Run containerized, rootless applications with podman

Related tags

Deep Learningyamldockerfilecontainerpython3podman
Overview

Why?

  • restrict scope of file system access
  • run any application without root privileges
  • creates usable "Desktop applications" to integrate into your normal workflow
  • cut network access for applications that work with confidential stuff to prevent accidental leakage
  • set MEM and CPU boundaries for your applications
  • easy rollback with version pinning
  • works on wayland
  • gameplayerspecial

Installation:

Tested and verified:

  • Fedora 35
  • Ubuntu 21.10
  • Debian 11.3

Fedora 35

sudo dnf install python3-pip
pip install --user pyyaml
pip install --user jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
sudo semodule -i capps.pp
./capps.py -a firefox -d

Ubuntu 21.10

sudo apt install git python3 python3-pip podman
pip3 install jinja2
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a sandbox -d

Debian 11.3

sudo apt install git python3 python3-pip podman
pip3 install jinja2 pyyaml
git clone https://github.com/mody5bundle/capps && cd capps/
./capps.py -a spotify -d -s

Usage

capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run as defined in config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build list of provided apps
  -r, --run             run containers of all provided apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available container

Example container that gets Created

podman run --rm -d --hostname firefox \
--name firefox-$RANDOM \
--cap-drop=ALL \
--read-only=true \
--read-only-tmpfs=false \
--systemd=false \
--userns=keep-id \
--security-opt=no-new-privileges \
--memory=2048mb \
--cap-add cap_sys_chroot \
--volume $HOME/Downloads/:/home/firefox/Downloads:rw \
--volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
--volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
localhost/firefox

Example config file for firefox

default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"
volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro
container:
  firefox:
    versioncmd: "firefox --version | awk \"'\"{print \\$3}\"'\""
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add:
        - "cap_sys_chroot"
      volume:
        - "$HOME/Downloads/:/home/firefox/Downloads:rw"
        - *sound
        - *wayland

list images

./capps.py -l
Available Containers in config:
firefox: 	Mem: 2048mb, 	Capabilities:  ['cap_sys_chroot'], 	cap-drop: ALL
Available images on host for firefox:
['localhost/firefox:latest', 'localhost/firefox:98.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1178 MB	 	3391 Minutes old.
['localhost/firefox:97.0.1']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1182 MB	 	26452 Minutes old.
['localhost/firefox:96.0']	Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window']	Size: 1156 MB	 	96024 Minutes old.

get stats on started container

./capps.py -a firefox -s
NAME			MEM			  CPU	 READ/WRITE   PIDS
firefox-18685:	 232.1MB / 2.147GB / 10.81% 	 3.17% 	 -- / -- 57
firefox-18685:	 497.1MB / 2.147GB / 23.15% 	 2.24% 	 0B / 2.049MB 226

Selinux:

cat capps.te
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
semodule -i capps.pp
rm -rf capps.{pp,mod}
Owner
GitHub Repository
Deep Learning for Morphological Profiling

Deep Learning for Morphological Profiling An end-to-end implementation of a ML System for morphological profiling using self-supervised learning to di

Danielh Carranza 0 Jan 20, 2022
Transfer Learning library for Deep Neural Networks.

Transfer and meta-learning in Python Each folder in this repository corresponds to a method or tool for transfer/meta-learning. xfer-ml is a standalon

Amazon 245 Dec 08, 2022
Nonuniform-to-Uniform Quantization: Towards Accurate Quantization via Generalized Straight-Through Estimation. In CVPR 2022.

Nonuniform-to-Uniform Quantization This repository contains the training code of N2UQ introduced in our CVPR 2022 paper: "Nonuniform-to-Uniform Quanti

Zechun Liu 60 Dec 28, 2022
Source code of "Hold me tight! Influence of discriminative features on deep network boundaries"

Hold me tight! Influence of discriminative features on deep network boundaries This is the source code to reproduce the experiments of the NeurIPS 202

EPFL LTS4 19 Dec 10, 2021
Landmarks Recogntion Web application using Streamlit.

