Docker Desktop: Your Desktop over ssh inside of a Docker container
blog.docker.ioIf you're sort of confused as to what advantage there is to this way of doing things over just running a VM in VirtualBox or using Vagrant, you probably aren't yet aware of what the Docker project is doing.
It's creating the VirtualBox of Linux Containers. Docker image files are extremely light weight when compared to VirtualBox images and use Union File systems to allow for complete isolation rather than using VM volumes.
An example scenario for when you'd want something like this is if you want to load an experimental library for a specific application that some part of your system depends on the stability of. Fire up a docker image for just that application with the experimental library replacing the stable library and just the applications inside the docker image will see it. No need to even play around with library versions or links. And since the Docker images are so light weight and incur extremely little performance penalty (I think it is limited to just the cost of using the Union FS over your normal FS), you can do this for dozens of scenarios at once.
I'm confused with the advantage over "pure" LXC and a couple of scripts for the mounts, what does it provides for this kind of usage? Or is it not using LXC and basically implements its own interface to the Linux namespaces? (that'd be actually cool... :P)
Docker combines LXC along with a few other isolation and security technologies. What the Docker maintainers are also doing is setting up a system for distributing LXC based images. Beyond this, since Docker works with these union file systems, it also lets you build on top of other images.
Eventually, there may be some way to merge images together, though I imagine that will always be a little harry compared to a simple stack up.
Documentation is more than a little sparse right now, unfortunately. It took me a few days to figure out how all the pieces work together.
Can you be specific about the other security methodologies docker rolls in? Everywhere I read, people say "LXC != VM-level security," specifically, I hear that root on the container means root on the host. These suse guys at least say "If you want to be secure, kvm is still your answer." : http://unixcal.com/s/a4mn . Thoughts?
Root on the container doesn't mean root on the host. Machine-level virtualization has received more scrutiny than LXC, so as of today, many people consider traditional VMs to be more secure. But KVM or Xen are not intrinsically more secure than LXC or OpenVZ. They all have their histories of exploits and privilege escalations.
One key thing is, that it makes sense to run containers without root privileges (greatly improving security), while it is much harder to realistically run a VM without root processes. As a result, it could be said that containers are much safer, because before even thinking about breaking out of the container, you have to work on a root exploit - on a system which, by essence, only runs the processes that you really need, and has a much smaller attack surface.
We're working on a more elaborated answer, to be included within Docker docs!
Docker does use lxc under the hood. They serve very different purposes.
lxc is a tool for sysadmins to deploy and configure virtual servers on their machines.
docker is a tool for developers to package their application into a deployable object without worrying about how the sysadmin will deploy it, and for sysadmins to deploy applications without worrying about how they were packaged.
When you tinker long enough with lxc, eventually you start building something like docker on top of it, because it just makes sense. Now instead of reinventing the wheel you can just use docker.
It's a wrapper around LXC (and a couple other things) to make it usable for mere humans. With LXC there's still too much low-level fiddling work to do. Docker provides everything you need to create and use containers easily and quickly. It downloads images for you. It creates bind mounts for you. It sets up networking in the container for you. It sets up certain IP forwarding rules for you. Etcetera.
Great explanation! Thanks DannoHung
> root@host:~# curl http://get.docker.io | sh
No no no. Do NOT do this. Kids these days...
Honest question: do you audit every line of code you ever download and execute?
Edit: Ironically Docker itself has the potential to help solve the problem of running untrusted open source code. I think every open source project should include either a Dockerfile or Vagrantfile to help users get up and running quickly, and safely run untrusted projects.
On my linux machines, generally, I'll only install software from trusted sources, say rpm repos or ubuntu sources. In this case, yes, I would review the source of this file before running it.
For example, I would notice that it requires apt-get
Then it downloads some binary into /usr/local/bin, at this point, I'd probably configure a VM to review this further.echo "Ensuring basic dependencies are installed..." apt-get -qq update apt-get -qq install lxc wget bsdtarBut would you review the source of Docker too?
I think I get where you're going with this, in that, the burden to run this and review the source is too high, that it almost seems like a waste of time. If that is your point, then I agree with you.
