isodude's comments

Why not resolve everything with UNIX sockets instead? That way you can have them named and scoped, hiding behind port 443, since it's mostly HTTP anyway.

Does this work in the browser? How will paths to different resources used by the web app work?

It depends on how you register things.

* Given that you can easily start up your own CA in a test bed, just use different domain names.

* Or use IP addresses directly; given that IPv6 is pretty abundant, it's easy to just listen on many addresses at the same time. A nice thing is to just put the port number in the last octets: fd01::9000, fd01::0003:5565. If it's HTTPS you always use port 443; if it's another protocol, use another port. With iptables/nft you can translate all port 443 traffic towards a /96 to a single IP.

* Firefox does not seem to understand unix domain sockets, https://news.ycombinator.com/item?id=27941552. I'm assuming that you have a gateway in front that handles that aspect.

* Proxies in Firefox seem to understand that though, which means you can have a proxy that translates to unix sockets locally. That means you can basically run it to a namespaced application, using only http://<service>.localhost.


Works with curl; maybe there is a case to either build a proxy for UDS and expose them to a browser, or open a request ticket to browser maintainers to support UDS.

What are they up to now, I wonder.


So now you can send a malware markdown to just agents.


Nitpick: it should be `touch a c & mv a b & mv c d`, as `&;` returns "bash: syntax error near unexpected token `;'". I always find this oddly weird, but that would not be the first pattern in BASH that is.

`inotifywait` actually sees them in order, but nothing ensures that it's that way.

  $ inotifywait -m /tmp
  /tmp/ MOVED_FROM a
  /tmp/ MOVED_TO b
  /tmp/ MOVED_FROM c
  /tmp/ MOVED_TO d

`stat` tells us that the timestamps are equal as well.

  $ stat b d | grep '^Change'
  Change: 2026-02-06 12:22:55.394932841 +0100
  Change: 2026-02-06 12:22:55.394932841 +0100

However, speeding things up changes it a bit.

Given

  $ (
    set -eo pipefail
    for i in {1..10000}
    do
      printf '%d ' "$i"
      touch a c
      mv a b &
      mv c d &
      wait
      rm b d
    done
  )
  1 2 3 4 5 6 .....
And with `inotifywait` I saw this when running it for a while.

  $ inotifywait -m -e MOVED_FROM,MOVED_TO /tmp > /tmp/output
  cat /tmp/output | xargs -l4 | sort | uniq -c
  9104 /tmp/ MOVED_FROM a /tmp/ MOVED_TO b /tmp/ MOVED_FROM c /tmp/ MOVED_TO d
  896 /tmp/ MOVED_FROM c /tmp/ MOVED_TO d /tmp/ MOVED_FROM a /tmp/ MOVED_TO b


When will Cloudflare actually split into several totally independent companies to remedy that they bring down the Internet every time they have a major issue?


This did not age well!


I am trying to build a local setup where I spawn dockers (fetched via skopeo) as systemd-nspawn machines in userland (rootless), with the network managed by a service that uses netkit devices to set up the network in their empty network namespaces. I am looking at using Sommelier to manage wayland.

The end goal is to have a laptop with an easy way to build lab environments which is secure and rootless.


Only give positive feedback when they are doing the thing you want them to. Absence of positive feedback is as effective as negative feedback, with the positive effect of extracting the change you want instead of placing the change upon the person.


That sounds a lot like manipulation. Like you train dogs.


Is it though? I would imagine the person wanting to change instead of being forced. Where would you draw the line?


I think that pledge[0] offers that functionality.

[0] https://github.com/jart/pledge


A nice thing I found is that if you do (which I see they did not in the examples)

  # ProtectSystem=
you can do

  TemporaryFileSystem=/:ro
  BindReadOnlyPaths=/usr/bin/binary /lib /lib64 /usr/lib /usr/lib64 <paths you want to read>
And essentially just include the binary and the paths you want available. ProtectSystem= is currently not compatible with this behavior.

EDIT: More info here: https://github.com/systemd/systemd/issues/33688
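To make the bind list tighter than whole library directories, here is an added shell helper (not from the thread or from systemd) that turns `ldd` output into a drop-in using the same two directives; the binary path and the sample `ldd` lines are constructed.

```sh
#!/bin/sh
# Added example: build a [Service] drop-in that replaces / with a read-only
# tmpfs and bind-mounts only the binary plus its shared libraries.
# ldd output is read from stdin so the parsing can be exercised offline.

# Print the absolute library paths found in ldd output on stdin.
libs_from_ldd() {
  while read -r line; do
    case "$line" in
      *'=>'*) lib=${line#*"=> "}; lib=${lib%% *} ;;   # "libc.so.6 => /lib/... (0x...)"
      *)      lib=${line%% *} ;;                       # "/lib64/ld-linux-x86-64.so.2 (0x...)"
    esac
    case "$lib" in
      /*) printf '%s\n' "$lib" ;;   # skips linux-vdso and "=> not found" entries
    esac
  done
}

# Emit the drop-in for the binary given as $1; its ldd output comes on stdin.
sandbox_dropin() {
  bin="$1"
  libs=$(libs_from_ldd | LC_ALL=C sort -u | tr '\n' ' ')
  printf '[Service]\n'
  printf '# ProtectSystem= stays unset: not compatible with TemporaryFileSystem=/ (systemd issue 33688)\n'
  printf 'TemporaryFileSystem=/:ro\n'
  printf 'BindReadOnlyPaths=%s %s\n' "$bin" "${libs% }"
}

# Constructed ldd output for a hypothetical /usr/bin/binary.
SAMPLE_LDD='  linux-vdso.so.1 (0x00007ffd1c5f0000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1b000000)
  /lib64/ld-linux-x86-64.so.2 (0x00007f2a1b400000)'

# Real use: ldd /usr/bin/binary | sandbox_dropin /usr/bin/binary > override.conf
printf '%s\n' "$SAMPLE_LDD" | sandbox_dropin /usr/bin/binary
```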

