Project Description
This is a continuation of last year project: trying to move more components from MicroOS Desktop from the hostOS to container.
Goal for this Hackweek
- investigate issues in gdm container ( https://github.com/fcrozat/gdm-container ) when installed on bare system
- test flatpak builds on OBS
- test flatpak shipped as OCI container
- continue my quest to move more "desktop like" workload into containers, such as rclone / restic ( https://github.com/fcrozat/rclone-container )
Looking for hackers with the skills:
This project is part of:
Hack Week 21
Activity
Comments
-
over 3 years ago by fcrozat | Reply
State of the Art regarding Flatpak and OCI containers:
- Flatpak can be distributed two ways:
- as ostree directly
- as ostree but bundled into OCI containers
- For building flatpak as OCI:
- you need a local build stored as ostree (usually done using flatpak build)
- local ostree is bundled as OCI tarball using "flatpak build-bundle --oci" (option --runtime to create runtime flatpak)
- Fedora has created some tooling around this https://pagure.io/flatpak-module-tools but they are relying on Fedora Modularity
- additional Fedora documentation: https://docs.fedoraproject.org/en-US/flatpak/tutorial/
- caveat of using OCI for flatpak:
- download size when upgrading: https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ
- GPG signature not implemented for containers: https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351
- cosign not implemented
- currently, distributing flatpak using OCI registry requiring additional http(s) server to provide index of all flatpak available on the repository:
- this is why the uri used for those is oci+http or oci+https
- this customization doesn't make easy to publish flatpak on any random OCI registry
- this customization is badly documented (or at least, difficult to find online):
- some discussions were done at opencontainer level : https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1
- there is a blog post at https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/
- the protocol is https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md
- initial implementation at https://github.com/owtaylor/flagstate/
- production implementation for the indexer is https://github.com/owtaylor/flatpak-indexer but is RH infrastructure specific
- End results is visible at https://registry.fedoraproject.org/static/ (corresponding to oci+https://registry.fedoraproject.org/ )
- some people were able to "duplicate" this using github workflow : https://github.com/TheEvilSkeleton/flatpak-remote
- the static page part is at https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=
- As this requires custom development to get this working with our infrastructure, it makes no sense to invest supporting oci+https
- upstream has a issue opened to switch to "pure" OCI registry:
- https://github.com/flatpak/flatpak/issues/4744
- this is a new feature request upstream and it still at discussion phase. We should participate actively (contribute ideas or even code) if we want to switch to Flatpak over OCI
- On OCI front, there is not support for a search api (see https://github.com/distribution/distribution/issues/206 and https://github.com/opencontainers/distribution-spec/issues/71 ) but I might have missed some upstream discussions. We should ask our OCI specialists at SUSE. There was a proposal for a _catalog api but it was dropped https://github.com/opencontainers/distribution-spec/issues/22
- Flatpak can be distributed two ways:
-
Similar Projects
Help Create A Chat Control Resistant Turnkey Chatmail/Deltachat Relay Stack - Rootless Podman Compose, OpenSUSE BCI, Hardened, & SELinux by 3nd5h1771fy
Description
The Mission: Decentralized & Sovereign Messaging
FYI: If you have never heard of "Chatmail", you can visit their site here, but simply put it can be thought of as the underlying protocol/platform decentralized messengers like DeltaChat use for their communications. Do not confuse it with the honeypot looking non-opensource paid for prodect with better seo that directs you to chatmailsecure(dot)com
In an era of increasing centralized surveillance by unaccountable bad actors (aka BigTech), "Chat Control," and the erosion of digital privacy, the need for sovereign communication infrastructure is critical. Chatmail is a pioneering initiative that bridges the gap between classic email and modern instant messaging, offering metadata-minimized, end-to-end encrypted (E2EE) communication that is interoperable and open.
However, unless you are a seasoned sysadmin, the current recommended deployment method of a Chatmail relay is rigid, fragile, difficult to properly secure, and effectively takes over the entire host the "relay" is deployed on.
