> VM to only run a browser in there, to keep the memory under control

For other Linux users out there — a VM is not needed for this, use a cgroup with memory limits. It's very easy to do with systemd, but can be done without it:

  $ systemd-run --user --pty --property MemoryHigh=2G firefox

The kernel will prevent Firefox from using more than 2 GiB of RAM by forcing it into swap (including all child processes). To quote systemd.resource-control(5):

> Specify the throttling limit on memory usage of the executed processes in this unit. Memory usage may go above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away aggressively in such cases. This is the main mechanism to control memory usage of a unit.

If you'd rather have it OOMed, use MemoryMax=2G.

It's actually very useful for torrent clients. If you seed terabytes of data (like I do), the client quickly forces more useful data out of the page cache. Even if you have dozens of gigabytes of RAM, the machine can get pretty slow. This prevents the client from doing that.

There are lots of other interesting controllers that can put limits on disk and network I/O, CPU usage, etc.
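The non-systemd variant the comment alludes to, as an added example that is not part of the thread: a small POSIX shell script that creates a cgroup v2 directory, writes memory.high (the MemoryHigh= throttle) and optionally memory.max (the MemoryMax= OOM limit), and execs the application inside it. The script name cglimit.sh, the CGROOT variable and the function names are my own; it assumes a unified cgroup v2 hierarchy and write access to the chosen parent directory.

```shell
#!/bin/sh
# Added example, not from the thread: launch a command inside a fresh cgroup v2 with a
# memory.high throttle, the non-systemd equivalent of
#   systemd-run --property MemoryHigh=2G firefox
# Assumes a unified cgroup v2 hierarchy at /sys/fs/cgroup and write access to the parent
# (root, or a subtree delegated to your user; CGROOT can point at the delegated directory).
set -eu

CGROOT="${CGROOT:-/sys/fs/cgroup}"

# Convert a systemd-style size (2G, 512M, 1024K, plain bytes, or "infinity") into the
# form cgroup v2 expects: a byte count, or "max" for no limit. Units are binary, like systemd's.
to_bytes() {
    n="${1%[KMGkmg]}"
    case "$1" in
        infinity) echo max ;;
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *) echo "$n" ;;
    esac
}

# run_limited HIGH MAX CMD...: create the cgroup, set memory.high (throttle into swap,
# like MemoryHigh=) and optionally memory.max (OOM-kill, like MemoryMax=), move this shell
# into the cgroup, then exec the command. Children inherit the cgroup, so every process the
# application forks is covered as well.
run_limited() {
    high="$1"; max="$2"; shift 2
    cg="$CGROOT/limited-$$"
    mkdir "$cg"
    # The parent must have "memory" in cgroup.subtree_control for memory.* files to exist here.
    to_bytes "$high" > "$cg/memory.high"
    if [ -n "$max" ]; then
        to_bytes "$max" > "$cg/memory.max"
    fi
    echo $$ > "$cg/cgroup.procs"
    exec "$@"
}

# Usage:  ./cglimit.sh 2G ""  firefox    (throttle at 2 GiB, like MemoryHigh=2G)
#         ./cglimit.sh 2G 3G  firefox    (throttle at 2 GiB, OOM-kill at 3 GiB)
if [ "$#" -ge 3 ]; then
    run_limited "$@"
fi
```

The cgroup directory is left behind once the application exits; rmdir it after its last process is gone, or the leftover directories accumulate under CGROOT.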

> cgroup with memory limits. It's very easy to do with systemd, but can be done without it

I prefer lxd for GUI programs personally. While it is probably a tad more effort initially to set up the X11 profile to get GPU acceleration, once that is done you can pop everything into its own Linux container using that profile. From there you can control resource limits permanently.

I especially like it for intrusive apps such as Discord, Zoom, etc., which are hard to escape from.

For GUI applications, firejail might be easier to use. It too isolates applications from your system, but comes with a bunch of pre-configured profiles for many popular applications (including proprietary ones), thus requiring zero configuration.

Some of its more interesting features (in addition to the obvious path/privilege restrictions):

- putting the application into a separate network namespace with its own firewall rules/network interfaces (for example, you can force Firefox to work through a VPN connection only, or block incoming connections with your main firewall rules and allow them for a single application)

- using a separate X server for each application (works pretty much transparently)

- setting resource limits (network bandwidth, memory, CPU, I/O; although not as flexible as systemd limits, they can be combined)

- running `sudo firecfg` once will create a bunch of symlinks for all applications installed on your system and supported by firejail. After that, those applications will run under a sandbox automatically. Or you can create them manually (I did it for the PDF reader and such).

https://github.com/netblue30/firejail/