A package manager which facilitates Arch-based bubblewrap containers.
Find a file
2024-02-23 01:49:28 -05:00
assets Decluttered and splintered build scripts, some organization and readmes 2023-12-23 23:10:55 -05:00
bin Some errata fixed, typos, and path updated in bin/pacwrap-common 2024-02-12 23:26:58 -05:00
dist Switch git log timestamp back to commit date from author date 2024-02-18 03:22:37 -05:00
docs Updated to correspond with changes made with commit 2a48da2773 2024-02-18 03:36:25 -05:00
pacwrap Switch git log timestamp back to commit date from author date 2024-02-18 03:22:37 -05:00
pacwrap-agent Release 0.7.2 -- Bug fix release 2024-02-13 16:11:23 -05:00
pacwrap-core Filesystem state files are now compressed with zstandard compression 2024-02-23 01:41:49 -05:00
.gitignore Inclusion of pacwrap-key, some container schema fixes 2024-02-16 18:17:35 -05:00
.rustfmt.toml Structural simplification, rustfmt configuration applied, and snake_case 2024-01-14 20:51:57 -05:00
Cargo.lock Update to Cargo.lock 2024-02-23 01:49:28 -05:00
Cargo.toml Initial commit workspace Cargo.toml 2023-11-16 23:36:36 -05:00
LICENSE LICENSE file 2023-10-29 15:34:12 -04:00
README.md Some errata fixed, typos, and path updated in bin/pacwrap-common 2024-02-12 23:26:58 -05:00
SECURITY.md Changes to version metadata acquisition, manual updates, and SECURITY.md 2024-02-17 04:26:41 -05:00

pacwrap

A package management front-end which utilises libalpm to facilitate the creation of unprivileged, userspace containers with parallelised, filesystem-agnostic deduplication. These containers are constructed via bubblewrap to execute package transactions and launch applications.

This application is designed to allow for the creation and execution of secure, replicable containerised environments for general-purpose use. CLI and GUI applications are all supported*. Once a container environment is configured, it can be re-established or replicated on any system.

Goal of this project is to provide a distribution-backed alternative to flatpak with easily configurable security parameters.

* Some CLI-based applications, such as ncspot, require disabling termios isolation. This could allow an attacker to overtake the terminal and thus breakout of the container.

Example usage

To create a base container, execute the following command:

$ pacwrap -Syucb --target=base

Then to launch a shell inside of this container to configure it:

$ pacwrap -Es base

And finally, to install neovim inside of a fresh, aggregated container called editor:

$ pacwrap -Syucat editor --dep=base neovim

More advanced examples along with further documentation of configuration can be found further elaborated upon here.

Features

Since this project is a work in progress, not everything is yet completed. Please refer to the matrix below for further detail.

If a feature you see here is not completed, feel free to submit a PR; or submit an issue regarding a feature not listed herein for triage.

Feature Description Status
Aggregate Transactions Aggregate package transactions across containers
Transaction Agent Transact within a sandboxed runtime environment
Transaction CLI Functional
Global Configuration Functional
Dependency Resolution Functional, but too liberal to compensate for a lack of conflict resolution
Foreign Database Resolution Populates foreign package database in aggregate containers
Foreign Database Resolution (Lazy) Not yet implemented
Conflict Resolution Not yet implemented
Package Installation Functional
Package Removal Functional
Desktop Entry Creation pacwrap-utils at present provides this via pacwrap -Ud
Container Execution Functional
Launch within existing namespace Not yet implemented
Container Configuration Functional
Container Creation Functional
Container Runtime Embedded runtime environment
Container Schema Container filesystem schema with version tracking
Filesystem Deduplication Retains filesystem state across containers with hardlinks
Seccomp Filters Application of seccomp filters to instances via libseccomp bindings
Dbus Isolation Functional - provided by xdg-dbus-proxy
Networking Isolation Not yet implemented
Port to Rust Script: pacwrap-utils
Configuration CLI (user friendly) Not yet implemented
Process API Container process enumeration
Process CLI Functional
Utility CLI (native) Not yet implemented
Localization Not yet implemented

Manual

An online version of the user manual is viewable here.

Build requirements

A minimum version of Rust 1.72 is required to build with the following libraries fulfilled by your distribution:

libalpm, libseccomp, libzstd

Packaging requirements

The following Arch Linux packages (or your distribution's equivalent) are required for build-time artefacts:

bash, busybox, coreutils, fakeroot, fakechroot

Distribution support

Although this project aims to be distribution agnostic, at present only Arch-based distributions are supported. This project does aim, however, to be distribution agnostic, so in future it should be possible to support other distributions.