How can I create a container with podman that runs graphical application in isolation from the file system?

Is there a way to create a container with podman that shares few resources with the host such as the network and display so that it can run graphical desktop applications? With toolbox this is possible, but too many resources are shared with the host (especially the filesystem). The user’s folder must not be touched by applications running in the container.

3 Likes

Sorry for the late reply.
I found an old remark in my note-taking software (Rednote, for the record :slight_smile:), dating back to when Toolbox did not yet exist.

podman run \
--net host -v /etc/localtime:/etc/localtime:ro \
-v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=:0 \
--security-opt label=type:container_runtime_t \
--name test -ti fedora \
/bin/bash

This snippet doesn’t take into account Wayland btw. However if I install xclock, it works.

5 Likes

Prior to podman, systemd-nspawn was used (although as root), and building a container and binding a different /home was possible. Can this be done with podman?

2 Likes

As far as I know, a program under podman is executed as root within its own container without access to the outer filesystem. At container creation, you can map any folder to $HOME within the container using the “-v” option. Using rootless containers, the “root” user within the container is mapped to the user who started podman in the outside filesystem.

3 Likes

With this command you can run applications inside a container using a Wayland session:

podman run -it --network host --env DISPLAY --security-opt label=type:container_runtime_t --name myContainer fedora

But now the problem is that if you want to use the application as a non-superuser you have to do some other steps. (I know there’s a command like podman unshare to modify the user namespace.)
I’ve also read on the Red Hat website and in the Linux manual that security-opt is used to define what type of policy (speaking about permissions) is applied to your container. I need some time to investigate :grinning_face_with_smiling_eyes:

3 Likes

See also https://discussion.fedoraproject.org/t/how-to-run-a-gui-app-in-a-podman-container/72970 for how to use it as an ordinary user, and with X11. It should be easy enough to trim the X11 bits.

4 Likes
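The two posts above (the rootless mapping of the container user onto the host user, and the Wayland variant of the run command) can be combined into one rootless "podman run" that shares only the network, the Wayland socket and a dedicated directory mounted as the container's home, so the real home directory is never exposed. The script below is an added example, not code from the thread or from the Fedora discussion linked above; the container path /home/app, the callback names, the image and the mount layout of the Wayland socket are illustrative assumptions, and --security-opt label=type:container_runtime_t is carried over from the earlier posts:

```shell
#!/bin/sh
# Added example (not from the thread). Builds the argument list for a rootless
# "podman run" that shares only the network, the Wayland socket and a dedicated
# directory (mounted as the container's home) with the host, so the user's real
# home directory stays untouched. /home/app, the image name and the socket
# mount layout are illustrative assumptions.

# Usage: gui_container_args CALLBACK HOME_DIR IMAGE [COMMAND...]
# Validates the inputs, assembles the podman arguments and hands them to
# CALLBACK as positional parameters. Returns 1 without printing anything when
# HOME_DIR is the real $HOME or an ancestor of it (/, /home, ...), or when no
# Wayland session is available in the environment.
gui_container_args() {
    cb=$1; home_dir=$2; image=$3; shift 3

    # Refuse to hand the real home directory (or a parent of it) to the
    # container. HOME_DIR is expected without a trailing slash.
    case $home_dir in
        "$HOME") return 1 ;;
        /) return 1 ;;
    esac
    case $HOME in
        "$home_dir"/*) return 1 ;;
    esac

    # The compositor listens on $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY on the host.
    [ -n "$XDG_RUNTIME_DIR" ] && [ -n "$WAYLAND_DISPLAY" ] || return 1
    sock=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY

    set -- \
        --rm -it \
        --network host \
        --userns=keep-id \
        --cap-drop=all \
        --security-opt no-new-privileges \
        --security-opt label=type:container_runtime_t \
        -v "$sock:/tmp/$WAYLAND_DISPLAY" \
        -e XDG_RUNTIME_DIR=/tmp \
        -e WAYLAND_DISPLAY \
        -v "$home_dir:/home/app" \
        -e HOME=/home/app \
        -w /home/app \
        "$image" "$@"
    "$cb" "$@"
}

# Callback for a dry run: print the argument list, one item per line.
print_args() { printf '%s\n' "$@"; }

# Callback that actually starts the container.
run_podman() { podman run "$@"; }

# Run as: sh gui-container.sh "$HOME/containers/app-home" fedora xclock
if [ "$#" -gt 0 ]; then
    mkdir -p "$2"
    gui_container_args run_podman "$@"
fi
```

With --userns=keep-id the process inside runs as your own uid rather than as the container's root, so it can connect to the compositor socket and write to the dedicated home without any chown or podman unshare step. The caveats are the ones the thread already hints at: --network host removes network isolation, and label=type:container_runtime_t runs the container in the runtime's own SELinux domain, which is broader than the usual container_t and is what lets it reach the host's socket.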

I want to thank you for all the answers you have given me.

I would like to explain why I raised this question of containers.
A user may need to use an application that is present neither on Flathub nor in the Fedora repositories. It is understood that in this case the application (coming from third parties) may not be safe and may harm the system. So it might be reasonable to install and run an application in a (completely) isolated environment while sharing a minimum of hardware resources (keyboard, mouse, screen, audio, USB devices, and so on …).

So I came to a conclusion: use virtual machines. They are not the solution to everything but in these cases I think it is the simplest thing to do.

I got along very well with virt-manager. To install it, open the terminal and type:
rpm-ostree install virt-manager
and restart the system.

One last tip: if someone needs to pass even large files to and from the virtual machine, just use an external hard disk (or a fairly large device) and do USB redirection. It is recommended that you avoid changing permissions with SELinux, for security reasons, unless you know what you are doing.

Some advantages of virtual machines in brief:

  • completely isolated
  • they can be migrated from one computer to another (it’s a copy of a large file)
  • possibility to take snapshots
  • a virtual machine is a single file: if you delete it, there are no parts of it scattered here and there on the file system

thanks again and I hope this can be useful to everyone :wink: