App in Docker: not completely isolated? about dockerfiles HOT 10 CLOSED

There is work being done to secure X11 by some gnome people I believe but
ya X11 is ridiculously insecure...

On Fri, Jun 5, 2015 at 4:22 PM, TerrorFactor [email protected]
wrote:

When messing around with your Docker images, I wanted to check if a
container was completely isolated. I tried it with your Spotify image, as I
know Spotify doesn't like being started multiple times.
So I created 2 containers with your Spotify-image, and tried to run them
both.
It didn't work :(
Spotify knew there was already a Spotify running. I figured it might be,
because both instances were mapped to the same folders on the host, so I
changed that. No luck.

Upon googling a bit more, I suspect it's because X11 is used. Do you know
how to fix that, or is there a workaround?

—
Reply to this email directly or view it on GitHub
#24.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

from dockerfiles.

Would using VNC work? I'd guess I have to make an image with a VNC server in it, which will give some overhead, but if it's really isolated that way, that's okay. It'll still be better than running a VM for every app.

from dockerfiles.

I honestly don't think so, but would be interesting to try.

On Fri, Jun 5, 2015 at 4:30 PM, TerrorFactor [email protected]
wrote:

Would using VNC work? I'd guess I have to make an image with a VNC server
in it, which will give some overhead, but if it's really isolated that way,
that's okay. It'll still be better than running a VM for every app.

—
Reply to this email directly or view it on GitHub
#24 (comment)
.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

from dockerfiles.

Sooooo, it seems that I can't even get your stock image to build:
Errors were encountered while processing:
colord
E: Sub-process /usr/bin/dpkg returned an error code (1)

The command .... returned a non-zero code: 100

Updating your image without rebuilding also doesn't seem to be an option, as I can't get a shell due to the X11 requirement.

from dockerfiles.

Hmm thats odd seeing as I just updated all of them and they built just
fine..

On Fri, Jun 5, 2015 at 6:10 PM, TerrorFactor [email protected]
wrote:

Sooooo, it seems that I can't even get your stock image to build:
Errors were encountered while processing:
colord
E: Sub-process /usr/bin/dpkg returned an error code (1)

The command .... returned a non-zero code: 100

Updating your image without rebuilding also doesn't seem to be an option,
as I can't get a shell due to the X11 requirement.

—
Reply to this email directly or view it on GitHub
#24 (comment)
.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

from dockerfiles.

That's weird. I'm using a pretty much fresh installed 14.04 64 bit ubuntu, and only installed docker today. I'll install a fresh VM and have another go. There isn't anything special needed to build an image as far as I know?

from dockerfiles.

It did work on a fresh VM with a fresh docker. Added another repository, guessing i'm having a different version of docker now.
Didn't manage to get vnc/any thing else working though. Used this for the VNC setup: http://stackoverflow.com/a/16311264/4225082
Just get the error that the display was not found (like you get when you don't "xhost +" before using your method.
Then found that I could use xephyr, as that isolates x, so that should work. Used this as basis: http://blog.whitenite.de/docker-container-running-gui-apps-feat-sockets-and-xephyr/
Get the xephyr window, with window manager. A spotify window opens up, but it's just an empty window, the actual app isn't visible.
Tried it with the ubuntu window manager (compiz), but that doesn't help either.
I think I'll keep using sandboxie for a while ;(

from dockerfiles.

You can use subuser's secure X11 bridge to provide X11 isolation. I am currently working on getting @jfrazelle's repository ported to subuser. Stay tuned.

from dockerfiles.

@timthelion results on the porting?

from dockerfiles.

closing as this is not bugs with this repo, thanks! but feel free to discuss!

from dockerfiles.