
Running GUI apps with Docker - SlipperySlope
http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/
======
tekacs
I use ssh -X [1] since it runs the application as an untrusted client, not
able to interact with or manipulate or sniff from other windows. ssh -Y is the
trusted equivalent.

Might I assume that the approach in the article gives processes in the
container full access to one's X11 session and contents?

[1]: SSH X11 forwarding

------
vivab0rg
FYI, Fábio Rehm is also the author of the great LXC provider for Vagrant[1],
which I sucessfully use for fun and profit almost every working day.

PS: I you like Fábio's work, consider tipping him[2] (I already did, with
bitcoins! :)

[1]: [https://github.com/fgrehm/vagrant-
lxc](https://github.com/fgrehm/vagrant-lxc)

[2]: [https://gratipay.com/fgrehm/](https://gratipay.com/fgrehm/)

------
Aissen
Share your X11 socket/cookie, and now everything you input
(keyboard/mouse,etc.) is readable by a so called "contained" application; this
is not a secure solution, but more of a comfort solution, and it should be
used as such.

On a side note, I've been doing this with chroot/debootstrap for years, but
lxc/docker provide a nice "engineered" solution.

------
rubyn00bie
While I think this is cool, could someone explain to me why I'd bother using a
docker setup over let's say a... traditional VM? And I don't need
justification for using containers on a server, that makes sense... on a
desktop though something just seems off.

Seems like there's little to gain and a lot to configure/worry about with the
Docker setup. Happy to be learned somethin' ... just would like to know what
that somethin' is.

~~~
yurymik
There are a couple reasons I can think of:

* You can run different versions of program side-by-side: FF 32 in one window, and FF 31 in another to test compatibility and regression.

* You can install programs without polluting your base system. I don't want to have Java installed, but sometimes I just need to run an applet.

All of that can be achieved with traditional VM, but with the performance
penalty. As Docker runs on top of the native kernel, speed should be
comparable to the application running directly on host.

------
cliftonk
If it's helpful to anyone else, I used X virtual frame buffer with VNC to do
something similar earlier this year [https://github.com/clifton/docker-ib-
gateway](https://github.com/clifton/docker-ib-gateway)

------
Lai0chee
humm, the sudo makes me shudder.

~~~
piqufoh
Why? It's being run inside the docker container, it should be ok.

~~~
Lai0chee
Docker "isolation" is not as strong as most hipsters think. :-)

~~~
wastedhours
Interesting, any links which expand on the issues?

~~~
stevekemp
This is the first that comes to mind:

[http://blog.bofh.it/debian/id_413](http://blog.bofh.it/debian/id_413)

~~~
kalmi10
That's an article from 2011. This evasion does not work today.

~~~
stevekemp
That example is old, but yes it does work, and will continue to work until
docker uses user namespaces.

That said the example is not a good one because of the changes applied these
days, e.g. the use of the UID on the host-side.

~~~
kalmi10
I actually tried it on Docker 1.2.0 with the ubuntu:14.04 image.

/sys is already mounted and it is read-only, and it cannot be mounted
manually:

    
    
      root@07ba8c752195:/# mkdir sys2
      root@07ba8c752195:/# mount -t sysfs sysfs /sys2
      mount: block device sysfs is write-protected, mounting read-only
      mount: cannot mount block device sysfs read-only

~~~
stevekemp
I tested this with the busybox image, and received a warning that /sys was
already mounted, but the attack then proceded to work as expected.

~~~
kalmi10

      kalmi@sylph ~> docker run -t -i busybox:latest
      / # mount -t sysfs sysfs /sys
      mount: permission denied (are you root?)
      / # mkdir sys2
      / # mount -t sysfs sysfs /sys2
      mount: mounting sysfs on /sys2 failed: Permission denied
    
      kalmi@sylph ~> docker --version
      Docker version 1.2.0, build fa7b24f
    
      kalmi@sylph ~> uname -r
      Linux sylph 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

~~~
stevekemp
We don't need to argue about this, but I see the same permission-denied issue
as you, but that doesn't matter.

The /sys is mounted already and reading/writing to it succeeds:

    
    
         / # mount -t sysfs sysfs /sys
         mount: permission denied (are you root?)
    
         / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper
    
         / # cat   /sys/kernel/uevent_helper
         /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a906aef/tmp/evil-helper
    

From there the attack works. Obviously the change here is that I need to know
the full UID, which is a cheat, but ..

------
nullsocket
Firejail anyone?

[http://l3net.wordpress.com/projects/firejail/](http://l3net.wordpress.com/projects/firejail/)

------
foobarqux
Are there still problems with apps that require the initialization system. I
never was able to get things like dbus working in Docker.

------
jestinjoy1
Noob here. What are the possible usecases?

~~~
yuvadam
Skype, for example, can be run inside a container [1], allowing you to use it
while hiding the rest of your system from the obfuscated and traffic-encrypted
binary which no one knows what it does to your system.

It uses X11 forwarding for the GUI, and PulseAudio for the sound.

[1] -
[https://registry.hub.docker.com/u/tomparys/skype/](https://registry.hub.docker.com/u/tomparys/skype/)

~~~
vertex-four
I'll note that X11 has practically no security and that windows can read
contents from other windows, if you happen to be worried about that attack.
Essentially, anything that is displayed can be read by anything.

You'd need some form of "X11 firewall" to be secure.

~~~
masklinn
Untrusted SSH X-forwarding (via -X) is a start.

------
zokier
Does OpenGL work with this?

------
zwischenzug
Nice... previously I'd just installed vnc.

