How to run GUI applications directly in containers (opens in new tab)

(github.com)

73 pointshippospark1y ago38 comments

38 comments

33 comments · 11 top-level

wmf1y ago· 7 in thread

I don't want to be negative but Flatpak is a container runtime specifically designed for GUI apps and Docker isn't.

Another thing to look at is bubblewrap (https://github.com/containers/bubblewrap), which is what implements the sandboxing in Flatpak. It's handy if you want to run a command from your host in a particular sandbox as kind of a one-off, or if you just want to understand more about how that sandboxing works :)

dnndndej1y ago

But doesn't flatpack offer much deeper system Integration by default? Like being able to access the home directory by default and being able to talk to dbus?

To me flatpack looks like a way achieve application compatibility not security

TingPing1y ago

By default a flatpak has no permissions. It exposes ways to add permissions both statically and dynamically. So security varies.

razemio1y ago

I think this depends on your use case. As a dev I would take dockerized gui applications over flatpak all day, as it allows me to quickly add additional packages and networking for example. The possibilities would be endless while all can reside in a small docker-compose stack right in the repository.

kccqzy1y ago

Your perspective is understandable. When you say "as a dev" it sounds like you really want to be a docker dev but not a flatpak dev: you are used to writing docker files and docker-compose files but you are not interested in writing flatpak apps. That's okay because docker is focused on developers whereas flatpak is more user-centric.

1 more reply

mariusor1y ago

You can always build your own flatpak image with whatever else you need. I think the only thing you're losing is the layered architecture of OSI images.

ximm1y ago

This is a nicely written description of some of the things that flatpak does under the hood for people who know docker. Of course, flatpak does a lot more (e.g. filtered dbus access).

I personally think that flatpak is not the end of history and we should continue to experiment with different approaches.

art0rz1y ago· 4 in thread

> The source of the GUI application is untrusted, or its safety is uncertain.

Afaik Docker doesn't promise security

lotharcable21y ago

This is correct.

I think it may add a bit of security, but containers are better thought of as mechanism to deploy and manage applications/services.

They can be useful as part of a security posture, but you kinda have to wrap everything up in SELinux or as part of some other system. Which is a lot easier to do with containers then it is to do with normal applications.

Also for most purposes:

If you want to integrate container applications into your desktop you'd be better off with something like Flatpak or distrobox/toolbx.

there are lots of things that these applications do to setup the environment and integrate into your home directory that isn't going to be done with simple scripts like this.

That doesn't mean that these scripts are useless, of course. I you want to run a application with more isolation and less integration then it is a lot easier to do it this way then with something like distrobox.

Like if you don't want to give a application access to your home directory. Or want to emulate a container environment for the cloud locally so you can hack on it.

diggan1y ago

Even if it did, if you end up connecting your GPU, display manager, dbus, pipewire and a bunch of other devices to the untrusted application, you would kind of lose out on it anyways.

Only benefit I can see here is the separation of the filesystems, but there are easier and simpler ways than docker to do that.

nightski1y ago

Not promising is not the same as offering none. I don't think any technology solution "promises" when it comes to security.

mmh00001y ago

I'll agree that "Docker" has a history of "interesting" security practices.

But the core technologies underlying containers: Namespaces, cgroups, POSIX Capabilties, and SELinux. "Should" provide a level of isolation equivalent to a virtual machine[1].

If you're using a decent container platform like Podman, you should feel relatively good about the application's security and isolation.

[1] https://www.redhat.com/en/blog/how-selinux-separates-contain...

Pet_Ant1y ago· 3 in thread

This is a case where the original X11 client server model would make perfect sense.

number61y ago

Yes, exactly my thought, why not connect to the X11 server

max-privatevoid1y ago

That would completely defeat the security aspect. At that point, you're only using Docker as a software distribution method, which it's terrible at.

1 more reply

codetrotter1y ago

I like that part of X11, but a lot of software now uses Wayland.

mg1y ago· 3 in thread

Is this solution different from just executing this:

    docker run -it --rm -e DISPLAY --net=host -v $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:12-slim

And then run the GUI app in the container? For example for Firefox:

    apt update
    apt install firefox-esr
    firefox

That is an approach I sometimes use to try GUI applications in a Docker container.

