| ▲ | jauntywundrkind 4 hours ago | |
Really well targeted! I'd been thinking of using toolbox or devcontainers going forward, but having to craft containers with all my stuff sounds so painful, feels like it would become another full-time job to make containers Bubblewrap & passing in a bunch of the current system sounds like a great compromise! I do wonder what isolation something like systemd-run can offer, if that is enough. Part #2 to me, I also want observability as to what the agent changed. That was one place where containers are such a clear & huge advantage! Having an overlay that contains the changes to the filesystem is so explicit. There's also works like agentfs, that offer a FUSE filesystem backed by Turso DB (sqlite compatible). | ||
| ▲ | dgl an hour ago | parent [-] | |
> Part #2 to me, I also want observability as to what the agent changed. You could potentially combine https://github.com/binpash/try with bubblewrap (I'm not sure how well they compose and as the docs say it isn't a full sandbox). The good (and bad because it's confusing and can lead to surprises if misconfigured) thing about Linux containers is all the pieces of containers can be used independently. The "try" tool lets you use the overlay part of containers on your host system, just like Bubblewrap lets you combine the namespacing parts of containers with your host system. | ||