Hello Thorsten,

Regarding the discussion about container isolation, I wanted to point you to an alternative to Docker called "Podman" which is designed with a strong focus on rootless containers and enhanced isolation.

You might find the following resource helpful: https://www.redhat.com/en/blog/rootless-containers-podman. It provides an overview of Podman and its capabilities for running containers without elevated privileges, offering more robust isolation options compared to `--privileged` Docker runs.

Note that podman is packaged and reasonably up to date in Debian trixie.

I hope this information is useful for your testing needs.

Best regards,
Reinhard

On Sat, Aug 23, 2025 at 2:03 PM Thorsten Glaser <[email protected]> wrote:

> Hello Tianon,
>
> >I'd describe the "--privileged" flag you're using in this context is
> >"please, Docker, remove ALL security/isolation"
>
> this is certainly NOT something that comes across. I got the impression
> that it merely allows some more things *inside* the chroot.
>
> >You very, very certainly want a more specific set of "--cap-add" and
>
> Yes, probably, but it doesn’t make it easy for me to know how/which.
>
> >"--device" flags if you want even a semblance of security in your
> >deployment.
>
> I don’t *have* a “deployment”. I need to run some commands inside
> some random container, that’s all.
>
> Thanks,
> //mirabilos
> --
> 15:41⎜<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld
> :-)
>

--
regards,
Reinhard
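
On the question raised in the quoted exchange of which `--cap-add` flags to use instead of `--privileged`: one way to find out is to read the `CapEff` mask from `/proc/<pid>/status` inside the container and decode it. The following is an added example, not part of the e-mail thread; the two status snippets are constructed samples, and the function names and the workload are hypothetical.

```python
# Added example (not from the thread): decode CapEff from /proc/<pid>/status.
# Bit positions follow linux/capability.h, bits 0..40.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed samples of the relevant /proc/<pid>/status line: the first mask
# is Docker's default 14 capabilities, the second has all 41 bits set.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"


def cap_eff(status_text):
    """Return the effective-capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def decode(mask):
    """Names of the capabilities set in mask; unknown high bits as 'bitN'."""
    names = [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    extra = range(len(CAP_NAMES), mask.bit_length())
    return names + [f"bit{i}" for i in extra if mask >> i & 1]


def cap_add_flags(needed, baseline):
    """--cap-add flags for capabilities in needed that baseline lacks."""
    return [f"--cap-add={n}" for n in decode(needed & ~baseline)]


if __name__ == "__main__":
    default = cap_eff(DEFAULT_STATUS)
    privileged = cap_eff(PRIVILEGED_STATUS)
    print("extra with --privileged:", decode(privileged & ~default))
    # Hypothetical workload needing mount(2) and mknod(2): only SYS_ADMIN
    # is missing from the default set, MKNOD is already there.
    needed = 1 << CAP_NAMES.index("SYS_ADMIN") | 1 << CAP_NAMES.index("MKNOD")
    print(" ".join(cap_add_flags(needed, default)))
```

`CapEff` covers capabilities only; `--privileged` also opens up device access, which is why the quoted advice pairs `--cap-add` with `--device`.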

