[HN Gopher] Running GUI apps within Docker containers
___________________________________________________________________
Running GUI apps within Docker containers
Author : rl1987
Score : 274 points
Date : 2022-03-26 09:19 UTC (13 hours ago)
(HTM) web link (www.trickster.dev)
(TXT) w3m dump (www.trickster.dev)
| janjones wrote:
| This is also supported directly in VSCode Dev Containers by using
| just a feature switch[1]
|
| [1] https://github.com/microsoft/vscode-dev-
| containers/blob/main...
| RVuRnvbM2e wrote:
| This is what Flatpak (https://flatpak.org/) is designed for.. why
| would you use docker?
| sascha_sl wrote:
| Because Flatpak imposes some design choices that are... less
| than optimal for porting existing applications, and if you ask
| them to change maintainers will insist this is the way to go.
|
| They have told users that if they want, for instance, Jetbrains
| IDEs to work, they should simply get a Job at Jetbrains and
| convince them to rewrite their entire IDE to support the
| flatpak model.[1]
|
| This is the reason I avoid distros with Flathub enabled by
| default. Half the software on there is broken in some pretty
| subtantial way, and nobody at Flatpak or Flathub cares. They
| really need to realize they're not Apple, they simply can't
| tell everyone to do things their way and hope to build a
| working and reliable ecosystem.
|
| They have the equivalent to snap's classic confinement, but it
| needs to be explicitly enabled every time you launch an app.
|
| [1]: https://github.com/flathub/com.jetbrains.IntelliJ-IDEA-
| Commu...
| AnIdiotOnTheNet wrote:
| Seems like just allowing the user to specify 'unconfined' as
| an override. Then the user would just need to do that with
| flatseal. Alternatively, and with much more needless
| complication, some kind of fuse-mounted /bin directory that
| acts as a portal could be used. Point is there are solutions
| that don't require huge perversions of the Flatpak model and
| also don't require Jetbrains to rewrite everything.
|
| Personally I like that the Linux Desktop community is finally
| starting to wake up to the idea of universal application
| distribution that doesn't require armies of unpaid third
| party maintainers, and while Flatpak is definitely not
| perfect it is, in my opinion, a huge step forward in that
| regard[0].
|
| [0] Not that the idea is really that new, there have been
| many attempts at bringing sanity to Linux application
| distribution, many of them better (IMO), but they've just
| never really been embraced by the community the way Flatpak
| has.
| sascha_sl wrote:
| That's the problem, the flatpak developers outright refuse
| to compromise.
|
| The person I linked above is in fact a flatpak maintainer.
|
| Also, I hate they are shipping broken software. Almost
| nothing in that IDE works properly, yet Fedora now shows it
| by default when I search software.
|
| At least snaps work most of the time.
| jcastro wrote:
| IDEs usually expect/require access to all sorts of things
| on the host, things like vscode can be used to use remote
| container support on the host, etc. but it's still an
| area that needs improvement.
|
| Personally I just layer my IDEs with ostree as a
| compromise.
| throwaway82652 wrote:
| You're under the impression that they can compromise
| here, when this is false. That's a misreading of that
| comment. The "compromise" used by snap is to just not
| have sandboxing at all. Mounting /bin fundamentally
| breaks the sandboxing, it's never going to work. The only
| other option is to change the entire OS to support this
| (and maybe the kernel too), and that's going to break
| everything even more. You'll have the same problem
| attempting to do this in docker.
|
| The main mistake you're making is thinking that Flatpak
| imposed this design constraint, when really it's a
| fundamental property of the underlying OS, that
| sandboxing solutions are forced to work around. It's
| possible to fix this with a distribution built in a very
| specific way like NixOS where you can theoretically mount
| different systems together, but that comes with it own
| sets of problems and things that it breaks.
| sascha_sl wrote:
| If you can't make it work, don't ship it. Please. In this
| instance, not only the Terminal is broken, but also large
| parts of code analysis, task running, compiling,
| testing... essentially all but the editor. And this
| experience is essentially universal. The next app I
| installed had sync support that didn't work because the
| sync working directory was unwritable.
|
| It makes me want to rip out flatpak from every system I
| see.
| throwaway82652 wrote:
| I agree the quality of packages on flathub is pretty
| inconsistent. That part sucks. They're all made by third
| party packagers.
|
| You could make a curated repository but that would just
| be taking flathub and removing a lot of packages.
| moody5bundle wrote:
| I am actually running a few of my daily applications, such as
| firefox, vscode, or spotify inside a podman container (rootless
| makes me feel a little safer). I build a small python script
| around it, which creates a desktop icon, tags the current version
| (so you can rollback), and updates the images after x amount of
| time. I'll clean it up and put it on github if someone is
| interested :)
| ntietz wrote:
| Please do share! I would be interested in seeing it and doing
| something similar (and use podman for the same reason).
| moody5bundle wrote:
| here you go: https://github.com/mody5bundle/capps please feel
| free to open issues and pull requests :)
| moody5bundle wrote:
| I will! cleaning up now and going to publish it later on
| github. The main idea was a least privilege approach to
| running simple desktop applications independent from the host
| OS and being able to control filesystem/network access on a
| per app basis. (spotify on fedora without flatpak or rpm-
| fusion repo's, not even sudo needed to install)
| zozbot234 wrote:
| No real need for full Flatpak, Bubblewrap (bwrap) is
| intended to be a lightweight sandbox providing this out of
| the box, with Flatpak (and other stuff besides) building
| upon it. The Arch wiki has a nice introductory page:
| https://wiki.archlinux.org/title/Bubblewrap
| moody5bundle wrote:
| Oh didn't know about bwrap yet! If i understand the wiki
| page correctly, you still need to get those binaries to
| your pc. So thats why i went with plain and simple
| dockerfiles.
| Proven wrote:
| bogwog wrote:
| Isn't this what Flatpaks are for? Idk if they use podman, but
| they do use similar sandboxing features.
|
| Having a full blown container like this can be useful in some
| scenarios, but I think it's overkill for general purpose apps.
| [deleted]
| moody5bundle wrote:
| i think they use bwrap as mentioned in a comment below. my
| use case is to restrict network access for example. Or
| running multiple firefox instances in parallel (so they dont
| have the same parent process / cookies etc.). or restrict
| memory for to 2G per container. there were just a few things
| i wanted to do that didn't quiet work with flatpak or snap.
| traverseda wrote:
| Firejail is really nice...
| TacticalCoder wrote:
| One advantage one running GUI apps within a Docker container is
| that it is, in my experience, totally trivial to put RAM/CPU
| quotas on piggy apps. Sure, you _may_ put quotas using other
| means but it can get tricky (if I 'm not mistaken it's
| particularly tricky on processes forking themselves like there's
| no tomorrow).
|
| Using a Docker container, which you may already have anyway,
| putting CPU/RAM quotas is a one-liner.
| akvadrako wrote:
| If that's all you want it's easier to use systemd-run and start
| your process as a service.
|
| I do this to put many of my resource hungry apps like FF in
| slices.
| amelius wrote:
| Can you also add bandwidth quotas?
| TacticalCoder wrote:
| That's a good question, I never tried so I don't know either.
| g8oz wrote:
| >> _" This would provide a degree of protection against social
| media platform cracking down on sock puppet accounts being used
| from single setup because traffic is kept separate for each
| account and cookie cross-contamination is being prevented."_
|
| This can also be accomplised by using Firefox's Multi-Account
| Container extension in conjunction with the Container Proxy
| extension.
|
| The Multi-Account Container extension is also great for non-
| dirtbag purposes. For instance testing different user profiles in
| an application - create 1 container for User, 1 for Admin etc.
| pvtmert wrote:
| for macOS, you can use -e DISPLAY=host.docker.internal:0
|
| if docker version is >20.10.x also works with Linux
| mirekrusin wrote:
| Nice article.
|
| ps. you know, for some people it's very hard to read bright text
| on black background. Especially if you're flipping from opposite
| contrast.
| LoveGracePeace wrote:
| Agreed, I bring this up all the time, FYI it's about 40% of the
| population according to several decades of research.
| eurasiantiger wrote:
| The author seems to focus on something called "growth hacking",
| which seems to boil down to social media fraud akin to the
| cyberwarfare psyops various nation-states have been doing.
|
| Fast capitalism, to me, seems to be an ideology entirely centered
| on an authoritarian we-versus-them mindset where profit is king,
| civilian collateral be damned.
| ttyprintk wrote:
| Well, growth hacking is a buzzword for a marketing position in
| a company encountering the steep part of the curve. I suppose
| one of the innovations is that a widget becomes more attractive
| to a segment of the population when you bolt on some social
| functionality, what you're seeing.
|
| At the top of growth is incumbency. I think that's where your
| second paragraph comes in. Incumbents surveil innovations, and
| "growth hackers" don't like to talk about this obvious
| conclusion. They'd rather inhabit a role that concludes once
| growth has succeeded and slowed.
|
| This is no more revolutionary than traditional marketing.
| Marxism talks about capitalist marketing as a way to channel
| alienation among working classes away from collective
| organization. But, Marx from the beginning needed to market his
| ideas to different groups. He needed those groups to realize
| that they needed his political orientation. He tries to do this
| with abstractions, and explicitly gives up on whole classes he
| deems unfit to understand those ideas (the lumpenproletariat).
|
| As the product of a growth hacker reaches incumbency, marketing
| gives way to public relations. We might consider Cambridge
| Analytica public relations hackers. Same level of statistical
| sophistication, same single-focus of corporate promotion over
| all other advancements.
| rovr138 wrote:
| I use some projects that use vnc and also have setup novnc on
| them..
|
| Here's an example of one, https://github.com/accetto/ubuntu-vnc-
| xfce-g3
|
| Novnc just allows accessing things via a browser too. I use it
| for quick checks but VNC when I want a client
| galoisscobi wrote:
| Reading this makes me want to revisit running i3wm in a docker
| container on macOS. After having tried Amethyst (current daily
| driver), yabai, and hammerspoon, nothing comes close to i3wm, in
| my experience.
| adamnew123456 wrote:
| I looked into the equivalent setup for WSL a while ago. The
| thing I could never solve was: how to manage the hosts windows
| via the virtual environment's WM? Without the integration that
| setup is just extra config for no gain.
|
| Because if most tools belong to the VM, then just run a VM in
| full screen and use that. No need to have the display server
| shared if you're using mostly Linux tools that display on the
| VM's X server.
| galoisscobi wrote:
| That's a good point. I'll try out the VM route and see how
| that goes. I mainly just want to tile the web browser, some
| docs, a terminal emulator and vim/IDE and be able to switch
| between layouts and apps seamlessly and VM does seem like a
| good option. Kinda sad that macOS WM is a joke to do all this
| compared to some of the TWMs out there.
| adamgordonbell wrote:
| Of course you can also play DOOM in docker:
|
| https://earthly.dev/blog/dos-gaming-in-docker/
| corobo wrote:
| Additional reading on this topic if you fancy it. This is the
| first one I read regarding docker for GUI apps
|
| https://blog.jessfraz.com/post/docker-containers-on-the-desk...
| phil294 wrote:
| I cannot recommend the mentioned x11docker cmd line tool enough
| for this. It takes care of all possible edge cases, supports
| different outlets (like nxagent or xephyr), focuses on security
| and exposes an easy interface. I'm using it for day to day work
| with VSCode, for example, to fix its atrocious security model, or
| more recently, to try out JPEXS (Java), IDA (wine) and AHK
| (wine). I specially like that this leaves no config or cache
| files left behind.
|
| The article says you need a compatible image for that, but in my
| experience, everything launches just fine.
| stickac wrote:
| Exactly that https://subuser.org does
| ttyprintk wrote:
| Looks like its the only solution in this thread leveraging
| Xpra.
|
| https://www.xpra.org/
| Klasiaster wrote:
| For getting a proper Wayland session I recommend doing this with
| Phosh and wayvnc (WLR_BACKENDS=headless WLR_LIBINPUT_NO_DEVICES=1
| as env vars for starting Phosh and then "wayvnc 0.0.0.0 7050").
|
| You can even have a whole systemd setup in a container using this
| VNC backend, here in this Dockerfile with CPU rendering
| (LIBGL_ALWAYS_SOFTWARE=1) to avoid requring a GPU:
| FROM docker.io/fedora RUN dnf -y update && dnf install -y
| phosh phoc wayvnc sudo socat iproute mutter xorg-x11-server-
| Xwayland dbus-x11 mesa-libgbm mesa-libOpenCL mesa-libGL mesa-
| libGLU mesa-libEGL mesa-vulkan-drivers mesa-libOSMesa mesa-dri-
| drivers mesa-filesystem gnome-shell gnome-terminal RUN
| mkdir -p /etc/systemd/system/phosh.service.d && echo -e '\
| [Unit]\n\ ConditionPathExists=\n\ [Service]\n\
| Environment=WLR_BACKENDS=headless\n\
| Environment=WLR_LIBINPUT_NO_DEVICES=1\n\
| StandardInput=null\n\ TTYPath=/dev/console\n\
| TTYReset=no\n\ TTYVHangup=no\n\
| TTYVTDisallocate=no\n\ ExecStart=\n\
| ExecStart=/usr/bin/phoc --exec "bash -lc \"/usr/libexec/phosh
| --unlocked & wayvnc 0.0.0.0 7050\""\n\ ' >
| /etc/systemd/system/phosh.service.d/10-headless.conf RUN
| systemctl enable phosh.service # Work around a problem
| with a missing dbus.service unit file RUN mkdir -p
| /etc/systemd/system && ln -fs /usr/lib/systemd/system/dbus-
| broker.service /etc/systemd/system/dbus.service # Mask
| udev instead of making /sys/ read-only as suggested in
| https://systemd.io/CONTAINER_INTERFACE/ RUN systemctl
| mask systemd-udevd.service systemd-modules-load.service systemd-
| udevd-control.socket systemd-udevd-kernel.socket ENV
| container=docker RUN groupadd --system sudo RUN
| useradd --create-home --shell /bin/bash -G sudo user RUN
| echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers ENV
| LIBGL_ALWAYS_SOFTWARE=1 RUN sudo -u user gsettings set
| sm.puri.phoc auto-maximize false EXPOSE 7050 #
| Set up a /dev/console link to have the same behavior with or
| without "-it", needs podman run --systemd=always CMD [
| "/bin/sh", "-c", "if ! [ -e /dev/console ] ; then socat -u
| pty,link=/dev/console stdout & fi ; exec /sbin/init" ]
|
| Use as: podman run --systemd=always --rm -p 7050:7050 imagename
| qbasic_forever wrote:
| Very cool! systemd is so underrated and underappreciated in the
| container world.
| Legogris wrote:
| jessfraz maintains quite a collection of Dockerfiles you can
| borrow: https://github.com/jessfraz/dockerfiles
| timmattison wrote:
| I love the idea of this. I've struggled to get a setup like this
| to work on MacOS though. Which X server is the "right" one to
| use? Which is the easiest? Is there some way to make it work
| seamlessly with built in tools?
|
| As an aside, instead of talking about growth hacking, and OSINT I
| think this whole thing could be a lot more relatable if the
| author chose a simple motivation like privacy. Another comment
| here mentioned subtools (?) which clearly highlights that not
| everything should be trusted with full access to your system.
| FPGAhacker wrote:
| I've used xquartz for this on macOS in the past.
| hoherd wrote:
| It sounds like you missed the x11vnc part of this. You connect
| into the container using vnc, not x11, and potentially via a
| browser based vnc client. If you want to see a working example
| of a gui app running successfully in docker, check out
| https://github.com/jlesage/docker-handbrake
| FPGAhacker wrote:
| the vnc solution was one of several presented in the article.
| The second was using the host x11 server by sharing the
| socket.
| zubnix wrote:
| another solution that allows both wayland and x11 applications
| accessible from the browser (disclaimer: I am the author, it's
| also still very much under development)
| https://github.com/udevbe/greenfield
| madduci wrote:
| I'm doing this since quite a while and I am happy with this
| approach, especially with applications that tend to pollute my
| machine in every folder possible, like IntelliJ:
|
| https://github.com/madduci/docker-intellij
| mellosouls wrote:
| Is Sandboxie still around? It used to do that (containerised GUI
| apps) pre-Docker on Windows very effectively.
|
| Ah (edit), there it is:
|
| https://github.com/sandboxie-plus/Sandboxie
| modinfo wrote:
| And how to launch GUI app from docker via ssh?
| jbverschoor wrote:
| Run X and set the display host?
| ttyprintk wrote:
| ssh -X will do, but in this thread is a project using Xpra.
| Assuming your docker is remote, that's probably better.
|
| https://www.xpra.org/
| adhesive_wombat wrote:
| > This is beneficial for things like social media management,
| growth hacking (either via social media automation or manual
| labour done by VAs) or OSINT investigations.
|
| Ugh, sounds like the software equivalent of using a huge stack of
| ingenious hardware to just do something parasitic like high-
| frequency trading.
| pronoiac wrote:
| Oh hey, I just automated this a bit to run the Linux version of
| Scantailor Advanced on a Mac. I contributed it back upstream.
| It's not too complicated, but it took a while to get it working.
| https://github.com/ryanfb/docker_scantailor
|
| Edit: this method uses xquartz on the Mac side, and socat to
| bridge between a network port and a file socket.
| mg wrote:
| You can also do it with this one-liner:
|
| docker run -it --rm -e DISPLAY --net=host -v
| $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix
| debian:11-slim
|
| Then inside the container, run: apt update
| apt install firefox-esr firefox
|
| Now Firefox runs inside the container but displays on your hosts
| screen and you can use it right away.
| ThePhysicist wrote:
| Yes, I think few people seem to realize X Windows can be
| operated over a network as well. I used to do that with the
| Windows Subsystem for Linux to use the KDE Konsole and other
| great tools on my Windows machine using an X server running on
| the Windows side and a few environment variable tweaks on the
| Linux side. My colleagues were always confused when they saw
| the Linux UI seamlessly mixed with the Windows stuff on my
| display. For the use case mentioned in the article xvfb
| probably makes more sense though as that stuff often runs on a
| server and you don't want to stream the output somewhere to
| work with it interactively.
| zozbot234 wrote:
| This is not running X on any network, just sharing access to
| the resources that the containerized app needs to find the X
| server on the same host. There's probably an equivalent
| incantation for Wayland, too.
| nrdvana wrote:
| Well, that's sort of splitting hairs... It is a unix
| socket, which at the API level is the same as a network
| connection, but the kernel skips the hassle of attaching
| protocol headers and routing the packets.
|
| The example above _is_ writing and reading every X11
| message over a socket, and not reaching into /dev on the
| host, else it would need additional parameters added to the
| docker command.
|
| I'm not current on Wayland, but as of a few years ago all
| attempts to run it non-locally required the X11 back-compat
| layer. I have no idea what /dev nodes would be required to
| be shared for wayland to run in a chroot.
| OJFord wrote:
| I found your comment grepping for someone sharing how to
| do it in Wayland, so here it is for the next person:
| docker run -e XDG_RUNTIME_DIR=/tmp \ -e
| WAYLAND_DISPLAY=$WAYLAND_DISPLAY \ -v
| $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY
| \ --user=$(id -u):$(id -g) \
| imagename waylandapplication
|
| Pretty simple and reasonable really, just needs to use
| the same Wayland socket and (in order to access it) user
| ID. From: https://unix.stackexchange.com/a/359244
|
| I suppose if you were adventurous you could give it
| whatever other known user ID, and start a separate
| Wayland compositor for it. But I don't know why you
| would, when surely the point is to get containerised GUIs
| visible to you alongside others. Containerised multi-seat
| I suppose?
| bdavis__ wrote:
| thanks for posting this, but I don't think it meets the
| definition of "Pretty simple".
| OJFord wrote:
| It's verbose, but that's why I included the description
| 'just needs same socket and user ID'. That's simple isn't
| it? Of course it'll always need something.
|
| It could be made less verbose by encapsulating in a
| compose file, or by removing the env var to point into
| /tmp and instead using whatever the default is for the
| chosen image. Also it's not necessary to specify the
| value for an env var being passed through with the same
| name (I just copied from SO).
| i_like_waiting wrote:
| So WSL is a must? Because I tried already countless of times
| without that and it never worked.
