns a working firefox instance...

    bug 
    opened by mody5bundle 1
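As an added example (not part of the capps project), the following Python turns the firefox config shown above into the podman command line as a token list: PyYAML's safe_load resolves the anchors and the <<: merge, $VAR placeholders are expanded from an explicit mapping, and the result is meant for subprocess.run(argv) without shell=True, as the first issue suggests. Assumptions: the config text is a trimmed, constructed copy of the page's example; an unresolved variable is treated as an error rather than an empty string; UID is supplied from os.getuid() because bash sets it but does not export it.

```python
import os
import re
import yaml  # pip install pyyaml

# Constructed input: trimmed copy of the README's firefox config, same anchor/merge layout.
CONFIG_YAML = """
default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  security-opt: "no-new-privileges"
volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
container:
  firefox:
    repo: "localhost"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add: ["cap_sys_chroot"]
      volume: ["$HOME/Downloads/:/home/firefox/Downloads:rw", *sound]
"""

def load_config(text=CONFIG_YAML):
    return yaml.safe_load(text)  # safe_load still resolves anchors and the << merge key

def expand(value, env):
    """Expand $VAR/${VAR} from env; an unknown name raises instead of becoming ''."""
    def sub(m):
        name = m.group(1) or m.group(2)
        if name not in env:
            raise KeyError(f"unresolved ${name} in {value!r}")
        return env[name]
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, value)

def build_argv(cfg, app, name, env=None):
    """Return podman argv as a token list (no shell parses it, so config values stay data)."""
    if env is None:  # bash sets UID but does not export it, so supply it ourselves
        env = {"UID": str(os.getuid()), **os.environ}
    spec = cfg["container"][app]
    argv = ["podman", "run", "--rm", "-d", "--hostname", app, "--name", name]
    for key, val in spec["permissions"].items():
        flag = f"--{key}"
        if isinstance(val, list):  # repeatable flags: cap-add, volume
            argv += [t for v in val for t in (flag, expand(str(v), env))]
        elif isinstance(val, bool):
            argv.append(f"{flag}={str(val).lower()}")
        else:
            argv.append(f"{flag}={expand(str(val), env)}")
    return argv + [f"{spec['repo']}/{app}"]
```

Run the result with subprocess.run(argv, check=True); the list form never invokes a shell, so a path or value from the YAML cannot be parsed as a second command.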