podenv: a container wrapper
Note that this is a work in progress; please get in touch if you are interested.
Podenv provides a declarative interface to manage containerized applications. Using rootless containers, podenv lets you run applications seamlessly.
Overview and scope
The goal of podenv is to implement a modern application launcher:
- High-level capability system
- Multiple runtimes
- VPN network namespace
- Functional configuration
- Simple to use
Podenv differs from toolbx or flatpak:
- Isolation by default: network or home directory access needs to be explicitly enabled.
- Unopinionated runtime: applications are provided by distro packages or Containerfile.
- High level command line interface.
Features
<a name="capabilities"></a>Capabilities
Share resources with simple toggles:
- --wayland graphical display.
- --pipewire access audio and video streams.
- --dbus share the dbus session.
- See the full list in this configuration schema: Capabilities.Type
Mount directories with smart volumes:
- --volume ~ share the home directory.
- --volume web:~ use a volume named web for the container home.
- --hostfile ./document.pdf share a single file.
<a name="runtimes"></a>Container Runtimes
Podenv works with multiple container runtimes:
- Podman for image and Containerfile.
- Bubblewrap for local rootfs and Nix Flakes.
The runtime integration is decoupled from the application description so that more options can be added in the future.
<a name="namespaces"></a>Namespace
Applications can share resources using the --namespace NAME option.
For example, a browser application can be attached to the network of a VPN application.
Check out the Configure a VPN howto.
<a name="namespaces"></a>Configuration
Applications are user-defined with functional and reusable expressions:
Firefox with a fedora container
(env:PODENV).Application::{
, name = "firefox"
, description = Some "Mozilla Firefox"
, runtime = (env:PODENV).Hub.fedora.useGraphic [ "firefox" ]
, command = [ "firefox", "--no-remote" ]
, capabilities = (env:PODENV).Capabilities::{ wayland = True, network = True }
}
The fedora useGraphic function defines a custom Containerfile:
\(pkgs : List Text) ->
(env:PODENV).ContainerBuild::{
, containerfile =
''
FROM fedora:latest
RUN dnf install -y mesa-dri-drivers pipewire-libs
RUN dnf update -y
RUN dnf install -y ${concatSep " " pkgs}
''
, image_home = Some "/home/fedora"
, image_update = Some "dnf update -y"
}
The graphic packages layer is shared by the other apps.
Nix Flakes
Podenv supports the Nix installables syntax:
(env:PODENV).Application::{
, name = "polyglot"
, description = Some "Tool to count lines of source code."
, runtime = (env:PODENV).Nix "github:podenv/polyglot.nix"
, capabilities = (env:PODENV).Capabilities::{ cwd = True }
}
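Because capabilities stay off unless a definition enables them, a review of application definitions can start by listing what each one turns on. The following Python script is an added example, not part of podenv or its documentation: it scans definition text for the Capabilities records shown above. The sample input is constructed from the two definitions on this page, and the REVIEW set and the function names are assumptions of the example.

```python
import re

# Constructed sample: the two application definitions shown above, in one text.
SAMPLE = '''
(env:PODENV).Application::{
, name = "firefox"
, runtime = (env:PODENV).Hub.fedora.useGraphic [ "firefox" ]
, capabilities = (env:PODENV).Capabilities::{ wayland = True, network = True }
}
(env:PODENV).Application::{
, name = "polyglot"
, runtime = (env:PODENV).Nix "github:podenv/polyglot.nix"
, capabilities = (env:PODENV).Capabilities::{ cwd = True }
}
'''

# Assumption of this example: capabilities a reviewer wants called out.
REVIEW = {"network", "cwd"}
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]+)"')
FLAG_RE = re.compile(r'(\w+)\s*=\s*(True|False)\b')

def block_after(text, marker, start=0):
    """Return (body, end) of the brace-balanced block opened by marker, else None."""
    i = text.find(marker, start)
    if i < 0:
        return None
    begin = k = i + len(marker)  # marker ends with the opening '{'
    depth = 1
    while k < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[k], 0)
        k += 1
    return None if depth else (text[begin:k - 1], k)

def audit(text):
    """Map each application name to the capabilities literally set to True.
    Reads literal records only; imports and computed values are not evaluated."""
    report, pos = {}, 0
    while (found := block_after(text, "Application::{", pos)):
        body, pos = found
        name = NAME_RE.search(body)
        caps = block_after(body, "Capabilities::{")
        flags = FLAG_RE.findall(caps[0]) if caps else []
        report[name.group(1) if name else "<unnamed>"] = sorted(f for f, v in flags if v == "True")
    return report

def needs_review(report):
    """Keep only applications that enable a capability listed in REVIEW."""
    return {a: [c for c in caps if c in REVIEW] for a, caps in report.items() if REVIEW & set(caps)}
```

An application with no Capabilities record is reported with an empty list, which matches the isolation-by-default behaviour described in the overview.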
Hub
By default, podenv uses the hub collection.
Run podenv --list to see the available applications.
<a name="usages"></a>Usage
Podenv provides a simple command line: podenv [--caps] application-name [args].
Check out the tutorials for examples.
Documentation
Podenv documentation is organized into the following four sections:
Tutorials
These guides help you get your hands dirty with working examples:
Howtos
These cookbooks teach you how to solve specific tasks:
Discussions
These posts explain the context and motivation behind this tool:
References
These comprehensive resources cover details that other texts will gloss over:
