
Docker Desktop: Your Desktop over ssh inside of a Docker container - rogaha
http://blog.docker.io/2013/07/docker-desktop-your-desktop-over-ssh-running-inside-of-a-docker-container/
======
DannoHung
If you're sort of confused as to what advantage there is to this way of doing
things over just running a VM in VirtualBox or using Vagrant, you probably
aren't yet aware of what the Docker project is doing.

It's creating the VirtualBox of Linux Containers. Docker image files are
extremely lightweight when compared to VirtualBox images and use union
filesystems to allow for complete isolation rather than using VM volumes.

An example scenario for when you'd want something like this is if you want to
load an experimental library for a specific application that some part of your
system depends on the stability of. Fire up a docker image for just that
application with the experimental library replacing the stable library and
_just_ the applications inside the docker image will see it. No need to even
play around with library versions or links. And since the Docker images are so
light weight and incur extremely little performance penalty (I think it is
limited to just the cost of using the Union FS over your normal FS), you can
do this for dozens of scenarios at once.

~~~
zobzu
I'm confused with the advantage over "pure" LXC and a couple of scripts for
the mounts; what does it provide for this kind of usage? Or is it not using
LXC and basically implements its own interface to the Linux namespaces?
(that'd be actually cool... :P)

~~~
DannoHung
Docker combines LXC along with a few other isolation and security
technologies. What the Docker maintainers are also doing is setting up a
system for distributing LXC based images. Beyond this, since Docker works with
these union file systems, it also lets you build on top of other images.

Eventually, there may be some way to merge images together, though I imagine
that will always be a little hairy compared to a simple stack up.

Documentation is more than a little sparse right now, unfortunately. It took
me a few days to figure out how all the pieces work together.

~~~
eldondev
Can you be specific about the other security methodologies docker rolls in?
Everywhere I read, people say "LXC != VM-level security"; specifically, I hear
that root on the container means root on the host. These SUSE guys at least
say "If you want to be secure, kvm is still your answer":
[http://unixcal.com/s/a4mn](http://unixcal.com/s/a4mn). Thoughts?

~~~
jpetazzo
Root on the container doesn't mean root on the host. Machine-level
virtualization has received more scrutiny than LXC, so as of today, many
people consider traditional VMs to be more secure. But KVM or Xen are not
intrinsically more secure than LXC or OpenVZ. They all have their histories of
exploits and privilege escalations.

One key thing is that it makes sense to run containers without root
privileges (greatly improving security), while it is much harder to
realistically run a VM without root processes. As a result, it could be said
that containers are much safer, because before even thinking about breaking
out of the container, you have to work on a root exploit - on a system which,
by essence, only runs the processes that you really need, and has a much
smaller attack surface.

We're working on a more elaborate answer, to be included within the Docker docs!

------
beachstartup
> root@host:~# curl [http://get.docker.io](http://get.docker.io) | sh

No no no. Do NOT do this. Kids these days...
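
The pattern the comment objects to (`curl ... | sh`) runs whatever bytes the network delivers, with no chance to inspect or verify them. The script below is an added example, not part of the thread or of Docker's installer: it fetches an install script to a file, checks it against a digest obtained out of band (a release page or a signature you have already verified), and only then leaves it to you to read and run. The download URL and the pinned digest are placeholders; the demo at the bottom works on a constructed sample script so it runs offline.

```shell
# Added example (not from the thread): the safer counterpart to `curl ... | sh`.
# Fetch the installer to a file, pin it to a checksum obtained out of band,
# read it, then run it. URL and pinned digest below are placeholders.

set -eu

# Portable SHA-256 of a file: GNU coreutils `sha256sum` or BSD/macOS `shasum`.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when the file's digest equals the expected (pinned) digest.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download to a file, then verify. Nothing from the network reaches a shell
# until the digest matches and you have read the file (e.g. `less "$dest"`).
# $1 = URL (placeholder), $2 = expected SHA-256 hex, $3 = destination path.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
    verify_sha256 "$dest" "$expected"
}

# --- Constructed demo, no network: write a sample installer and pin its digest.
demo_dir=$(mktemp -d)
demo_script="$demo_dir/install.sh"
printf '%s\n' '#!/bin/sh' 'echo "installing (demo)"' > "$demo_script"
PINNED=$(sha256_of "$demo_script")   # stands in for the out-of-band value

# An unmodified file verifies.
demo_verify_ok() { verify_sha256 "$demo_script" "$PINNED"; }

# A file that differs from what was pinned, even by one appended line, does not.
demo_verify_modified() {
    modified="$demo_dir/modified.sh"
    cp "$demo_script" "$modified"
    printf '%s\n' 'echo "unexpected extra line"' >> "$modified"
    verify_sha256 "$modified" "$PINNED"
}
```

A real use would call `fetch_and_verify https://example.invalid/install.sh <pinned-hex> ./install.sh`, read the file, and run it with `sh ./install.sh` only after both steps pass; the digest pin is what makes a substituted or tampered script fail closed instead of executing.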

~~~
antocv
This also sucks because the scripts always assume some variant of Ubuntu or
Debian. Um, no, thank you, damn hipsters.

~~~
slashdotdotorg
Exactly _what_ is your qualification for debian being lumped in with hipsters?
Some of us have used it as the most rock solid STABLE linux distro for servers
and desktops for quite a long time.

~~~
peatmoss
He's an avid Yggdrasil user.

As an aside, I miss some of the raw diversity that was present in the old
Linux distros. Slackware was my drug of choice due to its steadfastly BSD
flavor. I guess Slackware is still around, but have no idea what its status is
and whether Patrick ever moved it over to system v-ish convention in order to
be more like other Linux distros. I guess that distinction is even a bit
anachronistic given all the fancy changes to the way init is done nowadays.

------
sciurus
IMHO here's an even cooler hack:

Gtk+, the widget toolkit used to develop GNOME and many free software
applications, supports rendering applications via HTML5. One of the developers
has demonstrated using it to run desktop applications on OpenShift, Red Hat's
PaaS, that you then access via your web browser.

[http://blogs.gnome.org/alexl/2013/03/19/broadway-on-openshift/](http://blogs.gnome.org/alexl/2013/03/19/broadway-on-openshift/)

[http://blogs.gnome.org/alexl/2013/04/03/more-gtk-in-the-cloud/](http://blogs.gnome.org/alexl/2013/04/03/more-gtk-in-the-cloud/)

~~~
StavrosK
But... but... how?

------
ivan_ah
This could be made VERY interesting if you also add an NX server in the mix. I
find basic X11 connections via ssh to be rather laggy and unpleasant to use
when the internet connection is not top.

The idea behind NX is to "fake" an X client on the server side and fake a NX
server on the client side. This reduces the number of roundtrips required for
each action. The improved responsiveness is dramatic -- even on a low speed
and high-latency link, using the remote desktop feels like a local machine...

[http://en.wikipedia.org/wiki/NX_technology](http://en.wikipedia.org/wiki/NX_technology)

Unfortunately, the two open source projects which aimed to reproduce the NX
functionality seem to have been abandoned.

[http://freenx.berlios.de/](http://freenx.berlios.de/)

[http://code.google.com/p/neatx/source/list](http://code.google.com/p/neatx/source/list)

Is anyone using NX these days? Perhaps, people stopped developing these
because they work well already?

~~~
sciurus
Take a look at xpra instead. The performance is much better than X11 forwarding
when you don't have a low latency connection.

[http://xpra.org/](http://xpra.org/)

~~~
rogaha
Thanks for your reply! I tried xpra and it seems to be much better! It also
fixed the issue with the keyboard messed-up on Mac OSX. I will publish an
update on GitHub soon!

------
jol
I can see using this to get a perfectly replicable, easy to upgrade/rollback and
movable work environment - for both local and remote use. I.e., use locally
on a powerful machine or rdp to the closest powerful machine you can access from
a slow device. Or have several workspaces similar to virtual desktops for
multiple projects...

~~~
rogaha
Exactly. You can easily do that with Docker Desktop :)

------
j_s
I got excited when I saw the Windows installation instructions link, but that
is just how to setup Vagrant with VirtualBox to host a Linux machine.

Is there any open-source equivalent to things like Citrix's XenApp, VMWare's
ThinApp, Microsoft's App-V, or independent tools like Sandboxie?
[http://alternativeto.net/software/sandboxie/](http://alternativeto.net/software/sandboxie/)

~~~
rogaha
Sorry, but for now it's the only way to install it on Windows. Thanks for
asking j_s.

~~~
mmgutz
But why Vagrant? It's an unnecessary dependency that requires installation of
more stuff I don't use. Why not distribute a pre-built VBox image and torrent
it?

------
gcb0
So, if I understood that correctly, it's just a virtual box image of ubuntu or
debian that you run headlessly in a linux container (via docker) and then run
an X server on your actual machine OS and connect to it via SSH with X forwarding?

How is this any better than simply running virtualbox on your OS to begin
with?

~~~
rogaha
Exactly. It's better because you can build that image anywhere where there is
docker installed and it can be easily moved/upgraded and ready to run. But if
you think only locally, then there is not much difference, apart from docker
being lighter and faster.

~~~
yebyen
Further, the VirtualBox instructions are only for Windows users, to get Linux
installed (which is a requirement of Docker). You don't need VirtualBox at
all. But if you don't have Linux, you can try this with VBox (it's a
virtualization tech that nests safely inside of vbox... unlike say, virtualbox
inside of virtualbox.)

~~~
gcb0
If I already have linux installed I can carry fat binaries and a kernel for
chroot'ing an environment, all in a tar file... I think this is just a new way
kids do common things of yesterday. Or maybe linux containers kick chroot's
a__ in performance?

~~~
yebyen
To me it's not about performance... it's about rigorous isolation. LXC is like
FreeBSD jails, though there are things you can do with the cgroup namespace
stuff now that are impossible using jails... e.g. disk io accounting.

In a jail, one user who attempts to monopolize disk io will succeed. In a
cgroup, he can be restricted to exactly 10% of available i/o bandwidth, so you
can guarantee that he doesn't starve the other containers.

There are also easy and documented ways to break out of a chroot if you are
able to obtain root in the chroot. Those holes are plugged by lxc and docker.
Most notably, access to devices can be restricted.

I don't know what you mean by "carry fat binaries and a kernel for chrooting
an environment" -- you don't need a separate kernel for chroot, any more than
you need a separate kernel for docker. There's no advantage to statically linked
binaries (fat binaries?) when you can put the storage of your containers in a
zpool or btrfs with deduplication. Same as your chroots.

Try out docker. Read about cgroups. I first gave LXC a try a few years ago and
I was really sad about the extent of support for creating guests and keeping
them properly isolated. It was really not friendly at all. You basically had
to commit to using kernel patches that made your system pretty unusable as a
desktop. (Was that xen dom0 or lxc?)

Everyone was saying, "Ohh, LXC is no better than a chroot." It's insecure,
easy to break yourself out. Not so much anymore, with the current state of
Docker you don't even have to know all the advances in cgroup and namespaces.

It's worth a look. Really, go check it out.
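
Two claims in this thread map onto concrete container settings: jpetazzo's point that container processes need not run as root, and yebyen's points that a cgroup can pin one container to a minority share of block I/O and that device access can be restricted. The script below is an added example, not code from the thread or from the Docker project, showing a `docker run` invocation that applies those controls. The flags are present-day Docker options (added after this 2013 discussion, not available in the Docker of that time); the image name, uid:gid and block-device path are assumptions. When `DOCKER_DRYRUN=1` is set, or no `docker` binary is on the PATH, the function prints the command instead of running it.

```shell
# Added example, not from the thread: turning the isolation claims above into
# concrete `docker run` settings. Flags are modern Docker options; IMAGE,
# RUN_AS and the block-device path are assumptions. With DOCKER_DRYRUN=1 (or no
# docker binary) the command is printed rather than executed.

set -eu

IMAGE=${IMAGE:-ubuntu:22.04}        # assumed image
RUN_AS=${RUN_AS:-65534:65534}       # unprivileged uid:gid (nobody)

# Run docker, or print the command line in dry-run mode / when docker is absent.
docker_cmd() {
    if [ "${DOCKER_DRYRUN:-0}" = "1" ] || ! command -v docker >/dev/null 2>&1; then
        printf 'docker %s\n' "$*"
    else
        docker "$@"
    fi
}

# Container whose processes never run as root inside the container (so a
# "root exploit" is the first hurdle, as jpetazzo puts it), hold no Linux
# capabilities, cannot regain privileges via setuid binaries, get a read-only
# root filesystem and a process-count cap, and a relative block-I/O weight.
# Weight 100 against Docker's default of 500 gives a minority share under
# contention; it takes effect only where the host's block-I/O cgroup
# controller supports weights (the cgroup mechanism yebyen describes).
# $1 = container name, $2 = blkio weight (10..1000), rest = command to run.
hardened_run() {
    name=$1; weight=$2; shift 2
    docker_cmd run --rm --name "$name" \
        --user "$RUN_AS" \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only --tmpfs /tmp \
        --pids-limit=256 \
        --blkio-weight="$weight" \
        "$IMAGE" "$@"
}

# Absolute throttle instead of a relative weight: cap bytes/s read and written
# to one block device. $2 is a host device path (assumed; must exist on the host).
throttled_run() {
    name=$1; dev=$2; shift 2
    docker_cmd run --rm --name "$name" \
        --user "$RUN_AS" --cap-drop=ALL \
        --device-read-bps="$dev:10mb" --device-write-bps="$dev:10mb" \
        "$IMAGE" "$@"
}
```

Devices are not granted at all unless passed in with `--device`, so the device restriction yebyen mentions is the default here; `--cap-drop=ALL` additionally removes `CAP_MKNOD` and `CAP_SYS_ADMIN`, which is what keeps a root process inside the container from creating device nodes or mounting filesystems. `hardened_run demo 100 id` prints the resulting identity (uid 65534) when run for real.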

------
willvarfar
Here's a recipe for using vnc to get pixels out of a docker:

[http://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker](http://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker)

------
VaucGiaps
Linux != Debian

~~~
icebraining
The script is actually Ubuntu specific, not Debian (it uses Upstart).

