Docker Desktop: Your Desktop over ssh inside of a Docker container (opens in new tab)

(blog.docker.io)

133 pointsrogaha12y ago80 comments

80 comments

If you're sort of confused as to what advantage there is to this way of doing things over just running a VM in VirtualBox or using Vagrant, you probably aren't yet aware of what the Docker project is doing.

It's creating the VirtualBox of Linux Containers. Docker image files are extremely light weight when compared to VirtualBox images and use Union File systems to allow for complete isolation rather than using VM volumes.

An example scenario for when you'd want something like this is if you want to load an experimental library for a specific application that some part of your system depends on the stability of. Fire up a docker image for just that application with the experimental library replacing the stable library and just the applications inside the docker image will see it. No need to even play around with library versions or links. And since the Docker images are so light weight and incur extremely little performance penalty (I think it is limited to just the cost of using the Union FS over your normal FS), you can do this for dozens of scenarios at once.

zobzu12y ago

I'm confused with the advantage over "pure" LXC and a couple of scripts for the mounts, what does it provides for this kind of usage? Or is it not using LXC and basically implements its own interface to the Linux namespaces? (that'd be actually cool... :P)

DannoHung12y ago

Docker combines LXC along with a few other isolation and security technologies. What the Docker maintainers are also doing is setting up a system for distributing LXC based images. Beyond this, since Docker works with these union file systems, it also lets you build on top of other images.

Eventually, there may be some way to merge images together, though I imagine that will always be a little harry compared to a simple stack up.

Documentation is more than a little sparse right now, unfortunately. It took me a few days to figure out how all the pieces work together.

1 more reply

shykes12y ago

Docker does use lxc under the hood. They serve very different purposes.

lxc is a tool for sysadmins to deploy and configure virtual servers on their machines.

docker is a tool for developers to package their application into a deployable object without worrying about how the sysadmin will deploy it, and for sysadmins to deploy applications without worrying about how they were packaged.

When you tinker long enough with lxc, eventually you start building something like docker on top of it, because it just makes sense. Now instead of reinventing the wheel you can just use docker.

FooBarWidget12y ago

It's a wrapper around LXC (and a couple other things) to make it usable for mere humans. With LXC there's still too much low-level fiddling work to do. Docker provides everything you need to create and use containers easily and quickly. It downloads images for you. It creates bind mounts for you. It sets up networking in the container for you. It sets up certain IP forwarding rules for you. Etcetera.

rogahaOP12y ago

Great explanation! Thanks DannoHung

beachstartup12y ago

> root@host:~# curl http://get.docker.io | sh

No no no. Do NOT do this. Kids these days...

tlrobinson12y ago

Honest question: do you audit every line of code you ever download and execute?

Edit: Ironically Docker itself has the potential to help solve the problem of running untrusted open source code. I think every open source project should include either a Dockerfile or Vagrantfile to help users get up and running quickly, and safely run untrusted projects.

WestCoastJustin12y ago

On my linux machines, generally, I'll only install software from trusted sources, say rpm repos or ubuntu sources. In this case, yes, I would review the source of this file before running it.

For example, I would notice that it requires apt-get

  echo "Ensuring basic dependencies are installed..."
  apt-get -qq update
  apt-get -qq install lxc wget bsdtar

Then it downloads some binary into /usr/local/bin, at this point, I'd probably configure a VM to review this further.

1 more reply

jlgreco12y ago

Why don't we just add "click to execute" to browsers while we are at it... /s

1 more reply

jol12y ago

I don't, but for install script one can look at least from where the stuff will come. if the download link was using ssl...

1 more reply

burke12y ago

One alternative would be a graphical installer that asks for your root password. It would very likely also be served over unencrypted HTTP. This happens all the time, and HN never calls anyone out on it.

How is this different, other than a graphical installer being completely unauditable, whereas curl|sh is quite trivially auditable? Both run code as root.

zobzu12y ago

Put your packages in signed repositories and start serving over https. Then people can even do apt-get install docker. yay.

1 more reply

beaumartinez12y ago

You can curl the URL and see what it is you'll be executing. You don't get that with an obscure binary you download from the web.

But the URL should be HTTPS.

Groxx12y ago

Of course, because binaries are incapable of doing the same thing as `curl x | sh`...

antocv12y ago

This also sucks because the scripts always assume some variant of Ubuntu or Debian. Um, no, thank you, damn hipsters.

slashdotdotorg12y ago

Exactly _what_ is your qualification for debian being lumped in with hipsters? Some of us have used it as the most rock solid STABLE linux distro for servers and desktops for quite a long time.