ElijahLynn1y ago

The approach uses Wayland and Pipewire.

> When you start a container instance, all you need to do is map the host's Wayland socket and PipeWire socket files into the container, and then set the appropriate environment variables within the container to enable running GUI applications.

dnndndej1y ago

Isn't this working just for X11?

yjftsjthsd-h1y ago

Should also work with xwayland, but yes.

yegle1y ago· 2 in thread

The linuxserver.io packaged a couple popular GUI apps in container, e.g. Calibre.

The container packages a VNC server, and you can access the container using a webVNC.

This seems like a great solution for non-GPU-intensive GUI apps.

codetrotter1y ago

I remember having to do something similar when I was running a Debian chroot on an Android phone on one of the early Android phones.

Haven’t stuck around so I don’t know if VNC is still common to use locally on Android when you want to run other Linux distros with graphical environments on your device.

It worked but having to rely on VNC for something that is local on the same machine never felt great to me. Same when I VNC into a VM on the same host. It just feels a bit wrong to me to have to use VNC. It works and I do it sometimes for VMs on my computer, but I don’t like it.

The cool people do things like PCI passthrough. But I don’t have an extra graphics card and I haven’t looked much at the details of PCI passthrough anyways. Seems like a lot of effort also.

I do like X11 forwarding. I don’t know what to do for Wayland when it’s a VM.

brirec1y ago

I’ve used waypipe for this before. https://github.com/deepin-community/waypipe

ElijahLynn1y ago· 2 in thread

This only works on Linux systems. No Mac, fwiw.

wmf1y ago

Containers don't exist on Mac so yeah.

brcmthrowaway1y ago

I can run Docker on Mac though.

1 more reply

jbverschoor1y ago· 1 in thread

Using x11 :) the concept is nice, and could help isolate much more elegant than qubes for example.

But the protocol sucks I’ve heard

yjftsjthsd-h1y ago

? This is explicitly wayland, not x11. And x11 isn't likely to give you very good isolation unless you jump through hoops.

colonial1y ago

I configure all my development containers to mount my host's Wayland socket. It mostly Just Works, and obviates the need to do any shell shuffling if I need to run something with a graphical component.

It's also occasionally convenient if I need to run a GUI app written in (say) Java that requires a zillion megabytes of JVM dependencies - just spin up an ephemeral container that makes everything disappear on CTRL-D.

pronoiac1y ago

I've run an X app from Docker, a Linux container on a macOS host. I was able to move the incantations to a Makefile: https://github.com/ryanfb/docker_scantailor

yjftsjthsd-h1y ago

Curious that there's no comparison to https://github.com/mviereck/x11docker , which I would describe as the incumbent in this space.

Jotalea1y ago

I wonder what are the limitations of this.

- can it run games?

- can it use desktop environments or window managers like KDE or Hyprland?

- how much does it affect performance?

edit: fixed lines

j / k navigate · click thread line to collapse

38 comments

33 comments · 11 top-level

wmf1y ago· 7 in thread

I don't want to be negative but Flatpak is a container runtime specifically designed for GUI apps and Docker isn't.

dylan-m1y ago

dnndndej1y ago

But doesn't flatpack offer much deeper system Integration by default? Like being able to access the home directory by default and being able to talk to dbus?

To me flatpack looks like a way achieve application compatibility not security

TingPing1y ago

By default a flatpak has no permissions. It exposes ways to add permissions both statically and dynamically. So security varies.

razemio1y ago

kccqzy1y ago

1 more reply

mariusor1y ago

You can always build your own flatpak image with whatever else you need. I think the only thing you're losing is the layered architecture of OSI images.

ximm1y ago

This is a nicely written description of some of the things that flatpak does under the hood for people who know docker. Of course, flatpak does a lot more (e.g. filtered dbus access).

I personally think that flatpak is not the end of history and we should continue to experiment with different approaches.

art0rz1y ago· 4 in thread

> The source of the GUI application is untrusted, or its safety is uncertain.

Afaik Docker doesn't promise security

lotharcable21y ago

This is correct.