Why This Matters
A simple, host agnostic, reproducible deployment lowers the entry cost for anyone wanting to run a privacy‑preserving, decentralized messaging relay. In an era of perpetually resurrected chat‑control legislation threats, EU digital‑sovereignty drives, and many dangers of using big‑tech messaging platforms (Apple iMessage, WhatsApp, FB Messenger, Instagram, SMS, Google Messages, etc...) for any type of communication, providing an easy‑to‑use alternative empowers:
- Censorship resistance - No single entity controls the relay; operators can spin up new nodes quickly.
- Surveillance mitigation - End‑to‑end OpenPGP encryption ensures relay operators never see plaintext.
- Digital sovereignty - Communities can host their own infrastructure under local jurisdiction, aligning with national data‑policy goals.
By turning the Chatmail relay into a plug‑and‑play container stack, we enable broader adoption, foster a resilient messaging fabric, and give developers, activists, and hobbyists a concrete tool to defend privacy online.
Goals
As I indicated earlier, this project aims to drastically simplify the deployment of Chatmail relay. By converting this architecture into a portable, containerized stack using Podman and OpenSUSE base container images, we can allow anyone to deploy their own censorship-resistant, privacy-preserving communications node in minutes.
Our goal for Hack Week: package every component into containers built on openSUSE/MicroOS base images, initially orchestrated with a single container-compose.yml (podman-compose compatible). The stack will:
- Run on any host that supports Podman (including optimizations and enhancements for SELinux‑enabled systems).
- Allow network decoupling by refactoring configurations to move from file-system constrained Unix sockets to internal TCP networking, allowing containers achieve stricter isolation.
- Utilize Enhanced Security with SELinux by using purpose built utilities such as udica we can quickly generate custom SELinux policies for the container stack, ensuring strict confinement superior to standard/typical Docker deployments.
- Allow the use of bind or remote mounted volumes for shared data (
/var/vmail, DKIM keys, TLS certs, etc.). - Replace the local DNS server requirement with a remote DNS‑provider API for DKIM/TXT record publishing.
By delivering a turnkey, host agnostic, reproducible deployment, we lower the barrier for individuals and small communities to launch their own chatmail relays, fostering a decentralized, censorship‑resistant messaging ecosystem that can serve DeltaChat users and/or future services adopting this protocol
Resources
- The links included above
- https://chatmail.at/doc/relay/
- https://delta.chat/en/help
- Project repo -> https://codeberg.org/EndShittification/containerized-chatmail-relay
Technical talks at universities by agamez
Description
This project aims to empower the next generation of tech professionals by offering hands-on workshops on containerization and Kubernetes, with a strong focus on open-source technologies. By providing practical experience with these cutting-edge tools and fostering a deep understanding of open-source principles, we aim to bridge the gap between academia and industry.
For now, the scope is limited to Spanish universities, since we already have the contacts and have started some conversations.
Goals
- Technical Skill Development: equip students with the fundamental knowledge and skills to build, deploy, and manage containerized applications using open-source tools like Kubernetes.
- Open-Source Mindset: foster a passion for open-source software, encouraging students to contribute to open-source projects and collaborate with the global developer community.
- Career Readiness: prepare students for industry-relevant roles by exposing them to real-world use cases, best practices, and open-source in companies.
Resources
- Instructors: experienced open-source professionals with deep knowledge of containerization and Kubernetes.
- SUSE Expertise: leverage SUSE's expertise in open-source technologies to provide insights into industry trends and best practices.
Rewrite Distrobox in go (POC) by fabriziosestito
Description
Rewriting Distrobox in Go.
Main benefits:
- Easier to maintain and to test
- Adapter pattern for different container backends (LXC, systemd-nspawn, etc.)
Goals
- Build a minimal starting point with core commands
- Keep the CLI interface compatible: existing users shouldn't notice any difference
- Use a clean Go architecture with adapters for different container backends
- Keep dependencies minimal and binary size small
- Benchmark against the original shell script
Resources
- Upstream project: https://github.com/89luca89/distrobox/
- Distrobox site: https://distrobox.it/
- ArchWiki: https://wiki.archlinux.org/title/Distrobox