Wolf480pl
@quad @lanodan
huh, TIL bwrap exists.
Is it basically like `unshare` that works without having root?
So you'd first switch to service-specific user, then run bwrap?
How would you start the service on boot? Have init switch user and call bwrap? Or the old ugly @reboot in user's crontab?
Haelwenn /элвэн/ :triskell:
@wolf480pl @quad Yeah either switch to the service user in advance or use the --uid option.
Do would you start the service on boot?
Just use the normal services files of your host, maybe with a wrapping script if you hate long commands or it's something like systemd where variables/functions inside the command likely aren't a thing.
Haelwenn /элвэн/ :triskell:
@wolf480pl @quad I've never used systemd other than fixing broken debian installs, so I can't say but I don't thing it comes any close to bwrap.
Like can you isolate /dev, /sys, /proc with systemd? Or get a tmpfs (which is specially neat for throwaway containers).
Wolf480pl
so it can do all the namespace-y privilege-dropy bind-mounty stuff, but it doesn't do anything related to images, you just use existing directories in the filesystem?
Assuming I'm ok with systemd, is there any reason to use bwrap over systemd's Protect* / RootDirectory / BindPath / etc?
rakoo
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.