Comments

• 

  over 1 year ago by dfaggioli | Reply

  Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.

  This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.

  For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197

  Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.

×
Edit Comment 6670
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container. This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration. For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197 Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.
 
×
Reply to dfaggioli
Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.
This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.
For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197
Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
 
• 

  over 1 year ago by nguyens | Reply

  Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.

  • 

    about 1 year ago by dfaggioli | Reply

    Mmm... Cool and interesting! Can I ask you which tricks?

    • 

      9 months ago by nguyens | Reply

      Sorry, I missed your reply... Didn't see or get any notification.

      Here is the command line to run the firefox container in a podman container:

      sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox

      All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.

    ×
    Edit Comment 7244
    # A First Level Header
    ## A Second Level Header
    
    Use one asterisk to *emphasize*
    
    Use two asterisks for **strong emphasis**
    
    * Use asterisks
    * for lists
    
    This is an [example link](http://example.com/)
    
    This is an ![example image](http://paste.opensuse.org/view/raw/68957446)
    
    This is a user link @hans
    
    This is a project link hw#some-cool-title
    
    More Complex Markdown Help
    Formatting Help
    • Edit
    • Preview
    Sorry, I missed your reply... Didn't see or get any notification. Here is the command line to run the firefox container in a podman container: sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.
     
    ×
    Reply to nguyens
    Sorry, I missed your reply... Didn't see or get any notification.
    Here is the command line to run the firefox container in a podman container:
    sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox
    All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.
    ---
    # A First Level Header
    ## A Second Level Header
    
    Use one asterisk to *emphasize*
    
    Use two asterisks for **strong emphasis**
    
    * Use asterisks
    * for lists
    
    This is an [example link](http://example.com/)
    
    This is an ![example image](http://paste.opensuse.org/view/raw/68957446)
    
    This is a user link @hans
    
    This is a project link hw#some-cool-title
    
    More Complex Markdown Help
    Formatting Help
    • Edit
    • Preview
     
  ×
  Edit Comment 7199
  # A First Level Header
  ## A Second Level Header
  
  Use one asterisk to *emphasize*
  
  Use two asterisks for **strong emphasis**
  
  * Use asterisks
  * for lists
  
  This is an [example link](http://example.com/)
  
  This is an ![example image](http://paste.opensuse.org/view/raw/68957446)
  
  This is a user link @hans
  
  This is a project link hw#some-cool-title
  
  More Complex Markdown Help
  Formatting Help
  • Edit
  • Preview
  Mmm... Cool and interesting! Can I ask you which tricks?
   
  ×
  Reply to dfaggioli
  Mmm... Cool and interesting! Can I ask you which tricks?
  ---
  # A First Level Header
  ## A Second Level Header
  
  Use one asterisk to *emphasize*
  
  Use two asterisks for **strong emphasis**
  
  * Use asterisks
  * for lists
  
  This is an [example link](http://example.com/)
  
  This is an ![example image](http://paste.opensuse.org/view/raw/68957446)
  
  This is a user link @hans
  
  This is a project link hw#some-cool-title
  
  More Complex Markdown Help
  Formatting Help
  • Edit
  • Preview
   
×
Edit Comment 6836
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.
 
×
Reply to nguyens
Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview