https://github.com/mody5bundle/capps

# mody5bundle / capps

Public repository, GPL-3.0 License, 62 stars, 2 forks, 1 branch, 0 tags, 5 commits, no releases published.

Latest commit: aec6a11 "added more examples" by @mody5bundle, Mar 26, 2022.

Files: container/ (Initial commit), LICENSE (Initial commit), README.md (added more examples), capps.py (Initial commit), capps.te (Initial commit), config.yml (Initial commit), template.desktop.j2 (Initial commit), all dated Mar 26, 2022.

README.md:
## Why?

* restrict the scope of file system access
* run any application without root privileges
* create usable "desktop applications" (.desktop entries) that integrate into your normal workflow
* cut network access for applications that handle confidential data, to prevent accidental leakage
* set memory and CPU boundaries for your applications (disclaimer: CPU limits are not implemented yet)
* easy rollback with version pinning
* works on Wayland

## Usage

```
capps.py [-h] [-a app1 app2 ... [app1 app2 ... ...]] [-c /path/to/config.yaml] [-b] [-r] [-i] [-v] [-s] [-d] [-l]

Start podman container apps.

options:
  -h, --help            show this help message and exit
  -a app1 app2 ... [app1 app2 ... ...], --application-list app1 app2 ... [app1 app2 ... ...]
                        List of applications to run as defined in config file
  -c /path/to/config.yaml, --config /path/to/config.yaml
                        Path to config file (defaults to config.yaml)
  -b, --build           (re)build list of provided apps
  -r, --run             run containers of all provided apps (default)
  -i, --install         install as desktop application
  -v, --verbose         enable verbose log output
  -s, --stats           enable stats output
  -d, --debug           enable debug log output
  -l, --list            print available container
```

### Example container that gets created

```sh
podman run --rm -d --hostname firefox \
  --name firefox-$RANDOM \
  --cap-drop=ALL \
  --read-only=true \
  --read-only-tmpfs=false \
  --systemd=false \
  --userns=keep-id \
  --security-opt=no-new-privileges \
  --memory=2048mb \
  --cap-add cap_sys_chroot \
  --volume $HOME/Downloads/:/home/firefox/Downloads:rw \
  --volume /run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro \
  --volume $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro \
  localhost/firefox
```

Every capability is dropped and only `cap_sys_chroot` is added back; the root filesystem is read-only; `no-new-privileges` prevents setuid/setgid binaries inside the container from gaining privileges; `--userns=keep-id` maps your host UID into the container so the shared Downloads directory keeps your ownership; and only the PulseAudio and Wayland sockets the application needs are mounted, read-only. The Downloads directory is the only host path the container can write to.

### Example config file for firefox

```yaml
default_permissions: &default_permissions
  cap-drop: ALL
  read-only: true
  read-only-tmpfs: true
  systemd: false
  userns: keep-id
  security-opt: "no-new-privileges"

volumes:
  - &sound "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
  - &wayland "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"
  - &x11 /tmp/.X11-unix:/tmp/.X11-unix:ro

container:
  firefox:
    versioncmd: "firefox --version | awk \"'\"{print \\$3}\"'\""
    repo: "localhost"
    file: "firefox.dockerfile"
    path: "./container/firefox/"
    icon: "firefox.png"
    permissions:
      memory: 2048mb
      <<: *default_permissions
      read-only-tmpfs: false
      cap-add:
        - "cap_sys_chroot"
      volume:
        - "$HOME/Downloads/:/home/firefox/Downloads:rw"
        - *sound
        - *wayland
```

The `<<: *default_permissions` merge key pulls in the shared defaults; keys written explicitly in the app's own `permissions` map (here `read-only-tmpfs: false`) override the merged defaults. The `*sound` and `*wayland` aliases reuse the volume definitions from the `volumes` list, so the firefox container gets no X11 socket unless `*x11` is added to its `volume` list.

### List images

```
./capps.py -l
Available Containers in config:
firefox: Mem: 2048mb, Capabilities: ['cap_sys_chroot'], cap-drop: ALL
Available images on host for firefox:
['localhost/firefox:latest', 'localhost/firefox:98.0'] Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window'] Size: 1178 MB 3391 Minutes old.
['localhost/firefox:97.0.1'] Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window'] Size: 1182 MB 26452 Minutes old.
['localhost/firefox:96.0'] Entrypoint: ['/bin/sh', '-c', '/usr/bin/firefox --private --private-window'] Size: 1156 MB 96024 Minutes old.
```

### Get stats on a started container

```
./capps.py -a firefox -s
NAME            MEM                          CPU     READ/WRITE     PIDS
firefox-18685:  232.1MB / 2.147GB / 10.81%   3.17%   -- / --        57
firefox-18685:  497.1MB / 2.147GB / 23.15%   2.24%   0B / 2.049MB   226
```

### SELinux

Build and load the policy module from `capps.te` (installing it with `semodule -i` requires root):

```sh
cat capps.te
checkmodule -M -m -o capps.mod capps.te
semodule_package -o capps.pp -m capps.mod
semodule -i capps.pp
rm -rf capps.{pp,mod}
```
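The following is an added example written for this page, not code from capps.py. It shows how the permission map in the config above turns into the `podman run` command line shown earlier, and adds an `audit()` check a practitioner would want before wiring a new application in. It assumes the YAML has already been loaded into Python dicts; the `<<: *default_permissions` merge key and the `*sound` / `*wayland` aliases are modelled with dict unpacking and module constants, and the key names (`cap-drop`, `cap-add`, `read-only`, `read-only-tmpfs`, `systemd`, `userns`, `security-opt`, `memory`, `volume`) mirror the README's config.

```python
"""Added example (not capps.py itself): build the `podman run` argv that a
capps-style permission map describes, and audit that map for weak settings.

Assumptions: the config has already been loaded into dicts; the YAML merge
key `<<: *default_permissions` and the `*sound` / `*wayland` aliases are
modelled with dict unpacking and constants; key names mirror the README.
"""
import os

# Constructed to mirror the README's firefox entry; not read from config.yml.
DEFAULT_PERMISSIONS = {
    "cap-drop": "ALL",
    "read-only": True,
    "read-only-tmpfs": True,
    "systemd": False,
    "userns": "keep-id",
    "security-opt": "no-new-privileges",
}
SOUND = "/run/user/$UID/pulse/native:/run/user/$UID/pulse/native:ro"
WAYLAND = "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:ro"

FIREFOX = {
    "repo": "localhost",
    "permissions": {
        "memory": "2048mb",
        **DEFAULT_PERMISSIONS,       # the YAML `<<: *default_permissions`
        "read-only-tmpfs": False,    # explicit key overrides the merged default
        "cap-add": ["cap_sys_chroot"],
        "volume": ["$HOME/Downloads/:/home/firefox/Downloads:rw", SOUND, WAYLAND],
    },
}

BOOL_FLAGS = ("read-only", "read-only-tmpfs", "systemd")


def podman_args(name, app, suffix="0", expand=False):
    """Return the argv for one app, in the same flag order as the README's example.

    Volume paths are kept as written ($HOME, $UID, ...) unless expand=True,
    because the README's command relies on the shell to expand them.
    """
    p = app["permissions"]
    args = ["podman", "run", "--rm", "-d", "--hostname", name,
            "--name", f"{name}-{suffix}"]
    args.append(f"--cap-drop={p['cap-drop']}")           # drop everything first...
    for flag in BOOL_FLAGS:
        args.append(f"--{flag}={'true' if p[flag] else 'false'}")
    args.append(f"--userns={p['userns']}")
    args.append(f"--security-opt={p['security-opt']}")
    if "memory" in p:
        args.append(f"--memory={p['memory']}")
    for cap in p.get("cap-add", []):                       # ...then add back only what is listed
        args += ["--cap-add", cap]
    for vol in p.get("volume", []):
        args += ["--volume", os.path.expandvars(vol) if expand else vol]
    args.append(f"{app['repo']}/{name}")
    return args


def audit(p):
    """List the settings a reviewer would flag in a permission map."""
    findings = []
    if p.get("cap-drop") != "ALL":
        findings.append("cap-drop is not ALL")
    if p.get("security-opt") != "no-new-privileges":
        findings.append("no-new-privileges is not set")
    if not p.get("read-only", False):
        findings.append("root filesystem is writable")
    if p.get("userns") != "keep-id":
        findings.append("userns is not keep-id")
    for vol in p.get("volume", []):
        parts = vol.split(":")                 # host:container[:options]
        src = parts[0].rstrip("/")
        opts = parts[2].split(",") if len(parts) > 2 else []
        if src in ("$HOME", "~", os.path.expanduser("~")):
            findings.append(f"whole home directory mounted: {vol}")
        if "ro" not in opts:                   # a bind mount without :ro is writable
            findings.append(f"writable host path: {parts[0]}")
    return findings


if __name__ == "__main__":
    print(" \\\n  ".join(podman_args("firefox", FIREFOX)))
    for finding in audit(FIREFOX["permissions"]):
        print("note:", finding)
```

Running the module prints the README's firefox command (with `firefox-0` in place of `firefox-$RANDOM`) and one audit note, for the writable Downloads mount. The audit deliberately reports every non-`ro` mount rather than only obviously bad ones, since the whole point of the tool is that the list of writable host paths stays short and reviewed.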