| [deleted]
| nrdvana wrote:
| You could do the same thing with User Mode Linux or a
| virtual machine. WSL is just the easiest/fastest way to run
| native Linux binaries on a Windows system. If you have a
| X11 server installed properly on windows and can run Linux
| apps over ssh (which I've done with cygwin, but there are
| other paid options as well), then you can run them over ssh
| to a virtual linux on your own host, or look for ways to
| skip the ssh tunnel if they can route packets to eachother.
|
| I'm a little surprised the examples don't require fiddling
| with X permissions, which I always had to do when not using
| ssh.
| nousermane wrote:
| > X Windows can be operated over a network as well
|
| Yes, but GP's example is X over a unix socket. Not sure if
| that counts as network.
| yjftsjthsd-h wrote:
| > Yes, I think few people seem to realize X Windows can be
| operated over a network as well.
|
| Because in practice it generally can't; I'm not aware of any
| Linux distribution not shipping their X server with
| `-nolisten tcp` by default.
| remram wrote:
| This has less isolation. The container has full access to your
| X server and can record your screen or log all key presses, for
| example. It also has access to the host's network interfaces,
| and can access services bound to localhost (even if
| firewalled). There is little point in running software this
| way, if the software is available on the host.
|
| On the other hand the use cases that the article describes can
| already be accomplished by Firefox's "account containers"
| feature or just creating another profile and running `firefox
| --no-remote`
| joombaga wrote:
| The container would only be able to record the screens or key
| presses that occur in the same xserver, right? I never
| thought about access to localhost services. I'm guessing
| there's some xserver configuration that could prevent that.
| remram wrote:
| The parent's setup makes the host's X server socket
| available to the container, so there's only one X server in
| that case. In the article, they run a separate X server,
| which offers some isolation as you note.
| 0x0 wrote:
| Nobody runs more than one X server. And the X server isn't
| involved with other localhost services.
| joombaga wrote:
| I don't intend to run more than one X server. Most of my
| GUI applications don't use X.
| yjftsjthsd-h wrote:
| > There is little point in running software this way, if the
| software is available on the host.
|
| 1. That's a big "if"; I'm fond of docker precisely for fixing
| software availability issues.
|
| 2. It's diminished, but it still provides significant
| protection, since the containerized program still can't see
| the real filesystem or process table without going through X
| or something networked. That's still pretty significant; it
| would, for instance, protect against a Firefox zero-day that
| was being used to read people's private SSH keys (not a
| hypothetical; that incident is what pushed me personally to
| start sandboxing my browser).
| beardog wrote:
| Using it for fixing availability is fine, but I disagree
| that it provides protection.
|
| I don't deny that in theory someone could deploy a Firefox
| zero day that steals ssh keys and that having an abnormal
| setup via docker could throw a wrench in that, but you are
| essentially relying on obscurity of your setup which is not
| an acceptable approach - in the same way that the obscurity
| of TempleOS would not be a good security approach.
| BoorishBears wrote:
| I feel like security through obscurity is the most
| prominent example of the Dunning-Kruger effect
|
| Where beginners in security wrongly rely on it entirely
|
| Then intermediate experts proudly proclaim that it's not
| acceptable
|
| Then expert experts realize it's an excellent part of
| defense in depth.
|
| -
|
| I mean I know it's a hyperbolic example in your comment,
| but do you really think leveraging the obscurity of
| TempleOS wouldn't be an extremely potent way of dodging
| 99.99999% of malware in existence?
|
| Forcing a tailored attack to breach your isolation is
| already miles ahead of just running it on your desktop
| and is most certainly an "acceptable approach", even if
| it's not infallible.
| javajosh wrote:
| _> Firefox zero-day that was being used to read people's
| private SSH keys_
|
| Backup there. I somehow have not heard about this. What was
| the vector? What was the exposure? E.g. have I leaked the
| contents of ~/.ssh to some (hopefully small, at least)
| subset of sites I've visited? Where can I learn more?
| tedunangst wrote:
| https://www.rapid7.com/db/modules/auxiliary/gather/firefo
| x_p...
| tedunangst wrote:
| The container should only have access to the server's
| keyboard input if you give it the magic cookie to do so. If
| you want a secure container, you would only grant limited
| permissions.
|
| https://www.x.org/releases/X11R7.6/doc/xextproto/security.ht.
| ..
| bstpierre wrote:
| Also this method avoids "xhost +" which is a huge security hole
| paskozdilar wrote:
| Thanks, this is much simpler than the original post.
|
| Here's the equivalent Dockerfile + docker-compose.yaml for
| convenience: # Dockerfile FROM
| debian:11-slim RUN apt-get -y update && apt-get -y
| install firefox-esr CMD ["firefox"]
| # docker-compose.yaml services: firefox:
| image: firefox build: . environment:
| DISPLAY: ${DISPLAY} network_mode: host
| volumes: - ${XAUTHORITY}:/root/.Xauthority
| - /tmp/.X11-unix:/tmp.X11-unix
|
| This way you can run it with just: docker-
| compose up
| moody5bundle wrote:
| if you want to remove network_mode=host you need to run
| firefox with the --no-xshm flag
| jandeboevrie wrote:
| This is fun, I did it as well to get an old flash player from
| 2011 working in modern Linux:
| https://raymii.org/s/tutorials/Running_gnash_on_Ubuntu_20.04...
| throwaway69123 wrote:
| Anyway to do this on windows?
| jcastro wrote:
| Distrobox is handy for this:
| https://github.com/89luca89/distrobox
|
| It just lets you reuse any docker image on your desktop (both
| podman and docker), and has some nice features like the ability
| to create a launcher shortcut on the host and transparently
| mapping your home directory. I switched to it full time, all my
| CLI work is just done in a container, and it's pretty
| transparent.
| melony wrote:
| What about in Wayland environments?
| heavyset_go wrote:
| I've successfully used systemd-nspawn with my native Wayland
| session and nested Wayland sessions.
| varbhat wrote:
| Distrobox let's you do the same(using docker or podman) imo and
| is pretty good.
|
| https://github.com/89luca89/distrobox
| AnIdiotOnTheNet wrote:
| Distrobox (or Toolbox) is a nice tool[0], but honestly the
| reliance on Podman doesn't make a lot of sense to me. The
| necessary container functionality is available directly from
| the kernel[1] with little of the complication that Podman
| brings along, and from what I can tell[1] it is pretty
| straight-forward to pull docker and OCI images with simple HTTP
| interaction (or wget/curl) and extract with tar. This could be
| a stand-alone statically compiled executable with no
| dependencies that could work on any Linux distribution with no
| hassle at all, but isn't for some reason[2].
|
| [0] I was exposed to it via Fedora Silverblue, where something
| like it is a necessity since the base OS is immutable. I've
| found it very useful even outside that use case however.
|
| [1] Seems to me you could even use bwrap if you were reluctant
| to use syscalls directly.
|
| [2] having done a little research towards creating my own tool
| because I'd rather not depend on a package that isn't available
| in many LTS distros, among other reasons.
| heavyset_go wrote:
| Truthfully, I think systemd-nspawn and Firejail are better
| solutions than Docker for GUI apps and desktop use.
| 999900000999 wrote:
| I know this isn't the focus of the article, but this license
| provision in a linked project is outright strange.
|
| >By using this software you agree that the following non-PII (non
| personally identifiable information) data will be collected,
| processed and used by the maintainers for the purpose of
| improving the docker-android project. Anonymisation with respect
| of the IP address means that only the first two octets of the IP
| address are collected.
|
| https://github.com/budtmo/docker-android/blob/master/LICENSE...
|
| How can you call a project Apache when you're forcing people to
| pay via their data ? Why is their no opt out option?
|
| Absent that this seems like a great QA automation tool. Or a
| Tinder bot farm...
| detaro wrote:
| According to the documentation about analytics, there is an
| opt-out.
| 999900000999 wrote:
| Where exactly, I'd expect them to both mention the analytics
| and the opt out option in the readme.
|
| Just rubs me the wrong way, you can easily use this without
| knowing it phones home
| metadat wrote:
| Sadly, today this is more common than not, even with OSS.
| Even Elasticsearch has been doing it for many years now
| (since well before Kimchi allowed changing the license to a
| hostile one).
| arghwhat wrote:
| While nasty, the Apache license does not concern itself with
| what an application does, only how it is distributed.
| detaro wrote:
| The especially weird thing is putting something like that in
| the license.
___________________________________________________________________
(page generated 2022-03-26 23:01 UTC)