~amk/bwrap-openrc

bubblewrap your openrc services
supervise processes
ro-bind /etc/ssl by default

refs

master
browse  log 

clone

read-only
https://git.sr.ht/~amk/bwrap-openrc
read/write
git@git.sr.ht:~amk/bwrap-openrc

You can also use your local clone with git send-email.

#Bubblewrapped OpenRC scripts

This is a script to semi-easily bubblewrap your openrc scripts.

This is not very tested yet and I am quite bad at writing shell scripts so its probably not the best to use :)

#Bubblewrap a script

To create a bubblewrapped script symlink the bwrap service to something like bwrap.$servicename

cd /etc/init.d
ln -s bwrap bwrap.servicename

Then copy the bwrap config file in /etc/conf.d/bwrap to /etc/conf.d/bwrap.servicename and configure it.

#Example configuration for the Gonic music server

# user/group to run the service as
user=gonic
group=gonic
# the command that should be wrapped
wrapped_command="/usr/bin/gonic"
# the arguments passed to the wrapped command
wrapped_args="-music-path=/media/music -podcast-path=/media/podcasts -db-path=/var/lib/gonic/gonic.db -cache-path=/var/cache/gonic/"

# mounts that will be read only for the service
read_only_mounts="
/media/music
/media/podcasts
"

# writable mounts for the service
mounts="
/var/lib/gonic
/var/cache/gonic
"
# paths to check exist before starting the service in the format, passed to `checkpath`
# MODE PATH FILE_TYPE (f for file, d for directory)
checked_paths="
0755 /var/lib/gonic d
0755 /var/cache/gonic d
"

#Attributions

Inspiration from qemu-openrc: https://github.com/jirutka/qemu-openrc/