A package manager which facilitates Arch-based bubblewrap containers.
Find a file
Xavier Moffett 722cd18fa6
Deserialize 'ro' and 'rw' strs into Permission enum
- Implement serde Serializer and Deserializer for the Permission enum in
  Filesystem module.
- Breaking: Refactor ExecutionArgs API, combining the 'robind' and
  'bind' functions into a single function named 'bind'.
2024-11-16 23:48:03 -05:00
.forgejo/workflows Add Update container step 2024-11-16 23:41:45 -05:00
.github/workflows Add Update container step 2024-11-16 23:41:45 -05:00
assets Decluttered and splintered build scripts, some organization and readmes 2023-12-23 23:10:55 -05:00
dist Validate version string and clean up of subshell cmd sequences 2024-10-31 16:12:47 -04:00
docs Update doucmentation to reflect e4b8a85ccd 2024-09-14 21:13:37 -04:00
pacwrap Deserialize 'ro' and 'rw' strs into Permission enum 2024-11-16 23:48:03 -05:00
pacwrap-agent Tidy up manifests and inclusion of workspace dependencies 2024-10-31 16:22:08 -04:00
pacwrap-core Deserialize 'ro' and 'rw' strs into Permission enum 2024-11-16 23:48:03 -05:00
.gitignore Inclusion of pacwrap-key, some container schema fixes 2024-02-16 18:17:35 -05:00
.rustfmt.toml Structural simplification, rustfmt configuration applied, and snake_case 2024-01-14 20:51:57 -05:00
Cargo.lock Release 0.8.7 2024-11-08 18:53:48 -05:00
Cargo.toml Release 0.8.7 2024-11-08 18:53:48 -05:00
LICENSE LICENSE file 2023-10-29 15:34:12 -04:00
README.md Revert README.md 2024-10-30 23:55:52 -04:00
SECURITY.md Amended security policy 2024-04-05 17:49:00 -04:00

pacwrap Build Workflow

pacwrappacwrap-gitLicenseMSRV

A package management front-end which utilises libalpm to facilitate the creation of unprivileged, userspace containers with parallelised, filesystem-agnostic deduplication. These containers are constructed via bubblewrap to execute package transactions and launch applications.

This application is designed to allow for the creation and execution of secure, replicable containerised environments for general-purpose use. CLI and GUI applications are all supported*. Once a container environment is configured, it can be re-established or replicated on any system.

Goal of this project is to provide a distribution-backed alternative to flatpak with easily configurable security parameters.

* Some CLI-based applications, such as ncspot, require disabling termios isolation. This could allow an attacker to overtake the terminal and thus breakout of the container.

Example usage

To create a base container, execute the following command:

$ pacwrap -Syucb --target=base

Then to launch a shell inside of this container to configure it:

$ pacwrap -Es base

And finally, to install neovim inside of a fresh, aggregated container called editor:

$ pacwrap -Syucat editor --dep=base neovim

To update these containers just created in aggregate:

$ pacwrap -Syu

More advanced examples along with further documentation of configuration can be found further elaborated upon here.

Features

Since this project is a work in progress, not everything is yet completed. Please refer to the matrix below for further detail.

If a feature you see here is not completed, feel free to submit a PR; or submit an issue regarding a feature not listed herein for triage.

Feature Description Status
Aggregate Transactions Aggregate package transactions across containers
Transaction Agent Transact within a sandboxed runtime environment
Transaction CLI Functional
Global Configuration Functional
Package Dependency Resolution Utilizes a recursive depth-first search algorithm; resilient to cycling
Foreign Database Resolution Populates foreign package database in aggregate containers
Foreign Database Resolution (Lazy) Not yet implemented
Conflict Resolution Not yet implemented
Package Installation Functional
Package Removal Functional
Desktop Entry Creation Functional
Container Execution Functional
Launch within existing namespace Not yet implemented
Container Configuration Functional
Container Creation Functional
Container Composition Functional
Container Runtime Embedded runtime environment
Container Schema Container filesystem schema with version tracking
Filesystem Deduplication Retains filesystem state across containers with hardlinks
Seccomp Filters Application of seccomp filters to instances via libseccomp bindings
Dbus Isolation Functional - provided by xdg-dbus-proxy
Networking Isolation Not yet implemented
Port to Rust Completed
Config CLI (user friendly) Not yet implemented
Process API Container process enumeration
Process CLI Functional
Utility CLI Functional
Localization Not yet implemented

Manual

An online version of the user manual is viewable here.

Build requirements

A minimum version of Rust 1.72 is required to build with the following libraries fulfilled by your distribution:

libalpm=15, libseccomp, libzstd

Packaging requirements

The following Arch Linux packages (or your distribution's equivalent) are required for build-time artefacts:

bash, busybox, coreutils, fakeroot, fakechroot

Distribution support

Although this project aims to be distribution agnostic, at present only Arch-based distributions are supported. This project does aim, however, to be distribution agnostic, so in future it should be possible to support other distributions.