toolbox icon indicating copy to clipboard operation
toolbox copied to clipboard
verified publisher icon containers

Isolate $HOME directory via snapshot and overlay

Open buzmeg opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? Please describe. Lots of people are complaining about not being able to isolate $HOME as effectively as the operating system itself.

See: #183 #348 #1470

I'm no different. Overriding $HOME and using aliases eases some of the pain, but they're just papering over the underlying problem that people want some level of immutability around their $HOME directory.

Describe the solution you'd like What I would like to be able to do is:

  1. Snapshot $HOME upon creation of the toolbox
  2. All changes to $HOME should either be to that snapshot or (preferably) a toolbox specific overlay on top of that snapshot.

This consolidates the use cases that I can see:

  1. Existing standard -- $HOME shared between host and toolbox via underlying filesystem
  2. Existing overridden -- $HOME gets set by host and carried into toolbox via underlying filesystem
  3. Blank $HOME to same directory name as host--toolbox is accessing an overlay with no underlying snapshot
  4. Populated $HOME to same directory name as host--toolbox is accessing an overlay with a snapshot of host $HOME

Note that an overlay should allow other cases as well: 5) Blank $HOME to overridden directory name--toolbox is still just accessing an overlay with no underlying snapshot 6) Populated $HOME to overridden directory name as host--toolbox is accessing an overlay with a snapshot of overridden $HOME 7) Purely immutable or resettable $HOME--snapshot access only

Additional context Another advantage would be that the host can copy files into the toolbox by copying them to the toolbox overlay. This would make setting up a toolbox extremely repeatable (especially if the initial snapshot was blank).

Thanks.

buzmeg avatar Jun 12 '24 22:06 buzmeg

Just to add another point to it. Containers are great for creating isolated dev environments, for messing with code, where a rogue script could mess with the rest of the system. Or a rogue AI tool, which is getting more popular with all those agentic workflow. Exposing $HOME to all that stuff is risky (I don't want to loose all my $HOME because of a failed AI guardrail).

Adding $HOME isolation to Toolbox will make it better suitable for dev workflows.

elgris avatar Jan 06 '26 17:01 elgris