Comment by webstrand

Comment by webstrand 4 days ago

I was just playing with bwrap for isolating npm project actions from the rest of my system.

    bwrap --unshare-pid --dev-bind / / --tmpfs /home --bind "$(pwd)" "$(pwd)" bash

it seems to work fairly well? But I just started playing with bwrap this weekend. I do wish bwrap could be told "put the program in this pre-prepared network namespace" because accessing unsecured local dev servers could also be an issue.

tommica 3 days ago

I had this idea of having toolbox+custom user for each project - that way it would be "simple" to have isolated environments, but it does lead to a lot of bloat. And I do think it is a naive solution.

Bwrap seems like a better option.

Reply View 3 replies

jeroenhd 3 days ago

I think a combination of custom users + a whole bunch of sandboxing is exactly what you'd get out of systemd-nspawn if you're willing to write the config: https://wiki.archlinux.org/title/Systemd-nspawn
bwrap seems a lot easier but if you want more control (or, for instance, want to run a Ubuntu basis because that's what a lot of games are compiled against), systemd-nspawn can be quite powerful.

Reply View | 0 replies
bflesch 3 days ago

thats how android does it. every app is different user.

Reply View | 1 reply
- tommica a day ago
  
  Oh really? That's a surprise
  
  Reply View | 0 replies