Comment by embedding-shape

9 hours ago

Most of those things are what happens by default. Sure, be careful, but by default it's secure enough to prevent most potential issues. No need to lock down file access for example, by default it only has access to files inside the container, and of course by default containers don't have access to start other containers, and so on.

Good word of caution though, make sure you actually isolate when you set out to isolate something :)

4 comments

embedding-shape

chrisweekly 6 hours ago

I've just discovered and started using smolmachines^1 which actually have the requisite isolation.

1. https://smolmachines.com

embedding-shape 6 hours ago
As mentioned, "podman/docker run -it $my-image codex" also actually has the requisite isolation by default, no need for special software. Biggest risk is accidental deletion of stuff, easily solved without running an entire VM, which "smol" machines seems to be. No doubt VMs have their uses too, but for simple isolation like this I personally rather use already existing tooling.
- chrisweekly 3 hours ago
  
  Ok, YMMV, but a smolvm provides macOS-native, per-workload isolation -- vs trad container depending on a daemon and relying on namespaces (w/ a shared kernel). Easy "packing" into single-file executables, and a nice SDK, make it ~ideal for my needs; great balance of security:convenience.
  https://smolmachines.com/#comparison
  
  1 reply →