#container #creation #deduplication #execution #bubblewrap #userspace #unprivileged

app pacwrap

Facilitates the creation, management, and execution of unprivileged Arch-based bubblewrap containers

4 releases

0.8.0 Mar 31, 2024
0.7.2 Feb 13, 2024
0.7.1 Feb 13, 2024
0.7.0 Feb 12, 2024

#140 in Unix APIs

Download history 6/week @ 2024-02-06 90/week @ 2024-02-13 161/week @ 2024-02-20 51/week @ 2024-02-27 146/week @ 2024-03-26 25/week @ 2024-04-02

171 downloads per month

GPL-3.0-only

450KB
10K SLoC

pacwrap


A package management front-end which utilises libalpm to facilitate the creation of unprivileged, userspace containers with parallelised, filesystem-agnostic deduplication. These containers are constructed via bubblewrap to execute package transactions and launch applications.

This application is designed to allow for the creation and execution of secure, replicable containerised environments for general-purpose use. CLI and GUI applications are all supported*. Once a container environment is configured, it can be re-established or replicated on any system.

The goal of this project is to provide a distribution-backed alternative to flatpak with easily configurable security parameters.

* Some CLI-based applications, such as ncspot, require disabling termios isolation. This could allow an attacker to take over the terminal and thus break out of the container.

Example usage

To create a base container, execute the following command:

$ pacwrap -Syucb --target=base

Then to launch a shell inside of this container to configure it:

$ pacwrap -Es base

And finally, to install neovim inside of a fresh, aggregated container called editor:

$ pacwrap -Syucat editor --dep=base neovim

To update these containers just created in aggregate:

$ pacwrap -Syu

More advanced examples, along with further documentation of configuration, can be found here.

Features

Since this project is a work in progress, not everything is yet completed. Please refer to the matrix below for further detail.

If a feature you see here is not completed, feel free to submit a PR; or submit an issue regarding a feature not listed herein for triage.

| Feature | Description | Status |
| --- | --- | --- |
| Aggregate Transactions | Aggregate package transactions across containers | |
| Transaction Agent | Transact within a sandboxed runtime environment | |
| Transaction CLI | Functional | |
| Global Configuration | Functional | |
| Package Dependency Resolution | Utilizes a recursive depth-first search algorithm; resilient to cycling | |
| Foreign Database Resolution | Populates foreign package database in aggregate containers | |
| Foreign Database Resolution (Lazy) | Not yet implemented | |
| Conflict Resolution | Not yet implemented | |
| Package Installation | Functional | |
| Package Removal | Functional | |
| Desktop Entry Creation | Functional | |
| Container Execution | Functional | |
| Launch within existing namespace | Not yet implemented | |
| Container Configuration | Functional | |
| Container Creation | Functional | |
| Container Composition | Functional | |
| Container Runtime | Embedded runtime environment | |
| Container Schema | Container filesystem schema with version tracking | |
| Filesystem Deduplication | Retains filesystem state across containers with hardlinks | |
| Seccomp Filters | Application of seccomp filters to instances via libseccomp bindings | |
| Dbus Isolation | Functional - provided by xdg-dbus-proxy | |
| Networking Isolation | Not yet implemented | |
| Port to Rust | Completed | |
| Config CLI (user friendly) | Not yet implemented | |
| Process API | Container process enumeration | |
| Process CLI | Functional | |
| Utility CLI | Functional | |
| Localization | Not yet implemented | |
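
The Filesystem Deduplication entry above describes sharing filesystem state across containers with hardlinks. The following is an added sketch of that general technique, not pacwrap's own code; the function names, the `base` and `editor` directory layout and the file contents are constructed for illustration.

```rust
use std::{fs, io, os::unix::fs::MetadataExt, path::Path};

/// Replace regular files under `target` with hardlinks to byte-identical files
/// at the same relative path under `reference`; returns how many were linked.
fn dedup(reference: &Path, target: &Path) -> io::Result<usize> {
    let mut linked = 0;
    for entry in fs::read_dir(target)? {
        let entry = entry?;
        let (dst, src) = (entry.path(), reference.join(entry.file_name()));
        let dst_meta = fs::symlink_metadata(&dst)?;
        let Ok(src_meta) = fs::symlink_metadata(&src) else { continue };
        if dst_meta.is_dir() && src_meta.is_dir() {
            linked += dedup(&src, &dst)?;
        } else if dst_meta.is_file() && src_meta.is_file() {
            // Hardlinks cannot span filesystems; an identical inode is already shared.
            if dst_meta.dev() != src_meta.dev() || dst_meta.ino() == src_meta.ino() { continue; }
            // A link shares mode and ownership with its source, so those must match too.
            let attrs = |m: &fs::Metadata| (m.len(), m.mode(), m.uid(), m.gid());
            if attrs(&dst_meta) != attrs(&src_meta) || fs::read(&src)? != fs::read(&dst)? { continue; }
            // Link under a temporary name, then rename over the copy atomically.
            let tmp = dst.with_file_name(format!(".{}.dedup", entry.file_name().to_string_lossy()));
            fs::hard_link(&src, &tmp)?;
            fs::rename(&tmp, &dst)?;
            linked += 1;
        }
    }
    Ok(linked)
}

fn inode(p: &Path) -> io::Result<u64> { Ok(fs::metadata(p)?.ino()) }

/// Builds two constructed container roots and reports (linked, shared, distinct).
fn demo() -> io::Result<(usize, bool, bool)> {
    let root = std::env::temp_dir().join(format!("dedup-demo-{}", std::process::id()));
    let (base, editor) = (root.join("base/usr/lib"), root.join("editor/usr/lib"));
    fs::create_dir_all(&base)?;
    fs::create_dir_all(&editor)?;
    for dir in [&base, &editor] { fs::write(dir.join("libfoo.so"), b"identical bytes")?; }
    fs::write(base.join("app.conf"), b"base copy")?;
    fs::write(editor.join("app.conf"), b"editor copy")?;
    let linked = dedup(&root.join("base"), &root.join("editor"))?;
    let shared = inode(&base.join("libfoo.so"))? == inode(&editor.join("libfoo.so"))?;
    let distinct = inode(&base.join("app.conf"))? != inode(&editor.join("app.conf"))?;
    fs::remove_dir_all(&root)?;
    Ok((linked, shared, distinct))
}

fn main() { println!("{:?}", demo()); }
```

Because both paths now name one inode, a write through either is visible in both trees, so a deduplicated tree is only safe to share when containers cannot write through those paths.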

Manual

An online version of the user manual is viewable here.

Build requirements

Rust 1.72 or later is required to build, along with the following libraries provided by your distribution:

libalpm>=14, libseccomp, libzstd

Packaging requirements

The following Arch Linux packages (or your distribution's equivalent) are required for build-time artefacts:

bash, busybox, coreutils, fakeroot, fakechroot

Distribution support

Although this project aims to be distribution agnostic, at present only Arch-based distributions are supported. In future it should be possible to support other distributions.

Dependencies

~15–28MB
~428K SLoC