I would also recommend looking into NixOS reproducible builds, which allows declaratively specifying the entire system configuration and precisely defining which packages are installed, their versions, and dependencies. The OS remains immutable and consistent. A quite powerful tool for creating a secure and minimalistic workstation environment.
https://nixos.org/
https://blog.jessfraz.com/post/docker-containers-on-the-desk... is the one I remember, a bit old but still useful to see how she does it.
Seems super painful and indirected for a nebulous gain to me, but find your joy however you want I guess
I have written dew (https://github.com/efrecon/dew) for more or less the same purpose. I hardly keep any binary (and dependency) in my installation; they are all inside containers that I can easily dispose of at any time. The default in dew is to run them as your user. At the command prompt, instead of running, for example, kubectl xxx, I run dew kubectl xxx. It's a bit slower but provides an increased level of security.
No, I don't think you're missing anything, other than you'd only mount the directories you want the tool / development environment to have access to. Take for instance the `npm` command [1], it mounts `$PWD` so if you install a compromised package then it can go through the folder you're in, but it can't then go up directories and sniff around your home directory. It would also only have access to the environment variables that have been configured for the container, which in this case would also include AWS credentials.
1 - https://github.com/yapret/toolship/blob/main/src/node/functi...
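The pattern described in the two comments above (a per-tool wrapper that runs the binary in a disposable container as your own user, mounting only `$PWD` and passing only a chosen set of environment variables) can be sketched as a small POSIX shell wrapper. This is an added example, not code from dew or from toolship; it assumes `docker` (or a CLI-compatible runtime such as podman aliased to it) is on `PATH`, and the image name and the `SANDBOX_ENV` allowlist are placeholders you would set for your own tools.

```shell
#!/bin/sh
# Run a CLI tool inside a throwaway container that sees only the current
# directory and an explicit allowlist of environment variables.
# Example code added for illustration; not part of dew or toolship.

# Host variables the container may receive. Anything not listed (tokens
# exported in your shell, SSH_AUTH_SOCK, ...) stays on the host. The
# defaults below are placeholders chosen for this example.
SANDBOX_ENV="${SANDBOX_ENV:-TERM AWS_PROFILE AWS_REGION}"
# Network is off by default; set SANDBOX_NET=bridge for e.g. `npm install`.
SANDBOX_NET="${SANDBOX_NET:-none}"

# Print "--env NAME" for each allowlisted variable that is actually set,
# so that unset names never turn into empty variables in the container.
sandbox_env_flags() {
    for name in $SANDBOX_ENV; do
        # Only accept valid identifiers; this keeps the eval below safe.
        case "$name" in
            *[!A-Za-z0-9_]*|[0-9]*) continue ;;
        esac
        if eval "[ -n \"\${$name+set}\" ]"; then
            printf '%s %s\n' --env "$name"
        fi
    done
}

# sandbox_run IMAGE TOOL [ARGS...]
# Mounts $PWD at /work, runs as the calling uid/gid, drops all capabilities,
# uses a read-only root filesystem and the env allowlist above.
# With SANDBOX_DRY_RUN set, prints the docker command instead of running it.
sandbox_run() {
    image="$1"; tool="$2"; shift 2
    tty_flag=""
    [ -t 0 ] && tty_flag="-t"
    set -- run --rm -i $tty_flag \
        --user "$(id -u):$(id -g)" \
        --cap-drop ALL --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        --network "$SANDBOX_NET" \
        --volume "$PWD:/work" --workdir /work \
        $(sandbox_env_flags) \
        "$image" "$tool" "$@"
    if [ -n "$SANDBOX_DRY_RUN" ]; then
        printf '%s\n' "docker $*"
    else
        docker "$@"
    fi
}

# Typical use from a project directory (image name is a placeholder):
#   sandbox_run docker.io/library/node:20 npm test
#   SANDBOX_NET=bridge sandbox_run docker.io/library/node:20 npm install
```

Because the wrapper mounts only `$PWD`, a malicious package can read and write the project tree but cannot walk up into `~/.ssh` or `~/.aws`; what it can still reach is whatever you put in `SANDBOX_ENV`, so keep that list to what the tool genuinely needs.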
Firejail can also be a useful option, though no good if you're on Mac https://firejail.wordpress.com/
Uses the same Linux primitives as docker etc, but can be a bit more ergonomic for this use case
I'm running silverblue but running my containers through distrobox. Both toolbox and distrobox are running on podman under the hood, so it's the same technology as far as I understand. However, distrobox has some interesting features relevant to this idea of development isolation. One is that it has an assemble feature[1] built-in, where you can feed it a recipe file and it will build or rebuild containers accordingly. The other is that it allows setting a custom home directory for the container, among other host/container isolating options[2].
Performance-wise my containers take a couple MiB of RAM and no perceptible CPU usage when not in use. At least as far as I can tell.
[1] https://github.com/89luca89/distrobox/blob/main/docs/usage/d...
[2] https://github.com/89luca89/distrobox/blob/main/docs/usage/d...
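To make the two distrobox features in the comment above concrete, here is an added example (not distrobox's own code or documentation) that writes an assemble manifest for a dev container with a separate home directory and the host/container unsharing options, and refuses to generate one that points at the host's real `$HOME`. The manifest keys used (`image`, `home`, `additional_packages`, `pull`, `unshare_ipc`, `unshare_process`, `unshare_devsys`, `unshare_netns`) are assumed to match the distrobox assemble format; check them against the documentation for your installed version.

```shell
#!/bin/sh
# Generate a distrobox assemble manifest for an isolated development
# container. Example code added here; not distrobox's own.
# Assumption: manifest keys follow the distrobox assemble documentation.

# write_manifest NAME IMAGE HOME_DIR OUTFILE
# The separate home keeps ~/.ssh, ~/.aws, shell history and dotfiles of
# the host out of the container; the unshare_* keys additionally separate
# IPC, the process tree and /dev + /sys. Network stays shared so package
# installs inside the container keep working.
write_manifest() {
    name="$1"; image="$2"; home_dir="$3"; out="$4"
    if [ "$home_dir" = "$HOME" ]; then
        echo "refusing: container home must not be the host home ($HOME)" >&2
        return 1
    fi
    case "$home_dir" in
        /*) ;;
        *) echo "refusing: home must be an absolute path" >&2; return 1 ;;
    esac
    cat >"$out" <<EOF
[$name]
image=$image
home=$home_dir
additional_packages="git build-essential"
pull=true
unshare_ipc=true
unshare_process=true
unshare_devsys=true
unshare_netns=false
EOF
}

# Create (or recreate) the container from the manifest when distrobox is
# installed; otherwise just leave the manifest on disk.
assemble_if_available() {
    manifest="$1"
    if command -v distrobox >/dev/null 2>&1; then
        distrobox assemble create --file "$manifest"
    else
        echo "distrobox not found; manifest written to $manifest" >&2
    fi
}

# Example (paths and image are placeholders):
#   write_manifest devbox docker.io/library/ubuntu:22.04 "$HOME/.local/share/devbox-home" ./distrobox.ini
#   assemble_if_available ./distrobox.ini
```

The home directory only needs to be a separate path; putting it under `~/.local/share` as in the usage comment keeps it per-user without sharing the rest of your home with the container.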