I think it may add a bit of security, but containers are better thought of as mechanism to deploy and manage applications/services.

Also for most purposes:

If you want to integrate container applications into your desktop you'd be better off with something like Flatpak or distrobox/toolbx.

there are lots of things that these applications do to setup the environment and integrate into your home directory that isn't going to be done with simple scripts like this.

Like if you don't want to give a application access to your home directory. Or want to emulate a container environment for the cloud locally so you can hack on it.

diggan1y ago

Even if it did, if you end up connecting your GPU, display manager, dbus, pipewire and a bunch of other devices to the untrusted application, you would kind of lose out on it anyways.

Only benefit I can see here is the separation of the filesystems, but there are easier and simpler ways than docker to do that.

nightski1y ago

Not promising is not the same as offering none. I don't think any technology solution "promises" when it comes to security.

mmh00001y ago

I'll agree that "Docker" has a history of "interesting" security practices.

But the core technologies underlying containers: Namespaces, cgroups, POSIX Capabilties, and SELinux. "Should" provide a level of isolation equivalent to a virtual machine[1].

If you're using a decent container platform like Podman, you should feel relatively good about the application's security and isolation.

[1] https://www.redhat.com/en/blog/how-selinux-separates-contain...

Pet_Ant1y ago· 3 in thread

This is a case where the original X11 client server model would make perfect sense.

number61y ago

Yes, exactly my thought, why not connect to the X11 server

max-privatevoid1y ago

That would completely defeat the security aspect. At that point, you're only using Docker as a software distribution method, which it's terrible at.

1 more reply

codetrotter1y ago

I like that part of X11, but a lot of software now uses Wayland.

mg1y ago· 3 in thread

Is this solution different from just executing this:

    docker run -it --rm -e DISPLAY --net=host -v $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:12-slim

And then run the GUI app in the container? For example for Firefox:

    apt update
    apt install firefox-esr
    firefox

That is an approach I sometimes use to try GUI applications in a Docker container.

ElijahLynn1y ago

The approach uses Wayland and Pipewire.

dnndndej1y ago

Isn't this working just for X11?

yjftsjthsd-h1y ago

Should also work with xwayland, but yes.

yegle1y ago· 2 in thread

The linuxserver.io packaged a couple popular GUI apps in container, e.g. Calibre.

The container packages a VNC server, and you can access the container using a webVNC.

This seems like a great solution for non-GPU-intensive GUI apps.

codetrotter1y ago

I remember having to do something similar when I was running a Debian chroot on an Android phone on one of the early Android phones.

Haven’t stuck around so I don’t know if VNC is still common to use locally on Android when you want to run other Linux distros with graphical environments on your device.

The cool people do things like PCI passthrough. But I don’t have an extra graphics card and I haven’t looked much at the details of PCI passthrough anyways. Seems like a lot of effort also.

I do like X11 forwarding. I don’t know what to do for Wayland when it’s a VM.

brirec1y ago

I’ve used waypipe for this before. https://github.com/deepin-community/waypipe

ElijahLynn1y ago· 2 in thread

This only works on Linux systems. No Mac, fwiw.

wmf1y ago

Containers don't exist on Mac so yeah.

brcmthrowaway1y ago

I can run Docker on Mac though.

1 more reply

jbverschoor1y ago· 1 in thread

Using x11 :) the concept is nice, and could help isolate much more elegant than qubes for example.

But the protocol sucks I’ve heard

yjftsjthsd-h1y ago

? This is explicitly wayland, not x11. And x11 isn't likely to give you very good isolation unless you jump through hoops.

colonial1y ago

pronoiac1y ago

I've run an X app from Docker, a Linux container on a macOS host. I was able to move the incantations to a Makefile: https://github.com/ryanfb/docker_scantailor

yjftsjthsd-h1y ago

Curious that there's no comparison to https://github.com/mviereck/x11docker , which I would describe as the incumbent in this space.

Jotalea1y ago

I wonder what are the limitations of this.

- can it run games?

- can it use desktop environments or window managers like KDE or Hyprland?

- how much does it affect performance?

edit: fixed lines

j / k navigate · click thread line to collapse