for declared modules within tag vars
- For the sake of coherency, there are now four types of containers: Symbolic, Base, Slice, and Aggregate. These names better reflect the associated container types.
- Global configuration template is now written to disk prior to instantiation
- Inclusion of .rustfmt.toml with formatting applied to source files
- Breaking format change: SCREAMING_CASE has been replaced with snake_case for tag variables
- Simplified data structure in cache module
- InstanceCache type within the cache module replaces 'registered_base', 'registered_dep', and 'registered_root', with 'filter'.
- Cleaned up argument parsing match statements in the front-end modules.
- Specifying dependencies with a comma delineation is now supported
- Manual updated to reflect argument changes.
- query module updated to utilise internal APIs
- Some minor improvements to error handling.
- Removed redundant calls to --clear-env with bubblewrap.
- Scripting no longer outputs ANSI charcodes to unsupported terminals
Repository contents: assets, bin, dist, docs, pacwrap, pacwrap-agent, pacwrap-core, .gitignore, .rustfmt.toml, Cargo.lock, Cargo.toml, LICENSE, makefile, README.md
pacwrap
A package management front-end which utilises libalpm to facilitate the creation of unprivileged, userspace containers with parallelised, filesystem-agnostic deduplication. Sandboxing of unprivileged namespace containers is provided via bubblewrap to execute package transactions and launch applications inside of these containers.
This application is designed to allow for the creation and execution of secure, replicable containerised environments for general-purpose use. CLI and GUI applications are all supported*. Once a container environment is configured, it can be re-established or replicated on any system.
Goal of this project is to provide a distribution-backed alternative to flatpak with easily configurable security parameters.
* Some CLI-based applications, such as ncspot, require disabling termios isolation. This could allow an attacker to take over the terminal and thus break out of the container.
Example usage
To create a container, execute the following command:
$ pacwrap -Syucb --target=base
Then to launch a shell inside of this container to configure it:
$ pacwrap -Es base
And then finally, to install neovim inside of a fresh, replicable, root container:
$ pacwrap -Syucr --target=neovim neovim --target=base
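The three steps above, generalised to one shared base container and any number of root containers that depend on it, as an added example that is not part of the pacwrap project. It assumes `pacwrap` is in PATH and that its flags behave exactly as in the README commands; the container and package names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the pacwrap project: automates the README's
# workflow (one shared base container, then one root container per
# application that depends on it). Assumptions: `pacwrap` is in PATH and its
# flags behave exactly as in the README's three commands; container and
# package names below are constructed for illustration.
set -eu

# Execute the given command, or only print it when DRY_RUN=1 (the default),
# so the plan can be reviewed before anything is written to disk.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# README step 1: create the base container named $1.
create_base() {
    run pacwrap -Syucb --target="$1"
}

# README step 3: create root container $1 holding package $2 on top of base $3.
create_app() {
    run pacwrap -Syucr --target="$1" "$2" --target="$3"
}

# Provision BASE once, then every "name:package" entry passed after it.
provision() {
    base=$1; shift
    create_base "$base"
    for entry in "$@"; do
        create_app "${entry%%:*}" "${entry#*:}" "$base"
    done
}

# Constructed sample run; enter a finished container with `pacwrap -Es <name>`
# (README step 2) to configure it interactively.
provision base neovim:neovim firefox:firefox
```

Run with `DRY_RUN=0` to actually execute the commands instead of printing them.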
More advanced examples, along with further documentation on configuration, are elaborated upon here.
Manual
An online version of the user manual is viewable here.
Build requirements
A minimum version of Rust 1.72, with base-devel and repose packages from Arch Linux's repositories.
Distribution support
Currently only Arch Linux is supported inside containers, as package management is facilitated by libalpm. However, the pacwrap package itself should be distribution agnostic, so it should be possible to use it on non-Arch-based host distributions.