Run containerized, rootless applications with podman

Overview

Why?

  • restrict the scope of file system access
  • run any application without root privileges
  • creates usable "Desktop applications" that integrate into your normal workflow
  • cut network access for applications that handle confidential data, to prevent accidental leakage
  • set memory and CPU limits for your applications
  • easy rollback with version pinning
  • works on Wayland
  • gameplayerspecial

Installation:

Tested and verified:

  • Fedora 35
  • Ubuntu 21.10
  • Debian 11.3

Fedora 35

sudo dnf install python3-pip
pip install --user pyyaml
pip install --user jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
sudo semodule -i capps.pp
./capps.py -a firefox -d

Ubuntu 21.10

sudo apt install git python3 python3-pip podman
pip3 install jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a sandbox -d

Debian 11.3

sudo apt install git python3 python3-pip podman
pip3 install jinja2 pyyaml
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a spotify -d -s

Usage

capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run as defined in config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build list of provided apps
  -r, --run             run containers of all provided apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available container

Example container that gets created

podman run --rm -d --hostname firefox \
--name firefox-$RANDOM \
--cap-drop=ALL \
--read-only=true \
--read-only-tmpfs=false \
--systemd=false \
--userns=keep-id \
--security-opt=no-new-privileges \
--memory=2048mb \
--cap-add cap_sys_chroot \
--volume $HOME/Downloads/:/home/firefox/Downloads:rw \
--volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
--volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
localhost/firefox

Example config file for firefox

default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"
volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
  firefox:
    versioncmd: "firefox --version | awk \"'\"{print \\$3}\"'\""
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add:
        - "cap_sys_chroot"
      volume:
        - "$HOME/Downloads/:/home/firefox/Downloads:rw"
        - *sound
        - *wayland
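
The following is an added example, not code from the capps project: a small Python script that shows how the config above turns into the `podman run` command shown earlier, and then checks the rendered command against the hardening baseline the config encodes. The config is embedded as a hand-built Python dict that mirrors the YAML with its anchors resolved; `merge_permissions` replicates the `<<: *default_permissions` merge (defaults first, app-specific keys win, which is why `read-only-tmpfs` ends up `false` for firefox). The key-to-flag rendering rules and the `hardening_findings` check are assumptions made for this example, modelled on the README's example command rather than taken from capps.py.

```python
"""Render a podman argv from a capps-style config and lint it.

Added example; not part of the capps project. Rendering rules are inferred
from the README's example `podman run` line and are an assumption.
"""
import shlex

# Constructed: Python equivalent of the README's YAML (anchors resolved,
# the `<<` merge not yet applied).
DEFAULT_PERMISSIONS = {
    "cap-drop": "ALL",
    "read-only": True,
    "read-only-tmpfs": True,
    "systemd": False,
    "userns": "keep-id",
    "security-opt": "no-new-privileges",
}

FIREFOX = {
    "repo": "localhost",
    "permissions": {
        "memory": "2048mb",            # unit spelling as in the README
        "read-only-tmpfs": False,      # overrides the merged default
        "cap-add": ["cap_sys_chroot"],
        "volume": [
            "$HOME/Downloads/:/home/firefox/Downloads:rw",
            "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro",
            "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro",
        ],
    },
}

# Constructed counter-example: an app config that drops most of the baseline.
LOOSE_APP = {
    "repo": "localhost",
    "permissions": {
        "memory": "1gb",
        "cap-add": ["cap_sys_admin"],
        "volume": ["/etc:/etc:rw"],
    },
}

LIST_KEYS = ("cap-add", "volume")          # repeated flags, one per item
BROAD_CAPS = {"cap_sys_admin", "cap_sys_ptrace", "cap_net_admin", "cap_dac_override"}


def merge_permissions(defaults, app_perms):
    """Replicate YAML `<<: *default_permissions`: defaults first, app keys win."""
    return {**defaults, **app_perms}


def render_args(name, app, defaults=DEFAULT_PERMISSIONS, suffix="1234"):
    """Build the podman argv; `suffix` stands in for the README's $RANDOM."""
    perms = merge_permissions(defaults, app["permissions"])
    args = ["podman", "run", "--rm", "-d", "--hostname", name,
            "--name", f"{name}-{suffix}"]
    for key, value in perms.items():
        if key in LIST_KEYS:
            for item in value:
                args += [f"--{key}", item]
        elif isinstance(value, bool):
            args.append(f"--{key}={'true' if value else 'false'}")
        else:
            args.append(f"--{key}={value}")
    args.append(f"{app['repo']}/{name}")
    return args


def command_line(args):
    """Shell-quoted form, for display only."""
    return shlex.join(args)


def hardening_findings(args):
    """Return deviations from the baseline encoded in default_permissions."""
    findings = []
    for required in ("--cap-drop=ALL", "--security-opt=no-new-privileges",
                     "--read-only=true"):
        if required not in args:
            findings.append(f"missing {required}")
    if not any(a.startswith("--memory=") for a in args):
        findings.append("no memory limit")
    for flag, value in zip(args, args[1:]):
        if flag == "--cap-add" and value.lower() in BROAD_CAPS:
            findings.append(f"broad capability added: {value}")
        if flag == "--volume":
            parts = value.split(":")
            mode = parts[2] if len(parts) > 2 else "rw"   # podman defaults to rw
            if "rw" in mode.split(",") and not parts[0].startswith("$HOME/"):
                findings.append(f"writable mount outside $HOME: {parts[0]}")
    return findings


if __name__ == "__main__":
    for name, app in (("firefox", FIREFOX), ("shell", LOOSE_APP)):
        argv = render_args(name, app, defaults=DEFAULT_PERMISSIONS if name == "firefox" else {})
        print(command_line(argv))
        print("  findings:", hardening_findings(argv) or "none")
```

Running it prints the firefox command with no findings, while the loose config reports the missing baseline flags, the broad capability and the writable `/etc` mount; the same check can be run over `podman inspect` output for containers already started.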

List images

./capps.py -l
Available Containers in config:
firefox: 	Mem: 2048mb, 	Capabilities:  ['cap_sys_chroot'], 	cap-drop: ALL
Available images on host for firefox:
['localhost/firefox:latest', 'localhost/firefox:98.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1178 MB	 	3391 Minutes old.
['localhost/firefox:97.0.1']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1182 MB	 	26452 Minutes old.
['localhost/firefox:96.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1156 MB	 	96024 Minutes old.

Get stats on a started container

./capps.py -a firefox -s
NAME			MEM			  CPU	 READ/WRITE   PIDS
firefox-18685:	 232.1MB / 2.147GB / 10.81% 	 3.17% 	 -- / -- 57
firefox-18685:	 497.1MB / 2.147GB / 23.15% 	 2.24% 	 0B / 2.049MB 226

SELinux:

cat capps.te
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
semodule -i capps.pp
rm -rf capps.{pp,mod}