Run containerized, rootless applications with podman

Overview

Why?

  • restrict scope of file system access
  • run any application without root privileges
  • creates usable "Desktop applications" to integrate into your normal workflow
  • cut network access for applications that work with confidential stuff to prevent accidental leakage
  • set MEM and CPU boundaries for your applications
  • easy rollback with version pinning
  • works on wayland
  • gameplayerspecial

Installation:

Tested and verified:

  • Fedora 35
  • Ubuntu 21.10
  • Debian 11.3

Fedora 35

sudo dnf install python3-pip
pip install --user pyyaml
pip install --user jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
sudo semodule -i capps.pp
./capps.py -a firefox -d

Ubuntu 21.10

sudo apt install git python3 python3-pip podman
pip3 install jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a sandbox -d

Debian 11.3

sudo apt install git python3 python3-pip podman
pip3 install jinja2 pyyaml
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a spotify -d -s

Usage

capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run as defined in config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build list of provided apps
  -r, --run             run containers of all provided apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available container

Example container that gets Created

podman run --rm -d --hostname firefox \
--name firefox-$RANDOM \
--cap-drop=ALL \
--read-only=true \
--read-only-tmpfs=false \
--systemd=false \
--userns=keep-id \
--security-opt=no-new-privileges \
--memory=2048mb \
--cap-add cap_sys_chroot \
--volume $HOME/Downloads/:/home/firefox/Downloads:rw \
--volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
--volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
localhost/firefox

Example config file for firefox

default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"
volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
  firefox:
    versioncmd: "firefox --version | awk \"'\"{print \\$3}\"'\""
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add:
        - "cap_sys_chroot"
      volume:
        - "$HOME/Downloads/:/home/firefox/Downloads:rw"
        - *sound
        - *wayland

list images

./capps.py -l
Available Containers in config:
firefox: 	Mem: 2048mb, 	Capabilities:  ['cap_sys_chroot'], 	cap-drop: ALL
Available images on host for firefox:
['localhost/firefox:latest', 'localhost/firefox:98.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1178 MB	 	3391 Minutes old.
['localhost/firefox:97.0.1']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1182 MB	 	26452 Minutes old.
['localhost/firefox:96.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1156 MB	 	96024 Minutes old.

get stats on started container

./capps.py -a firefox -s
NAME			MEM			  CPU	 READ/WRITE   PIDS
firefox-18685:	 232.1MB / 2.147GB / 10.81% 	 3.17% 	 -- / -- 57
firefox-18685:	 497.1MB / 2.147GB / 23.15% 	 2.24% 	 0B / 2.049MB 226

Selinux:

cat capps.te
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
semodule -i capps.pp
rm -rf capps.{pp,mod}
Deep Hedging Demo - An Example of Using Machine Learning for Derivative Pricing.

Deep Hedging Demo Pricing Derivatives using Machine Learning 1) Jupyter version: Run ./colab/deep_hedging_colab.ipynb on Colab. 2) Gui version: Run py

Yu Man Tam 102 Jan 06, 2023
Bootstrapped Representation Learning on Graphs

Bootstrapped Representation Learning on Graphs This is the PyTorch implementation of BGRL Bootstrapped Representation Learning on Graphs The main scri

NerDS Lab :: Neural Data Science Lab 55 Jan 07, 2023
Who calls the shots? Rethinking Few-Shot Learning for Audio (WASPAA 2021)

rethink-audio-fsl This repo contains the source code for the paper "Who calls the shots? Rethinking Few-Shot Learning for Audio." (WASPAA 2021) Table

Yu Wang 34 Dec 24, 2022
codes for "Scheduled Sampling Based on Decoding Steps for Neural Machine Translation" (long paper of EMNLP-2022)

Scheduled Sampling Based on Decoding Steps for Neural Machine Translation (EMNLP-2021 main conference) Contents Overview Background Quick to Use Furth

Adaxry 13 Jul 25, 2022
Namish Khanna 40 Oct 11, 2022
Source code for 2021 ICCV paper "In-the-Wild Single Camera 3D Reconstruction Through Moving Water Surfaces"

In-the-Wild Single Camera 3D Reconstruction Through Moving Water Surfaces This is the PyTorch implementation for 2021 ICCV paper "In-the-Wild Single C

27 Dec 06, 2022
GalaXC: Graph Neural Networks with Labelwise Attention for Extreme Classification

GalaXC GalaXC: Graph Neural Networks with Labelwise Attention for Extreme Classification @InProceedings{Saini21, author = {Saini, D. and Jain,

Extreme Classification 28 Dec 05, 2022
Official implementation of Rich Semantics Improve Few-Shot Learning (BMVC, 2021)

Rich Semantics Improve Few-Shot Learning Paper Link Abstract : Human learning benefits from multi-modal inputs that often appear as rich semantics (e.

