samlinnfer 7 hours ago

Here's the set up I use on Linux:

The idea is to completely sandbox the program, and allow only access to specific bind mounted folders. But we also want to have the frills of using GUI programs, audio, and network access. runc (https://github.com/opencontainers/runc) allows us to do exactly this.

My config sets up a container with folders bind mounted from the host. The only difficult part is setting up a transparent network proxy so that all the programs that need internet just work.

The container has a process namespace, network namespace, etc. and has no access to the host except through the bind mounted folders. Network is provided via a domain socket inside a bind mounted folder. GUI programs work by passing through a Wayland socket in a folder and setting environment variables.

The set up looks like this:

    * config.json - runc config
    * run.sh - runs runc and the proxy server
    * rootfs/ - runc rootfs (created by exporting a docker container) `mkdir rootfs && docker export $(docker create archlinux:multilib-devel) | tar -C rootfs -xvf -`
    * net/ - folder that is bind mounted into the container for networking

Inside the container (inside rootfs/root):

    * net-conf.sh - transparent proxy setup
    * nft.conf - transparent proxy nft config
    * start.sh - run as a user account

Clone-able repo with the files: https://github.com/dogestreet/dev-container
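To make the post's layout concrete, here is an added example (my own code, not a file from the dogestreet/dev-container repo) that generates a runc config.json with the properties described above: private pid/network/ipc/uts/mount namespaces, the exported rootfs as root, and host access only through an explicit allowlist of bind mounts (the net/ folder that carries the proxy socket, a work folder, and just the compositor's Wayland socket rather than the whole runtime directory). The host paths /srv/devbox/... and /run/user/1000/wayland-0, the uid, and the allowlist check are assumptions made for the example; the OCI fields themselves are the standard runtime-spec ones that runc reads.

```python
# Added example: build a runc (OCI runtime-spec) config.json for a sandboxed
# dev container. Host paths below are assumptions, not from the original post.
import json
import os

# Host directories the container may reach via bind mounts. Anything else on
# the host stays invisible to the sandbox. Constructed for this example.
ALLOWED_BIND_ROOTS = ("/srv/devbox/net", "/srv/devbox/work", "/run/user/1000")

OCI_VERSION = "1.0.2"


def bind_mount(source, destination, readonly=False):
    """One OCI bind-mount entry. nosuid/nodev stop setuid binaries and device
    nodes that live on the host side from being usable inside the sandbox."""
    opts = ["rbind", "nosuid", "nodev", "ro" if readonly else "rw"]
    return {"destination": destination, "type": "bind",
            "source": source, "options": opts}


def check_bind_sources(mounts):
    """Return the normalised sources of bind mounts that escape the allowlist
    (an empty list means every bind source is under an allowed root).
    normpath collapses '..' so a source such as /srv/devbox/net/../../../etc
    is judged as /etc, not by its literal prefix."""
    bad = []
    for m in mounts:
        if m["type"] != "bind":
            continue
        src = os.path.normpath(m["source"])
        if not any(src == root or src.startswith(root + "/")
                   for root in ALLOWED_BIND_ROOTS):
            bad.append(src)
    return bad


def build_config(rootfs="rootfs", wayland_socket="/run/user/1000/wayland-0",
                 net_dir="/srv/devbox/net", work_dir="/srv/devbox/work"):
    """Assemble the config dict; refuses to build if a bind source is off-list."""
    mounts = [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
         "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
        {"destination": "/dev/pts", "type": "devpts", "source": "devpts",
         "options": ["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"]},
        {"destination": "/dev/shm", "type": "tmpfs", "source": "shm",
         "options": ["nosuid", "noexec", "nodev", "mode=1777", "size=65536k"]},
        {"destination": "/sys", "type": "sysfs", "source": "sysfs",
         "options": ["nosuid", "noexec", "nodev", "ro"]},
        # net/ carries the domain socket the in-container proxy talks to.
        bind_mount(net_dir, "/net"),
        bind_mount(work_dir, "/root/work"),
        # Wayland: pass through only the compositor socket file, not $XDG_RUNTIME_DIR.
        bind_mount(wayland_socket, "/run/wl/wayland-0"),
    ]
    offenders = check_bind_sources(mounts)
    if offenders:
        raise ValueError("bind source outside allowlist: %s" % offenders)
    return {
        "ociVersion": OCI_VERSION,
        "process": {
            "terminal": True,
            "user": {"uid": 0, "gid": 0},   # start.sh is expected to drop to a user
            "args": ["/root/start.sh"],
            "env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm",
                # GUI clients locate the compositor through these two variables.
                "XDG_RUNTIME_DIR=/run/wl",
                "WAYLAND_DISPLAY=wayland-0",
            ],
            "cwd": "/root",
            "noNewPrivileges": True,
        },
        "root": {"path": rootfs, "readonly": False},
        "hostname": "devbox",
        "mounts": mounts,
        "linux": {
            # New namespaces with no "path" entries, so none is shared with the host.
            # The fresh network namespace has only loopback; connectivity must
            # come from the proxy over /net, which is the point of the setup.
            "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")],
            "maskedPaths": ["/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
                            "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware"],
            "readonlyPaths": ["/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
                              "/proc/sys", "/proc/sysrq-trigger"],
        },
    }


if __name__ == "__main__":
    with open("config.json", "w") as f:
        json.dump(build_config(), f, indent=2)
```

Run it in the bundle directory next to rootfs/ and start the container with `runc run devbox`; the allowlist check is there because a single stray bind of `/` or `$HOME` silently turns the sandbox back into the host, which is exactly the failure mode the setup is meant to rule out.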
ekidd 6 hours ago

I have a version of this without the GUI, but with shared mounts and user ID mapping. It uses systemd-nspawn, and it's great.

In retrospect, agent permission models are unbelievably silly. Just give the poor agents their own user accounts, credentials, and branch protection, like you would for a short-term consultant.

samlinnfer 6 hours ago

The other reason to sandbox is to reduce damage if another NPM supply chain attack drops. User accounts should solve the problem, but they are just too coarse-grained and fiddly, especially when you have path hierarchies. I'd hate to have another dependency on systemd, hence runc only.

brunoborges 7 hours ago

Any particular reason why you shared these files in a gist rather than a repo?

samlinnfer 7 hours ago

Yeah you're right, a repo is better: https://github.com/dogestreet/dev-container

I've made it clonable and it should be straightforward to run now.

idorosen 7 hours ago

try firejail instead

samlinnfer 6 hours ago

Not even close to the same thing; with this setup you can install dev tools, databases, etc. and run them inside the container.

It's a full development environment in a folder.