kernc | 4 months ago

> alias npm=...

I use sandbox-run: https://github.com/sandbox-utils/sandbox-run

The above simple alias may work for node/npm, but it doesn't generalize to many other programs available on the local system, with resources that would need to be mounted into the container ...

ashishb|4 months ago

> The above simple alias may work for node/npm, but it doesn't generalize for many other programs that are available on the local system, with resources that would somehow have to get mounted into the container ...

Thanks. You are right, running inside Docker won't always work for local commands. But I am not even using local commands.

In fact, I have removed `yarn`, `npm`, and several similar tools already from my machine.

It is best to run them inside Docker.

> I use sandbox-run: https://github.com/sandbox-utils/sandbox-run

How does this work if my local command is a macOS binary? How will it run inside a Docker container?

fingerlocks|4 months ago

Or use ‘chroot’. Or run it as a restricted owner with ‘chown’. Your grandparents' solutions to these problems still work.

roryirvine|4 months ago

That'll still allow access to env vars, and interact with other processes owned by the same user.

At the very least, you really need to add process isolation / namespacing as well - at which point it's going to be easier to just use the sandboxing / containerisation tool of your choice to manage it all for you.
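
An added example, not written by any commenter in this thread: a small Linux-only check to run from inside whatever wrapper is being evaluated (chroot, restricted user, container), reporting the two exposures named in the last comment, inherited secret-looking env vars and visible processes of the same user. The name pattern and function names are assumptions made for this sketch.

```python
import os
import re

# Constructed heuristic for "secret-looking" variable names; not a standard list.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY|CREDENTIAL)", re.I)


def leaked_env_names(env):
    """Names of inherited environment variables that look like secrets."""
    return sorted(name for name in env if SECRET_NAME.search(name))


def visible_peer_pids(proc_root="/proc", uid=None, self_pid=None):
    """PIDs of other processes owned by `uid` that are visible under proc_root.

    Returns None when proc_root is absent (for example a chroot with no /proc
    mounted). That means "unknown", not "isolated": without a PID namespace
    the same user can still signal those processes.
    """
    uid = os.getuid() if uid is None else uid
    self_pid = os.getpid() if self_pid is None else self_pid
    if not os.path.isdir(proc_root):
        return None
    peers = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit() or int(entry) == self_pid:
            continue
        try:
            if os.stat(os.path.join(proc_root, entry)).st_uid == uid:
                peers.append(int(entry))
        except OSError:
            continue  # process exited between listdir() and stat()
    return sorted(peers)


def isolation_report(env=None, proc_root="/proc", uid=None, self_pid=None):
    """Summarise what the current execution context still exposes."""
    env = os.environ if env is None else env
    return {
        "secret_env": leaked_env_names(env),
        "peer_pids": visible_peer_pids(proc_root, uid, self_pid),
    }


if __name__ == "__main__":
    print(isolation_report())
```

A plain chroot or a restricted user will typically still show entries in both fields; a wrapper that clears the environment and uses a PID namespace should show an empty `secret_env` and no `peer_pids`.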