Mohamed Afham 11 Jul 26, 2022
This is the repository for Learning to Generate Piano Music With Sustain Pedals

SusPedal-Gen This is the official repository of Learning to Generate Piano Music With Sustain Pedals Demo Page Dataset The dataset used in this projec

Joann Ching 12 Sep 02, 2022
Code to generate datasets used in "How Useful is Self-Supervised Pretraining for Visual Tasks?"

Synthetic dataset rendering Framework for producing the synthetic datasets used in: How Useful is Self-Supervised Pretraining for Visual Tasks? Alejan

Princeton Vision & Learning Lab 21 Apr 29, 2022
NAS-Bench-x11 and the Power of Learning Curves

NAS-Bench-x11 NAS-Bench-x11 and the Power of Learning Curves Shen Yan, Colin White, Yash Savani, Frank Hutter. NeurIPS 2021. Surrogate NAS benchmarks

AutoML-Freiburg-Hannover 13 Nov 18, 2022
Final project code: Implementing BicycleGAN, for CIS680 FA21 at University of Pennsylvania

680 Final Project: BicycleGAN Haoran Tang Instructions 1. Training To train the network, please run train.py. Change hyper-parameters and folder paths

Haoran Tang 0 Apr 22, 2022
The official github repository for Towards Continual Knowledge Learning of Language Models

Towards Continual Knowledge Learning of Language Models This is the official github repository for Towards Continual Knowledge Learning of Language Mo

Joel Jang | 장요엘 65 Jan 07, 2023
Supplementary code for TISMIR paper "Sliding-Window Pitch-Class Histograms as a Means of Modeling Musical Form"

Sliding-Window Pitch-Class Histograms as a Means of Modeling Musical Form This is supplementary code for the TISMIR paper Sliding-Window Pitch-Class H

1 Nov 27, 2021
A task-agnostic vision-language architecture as a step towards General Purpose Vision

Towards General Purpose Vision Systems By Tanmay Gupta, Amita Kamath, Aniruddha Kembhavi, and Derek Hoiem Overview Welcome to the official code base f

AI2 79 Dec 23, 2022
Auxiliary Raw Net (ARawNet) is a ASVSpoof detection model taking both raw waveform and handcrafted features as inputs, to balance the trade-off between performance and model complexity.

Overview This repository is an implementation of the Auxiliary Raw Net (ARawNet), which is ASVSpoof detection system taking both raw waveform and hand

6 Jul 08, 2022
[AAAI-2021] Visual Boundary Knowledge Translation for Foreground Segmentation

Trans-Net Code for (Visual Boundary Knowledge Translation for Foreground Segmentation, AAAI2021). [https://ojs.aaai.org/index.php/AAAI/article/view/16

ZJU-VIPA 2 Mar 04, 2022
ICNet for Real-Time Semantic Segmentation on High-Resolution Images, ECCV2018

ICNet for Real-Time Semantic Segmentation on High-Resolution Images by Hengshuang Zhao, Xiaojuan Qi, Xiaoyong Shen, Jianping Shi, Jiaya Jia, details a

Hengshuang Zhao 594 Dec 31, 2022
Let Python optimize the best stop loss and take profits for your TradingView strategy.

TradingView Machine Learning TradeView is a free and open source Trading View bot written in Python. It is designed to support all major exchanges. It

Robert Roman 473 Jan 09, 2023
Bi-level feature alignment for versatile image translation and manipulation (Under submission of TPAMI)

Bi-level feature alignment for versatile image translation and manipulation (Under submission of TPAMI) Preparation Clone the Synchronized-BatchNorm-P

Fangneng Zhan 12 Aug 10, 2022