3 more replies

shykes12y ago

The website offers install instructions for several OSes: http://docs.docker.io/en/latest/installation/

mateuszf12y ago

On Arch Linux installation is as simple as chosen_aur_wrapper -S lxc-docker-git

throwaway204812y ago

drivebyacct2 you are hellbanned, time for drivebyacct3 i guess

rogahaOP12y ago

You can also install using this procedure: http://docs.docker.io/en/latest/installation/binaries/

txutxu12y ago

I think there is more danger in html5 dinamyc fonts, or more evil in a dns request, than an opensource project installer.

Of course, don't do this on your most beloved production machine, if you can package it properly, test it, etc

But rendering a font gives execution with your user, so don't be so afraid of a installer "you can read" and has an interesting purpose.

rsync12y ago

"But rendering a font gives execution with your user"

Would you point us to a reference, or a further explanation for this claim ? I am genuinely interested...

1 more reply

anonymoushn12y ago

This is how rvm's authors want you to install rvm :)

kawsper12y ago

rvm uses https, which is far better than plain http.

malandrew12y ago

Is there any tool to automate the introspection of curl pipes to warn of potentially malicious code that needs to be given further attention?

The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.

Anyone have other ideas for making curl pipes safer?

RodgerTheGreat12y ago

Well, detecting potentially malicious shell scripts is merely a matter of solving the halting problem...

Food for thought: http://www.cs.dartmouth.edu/~sergey/langsec/

1 more reply

jol12y ago

I am not very good at unix command line, but maybe it could be done like this: curl http://get.docker.io > /tmp/docker-install && sh /tmp/docker-install && rm /tmp/docker-install that gives quick and easy way to inspect by executing only first command and then inspecting the source, i.e., 1) copy just first part curl http://get.docker.io > /tmp/docker-install 2) then inspect, e.g. cat /tmp/docker-install 3) run the install sh /tmp/docker-install && rm /tmp/docker-install or, if not reviewing run whole at once

p.s. I know, that there should not be direct copy-paste from browser to console and this method leaves a file in /tmp on installation failure

darkarmani12y ago

> The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.

I don't think this is true. It's just going to take a very popular project getting their DNS hijacked before everyone wakes up.

Well, you are right about the usability part. That part is amazing. It's just that curl-pipe is not the answer.

rogahaOP12y ago

I have updated the blog post with a more secure way of installing docker.

sciurus12y ago

IMHO here's an even cooler hack-

Gtk+, the widget toolkit used to develop GNOME and many free software applications, supports rendering applications via HTML5. One of the developers has demonstrated using it to run desktop applications on OpenShift, Red Hat's PaaS, that you then access via your web browser.

http://blogs.gnome.org/alexl/2013/03/19/broadway-on-openshif...

http://blogs.gnome.org/alexl/2013/04/03/more-gtk-in-the-clou...

StavrosK12y ago

But... but... how?

ivansavz12y ago

This could be made VERY interesting if you also add an NX server in the mix. I find basic X11 connections via ssh to be rather laggy and unpleasant to use when the internet connection is not top.

The idea behind NX is to "fake" an X client on the server side and fake a NX server on the client side. This reduces the number of roundtrips required for each action. The improved responsiveness is dramatic -- even on a low speed and high-latency link, using the remote desktop feels like a local machine...

    http://en.wikipedia.org/wiki/NX_technology

Unfortunately, the two open source projects which aimed to reproduce the NX functionality seem to have been abandoned.

    http://freenx.berlios.de/
    http://code.google.com/p/neatx/source/list

Is anyone using NX these days? Perhaps, people stopped developing these because they work well already?

sciurus12y ago

Take a look at xpra instead. The performance is much beter than X11 forwarding when you don't have a low latency connection.

http://xpra.org/

rogahaOP12y ago

Thanks for your reply! I tried xpra and it seems to be much better! It also fixed the issue with the keyboard messed-up on Mac OSX. I will publish an update on GitHub soon!

rogahaOP12y ago

Ok!

cpach12y ago

X2Go[1] is under active development and to my understanding it's based on NX libraries. It might be a good alternative. I have only tried it briefly and not over WAN, but it worked quite good over WLAN at least.

[1]: http://wiki.x2go.org/doku.php/start

morsch12y ago

We're using NX/x2go for working from home or, sometimes but fortunately not too often, less likely remote places such as weekend holiday places. It does work well. I wouldn't go as far as saying it feels like a local machine, and it's not as responsive as regular X over a fast LAN, either. But it's very usable.

rogahaOP12y ago

I didn't know NX! Thanks for suggesting it Ivan! I will try it !

alyandon12y ago

Give x2go a try first (it's based on nx). In my experience it has been far less fiddly than freenx or neatx.

1 more reply

jol12y ago

I can see usig this to get perfectly replicable, easy to upgrade/rollback and movable works environment - for both local and remote use. I.e., use locally on powerfull machine or rdp to closest powerful machine you can access from slow device. Or have several workspaces similar to virtual desktops for multiple projects...

rogahaOP12y ago

Exactly. You can easily do that with Docker Desktop :)

j_s12y ago

I got excited when I saw the Windows installation instructions link, but that is just how to setup Vagrant with VirtualBox to host a Linux machine.

Is there any open-source equivalent to things like Citrix's XenApp, VMWare's ThinApp, Microsoft's App-V, or independent tools like Sandboxie? http://alternativeto.net/software/sandboxie/

rufugee12y ago

We've been experimenting with Ulteo (http://ulteo.com/home/) as a possible alternative to XenApp.

rogahaOP12y ago

Sorry, but for now it's the only way to install it on Windows. Thanks for asking j_s.

mmgutz12y ago

But why Vagrant? It's an unnecessary dependency that requires installation of more stuff I don't use. Why not distribute a pre-built VBox image and torrent it?

jahewson12y ago

ThinApp, App-V, etc. are pretty much equivalent to a chroot jail on unix.

gcb012y ago

So, if I understood that correctly, it's just a virtual box image of ubuntu or debian that you run headlessly in a linux container (via docker) and then run a Xserver on your actual machine OS and connect to it via SSH with Xforward?

how is this any better than simply running virtualbox on your OS to begin with?

rogahaOP12y ago

Exactly. It's better because you can build that image anywhere where there is docker installed and it can be easily moved/upgraded and ready to run. But if you think only locally, then there is no much difference, despite that docker lighter and faster.

yebyen12y ago

Further, the VirtualBox instructions are only for Windows users, to get Linux installed (which is a requirement of Docker). You don't need VirtualBox at all. But if you don't have Linux, you can try this with VBox (it's a virtualization tech that nests safely inside of vbox... unlike say, virtualbox inside of virtualbox.)

2 more replies

willvarfar12y ago

Here's a recipe for using vnc to get pixels out of a docker:

http://stackoverflow.com/questions/16296753/can-you-run-gui-...

VaucGiaps12y ago

Linux != Debian

icebraining12y ago

The script is actually Ubuntu specific, not Debian (it uses Upstart).

j / k navigate · click thread line to collapse

80 comments

DannoHung12y ago

zobzu12y ago

DannoHung12y ago

Eventually, there may be some way to merge images together, though I imagine that will always be a little harry compared to a simple stack up.

Documentation is more than a little sparse right now, unfortunately. It took me a few days to figure out how all the pieces work together.

1 more reply

shykes12y ago

Docker does use lxc under the hood. They serve very different purposes.

lxc is a tool for sysadmins to deploy and configure virtual servers on their machines.

When you tinker long enough with lxc, eventually you start building something like docker on top of it, because it just makes sense. Now instead of reinventing the wheel you can just use docker.

FooBarWidget12y ago

rogahaOP12y ago

Great explanation! Thanks DannoHung

beachstartup12y ago

> root@host:~# curl http://get.docker.io | sh

No no no. Do NOT do this. Kids these days...

tlrobinson12y ago

Honest question: do you audit every line of code you ever download and execute?

WestCoastJustin12y ago

On my linux machines, generally, I'll only install software from trusted sources, say rpm repos or ubuntu sources. In this case, yes, I would review the source of this file before running it.

For example, I would notice that it requires apt-get

  echo "Ensuring basic dependencies are installed..."
  apt-get -qq update
  apt-get -qq install lxc wget bsdtar

Then it downloads some binary into /usr/local/bin, at this point, I'd probably configure a VM to review this further.

1 more reply

jlgreco12y ago

Why don't we just add "click to execute" to browsers while we are at it... /s

1 more reply

jol12y ago

I don't, but for install script one can look at least from where the stuff will come. if the download link was using ssl...

1 more reply

burke12y ago

How is this different, other than a graphical installer being completely unauditable, whereas curl|sh is quite trivially auditable? Both run code as root.

zobzu12y ago

Put your packages in signed repositories and start serving over https. Then people can even do apt-get install docker. yay.

1 more reply

beaumartinez12y ago

You can curl the URL and see what it is you'll be executing. You don't get that with an obscure binary you download from the web.

But the URL should be HTTPS.

Groxx12y ago

Of course, because binaries are incapable of doing the same thing as `curl x | sh`...

antocv12y ago

This also sucks because the scripts always assume some variant of Ubuntu or Debian. Um, no, thank you, damn hipsters.

slashdotdotorg12y ago

Exactly _what_ is your qualification for debian being lumped in with hipsters? Some of us have used it as the most rock solid STABLE linux distro for servers and desktops for quite a long time.

3 more replies

shykes12y ago

The website offers install instructions for several OSes: http://docs.docker.io/en/latest/installation/

mateuszf12y ago

On Arch Linux installation is as simple as chosen_aur_wrapper -S lxc-docker-git

throwaway204812y ago

drivebyacct2 you are hellbanned, time for drivebyacct3 i guess

rogahaOP12y ago

You can also install using this procedure: http://docs.docker.io/en/latest/installation/binaries/

txutxu12y ago

I think there is more danger in html5 dinamyc fonts, or more evil in a dns request, than an opensource project installer.

Of course, don't do this on your most beloved production machine, if you can package it properly, test it, etc

But rendering a font gives execution with your user, so don't be so afraid of a installer "you can read" and has an interesting purpose.

rsync12y ago

"But rendering a font gives execution with your user"

Would you point us to a reference, or a further explanation for this claim ? I am genuinely interested...

1 more reply

anonymoushn12y ago

This is how rvm's authors want you to install rvm :)

kawsper12y ago

rvm uses https, which is far better than plain http.

malandrew12y ago

Is there any tool to automate the introspection of curl pipes to warn of potentially malicious code that needs to be given further attention?

The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.

Anyone have other ideas for making curl pipes safer?

RodgerTheGreat12y ago

Well, detecting potentially malicious shell scripts is merely a matter of solving the halting problem...

Food for thought: http://www.cs.dartmouth.edu/~sergey/langsec/

1 more reply

jol12y ago

p.s. I know, that there should not be direct copy-paste from browser to console and this method leaves a file in /tmp on installation failure

darkarmani12y ago

> The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.

I don't think this is true. It's just going to take a very popular project getting their DNS hijacked before everyone wakes up.

Well, you are right about the usability part. That part is amazing. It's just that curl-pipe is not the answer.

rogahaOP12y ago

I have updated the blog post with a more secure way of installing docker.

sciurus12y ago

IMHO here's an even cooler hack-

http://blogs.gnome.org/alexl/2013/03/19/broadway-on-openshif...

http://blogs.gnome.org/alexl/2013/04/03/more-gtk-in-the-clou...

StavrosK12y ago

But... but... how?

ivansavz12y ago

This could be made VERY interesting if you also add an NX server in the mix. I find basic X11 connections via ssh to be rather laggy and unpleasant to use when the internet connection is not top.

    http://en.wikipedia.org/wiki/NX_technology

Unfortunately, the two open source projects which aimed to reproduce the NX functionality seem to have been abandoned.

    http://freenx.berlios.de/
    http://code.google.com/p/neatx/source/list

Is anyone using NX these days? Perhaps, people stopped developing these because they work well already?

sciurus12y ago

Take a look at xpra instead. The performance is much beter than X11 forwarding when you don't have a low latency connection.

http://xpra.org/

rogahaOP12y ago

Thanks for your reply! I tried xpra and it seems to be much better! It also fixed the issue with the keyboard messed-up on Mac OSX. I will publish an update on GitHub soon!

rogahaOP12y ago

Ok!

cpach12y ago

[1]: http://wiki.x2go.org/doku.php/start

morsch12y ago

rogahaOP12y ago

I didn't know NX! Thanks for suggesting it Ivan! I will try it !

alyandon12y ago

Give x2go a try first (it's based on nx). In my experience it has been far less fiddly than freenx or neatx.

1 more reply

jol12y ago

rogahaOP12y ago

Exactly. You can easily do that with Docker Desktop :)

j_s12y ago

I got excited when I saw the Windows installation instructions link, but that is just how to setup Vagrant with VirtualBox to host a Linux machine.

Is there any open-source equivalent to things like Citrix's XenApp, VMWare's ThinApp, Microsoft's App-V, or independent tools like Sandboxie? http://alternativeto.net/software/sandboxie/

rufugee12y ago

We've been experimenting with Ulteo (http://ulteo.com/home/) as a possible alternative to XenApp.

rogahaOP12y ago

Sorry, but for now it's the only way to install it on Windows. Thanks for asking j_s.

mmgutz12y ago

But why Vagrant? It's an unnecessary dependency that requires installation of more stuff I don't use. Why not distribute a pre-built VBox image and torrent it?

jahewson12y ago

ThinApp, App-V, etc. are pretty much equivalent to a chroot jail on unix.

gcb012y ago

how is this any better than simply running virtualbox on your OS to begin with?

rogahaOP12y ago

yebyen12y ago

2 more replies

willvarfar12y ago

Here's a recipe for using vnc to get pixels out of a docker:

http://stackoverflow.com/questions/16296753/can-you-run-gui-...

VaucGiaps12y ago

Linux != Debian

icebraining12y ago

The script is actually Ubuntu specific, not Debian (it uses Upstart).

j / k navigate · click thread line to collapse