Landmark Recognition Web-App using Streamlit Watch Tutorial for this project Source Trained model landmarks_classifier_asia_V1/1 is taken from the Ten

Kushal Bhavsar 5 Dec 12, 2022
Learning Off-Policy with Online Planning, CoRL 2021

LOOP: Learning Off-Policy with Online Planning Accepted in Conference of Robot Learning (CoRL) 2021. Harshit Sikchi, Wenxuan Zhou, David Held Paper In

Harshit Sikchi 24 Nov 22, 2022
An implementation of the [Hierarchical (Sig-Wasserstein) GAN] algorithm for large dimensional Time Series Generation

Hierarchical GAN for large dimensional financial market data Implementation This repository is an implementation of the [Hierarchical (Sig-Wasserstein

11 Nov 29, 2022
A python-image-classification web application project, written in Python and served through the Flask Microframework

A python-image-classification web application project, written in Python and served through the Flask Microframework. This Project implements the VGG16 covolutional neural network, through Keras and

Gerald Maduabuchi 19 Dec 12, 2022
Meta-meta-learning with evolution and plasticity

Evolve plastic networks to be able to automatically acquire novel cognitive (meta-learning) tasks

5 Jun 28, 2022
A benchmark for the task of translation suggestion

WeTS: A Benchmark for Translation Suggestion Translation Suggestion (TS), which provides alternatives for specific words or phrases given the entire d

zhyang 55 Dec 24, 2022
The pyrelational package offers a flexible workflow to enable active learning with as little change to the models and datasets as possible

pyrelational is a python active learning library developed by Relation Therapeutics for rapidly implementing active learning pipelines from data management, model development (and Bayesian approximat

Relation Therapeutics 95 Dec 27, 2022
Draw like Bob Ross using the power of Neural Networks (With PyTorch)!

Draw like Bob Ross using the power of Neural Networks! (+ Pytorch) Learning Process Visualization Getting started Install dependecies Requires python3

Kendrick Tan 116 Mar 07, 2022
Standalone pre-training recipe with JAX+Flax

Sabertooth Sabertooth is standalone pre-training recipe based on JAX+Flax, with data pipelines implemented in Rust. It runs on CPU, GPU, and/or TPU, b

Nikita Kitaev 26 Nov 28, 2022
Adversarial vulnerability of powerful near out-of-distribution detection

Adversarial vulnerability of powerful near out-of-distribution detection by Stanislav Fort In this repository we're collecting replications for the ke

Stanislav Fort 9 Aug 30, 2022
Code release of paper "Deep Multi-View Stereo gone wild"

Deep MVS gone wild Pytorch implementation of "Deep MVS gone wild" (Paper | website) This repository provides the code to reproduce the experiments of

François Darmon 53 Dec 24, 2022
Pairwise model for commonlit competition

Pairwise model for commonlit competition To run: - install requirements - create input directory with train_folds.csv and other competition data - cd

abhishek thakur 45 Aug 31, 2022
Using Clinical Drug Representations for Improving Mortality and Length of Stay Predictions

Using Clinical Drug Representations for Improving Mortality and Length of Stay Predictions Usage Clone the code to local. https://github.com/tanlab/MI

Computational Biology and Machine Learning lab @ TOBB ETU 3 Oct 18, 2022
Convex optimization for fun and profit.

CFMM Optimal Routing This repository contains the code needed to generate the figures used in the paper Optimal Routing for Constant Function Market M

Guillermo Angeris 183 Dec 29, 2022
Toward Multimodal Image-to-Image Translation

BicycleGAN Project Page | Paper | Video Pytorch implementation for multimodal image-to-image translation. For example, given the same night image, our

Jun-Yan Zhu 1.4k Dec 22, 2022
Adaptive Pyramid Context Network for Semantic Segmentation (APCNet CVPR'2019)

Adaptive Pyramid Context Network for Semantic Segmentation (APCNet CVPR'2019) Introduction Official implementation of Adaptive Pyramid Context Network

21 Nov 09, 2022