I don't know much about docker, but doing a "curl | sh" peeks my interest, then downloading additional binaries into /usr/local/bin, I'd want to take a closer look. Obviously, this is a case by case review, till it sits well with me. If I was going to run this in production, I'd want to have a really good idea of what this was doing and what to expect, so I'd probably take a closer look at the source if it was not clear from the documentation.
Completely non-judgmentally, it's piques my interest, so you can spell it right next time. (I have the opposite problem: I spell things right and say them wrong.)
I met someone who pronounced "queue" as "kway", as in "I need to go clear my mail kway".
That is all.
Do you reverse engineer your CPU's schematics?
This can go on pretty far - trust is always an eventually unsolvable issue.
There is a certain level of trust that is easy to achieve and easy to get. Trusting dotcloud is easier than trusting everyone on the internet is pink bunny. Happens to be that HTTPS and signing aren't exactly hard either ;-)
Why don't we just add "click to execute" to browsers while we are at it... /s
Because people who use command lines / open source software generally have better judgement about this sort of thing than the average user?
You either have to trust Docker (a fairly well known project built by reputable people) isn't going to root your machine, or download the source yourself and audit it.
This is no worse than suggesting you "git clone whatever; cd whatever; make" (aside from the lack of SSL)
> You either have to trust Docker
...and everybody else on my network, with that method. Doing that I don't even get the chance to think "Hey wait a second, why was this only 50 bytes of shell script...".
The reason that you see outrage for this "method" is because it is born of laziness and far too reminiscent of more disturbing times in computer security.
The original poster didn't say his issue was with the lack of HTTPS so I assumed he doesn't approve of this technique in general, but yes, I agree HTTPS should be used.
> Because people who use command lines / open source software generally have better judgement about this sort of thing
Why do we need an instruction on downloading the source to begin with? It really just promotes bad habits with those who know no better, i.e. new/inexperienced developers. The problem is when people see instructions like that on 20% of the guides they read in earnest, trusting that everything is OK if enough people say it. One hopes they stumble upon a discussion like this so that they can consider the consequences but that just isn't going to happen to everyone. True, one should exercise equal caution while cloning, gem-ing[1], etc. It would be great if authors would just link to the source and paste the relevant lines from the README if necessary.
[1] http://andre.arko.net/2013/03/29/rubygems-openssl-and-you/
I don't, but for install script one can look at least from where the stuff will come. if the download link was using ssl...
I agree, they should use SSL (and don't use a URL shortener, which they don't, but I've seen before).
Ideally it would download a file from Github too, that way you can be sure it's coming straight from the publicly visible open source repo, and you can audit if you want.
But I think the general outrage over this technique is overblown.
One alternative would be a graphical installer that asks for your root password. It would very likely also be served over unencrypted HTTP. This happens all the time, and HN never calls anyone out on it.
How is this different, other than a graphical installer being completely unauditable, whereas curl|sh is quite trivially auditable? Both run code as root.
Put your packages in signed repositories and start serving over https. Then people can even do apt-get install docker. yay.
Actually, this: https://launchpad.net/~dotcloud/+archive/lxc-docker
You can curl the URL and see what it is you'll be executing. You don't get that with an obscure binary you download from the web.
But the URL should be HTTPS.
Of course, because binaries are incapable of doing the same thing as `curl x | sh`...
This also sucks because the scripts always assume some variant of Ubuntu or Debian. Um, no, thank you, damn hipsters.
Exactly _what_ is your qualification for debian being lumped in with hipsters? Some of us have used it as the most rock solid STABLE linux distro for servers and desktops for quite a long time.
He's an avid Yggdrasil user.
As an aside, I miss some of the raw diversity that was present in the old Linux distros. Slackware was my drug of choice due to its steadfastly BSD flavor. I guess Slackware is still around, but have no idea what its status is and whether Patrick ever moved it over to system v-ish convention in order to be more like other Linux distros. I guess that distinction is even a bit anachronistic given all the fancy changes to the way init is done nowadays.
I apologize to Debian users. Respect.
I have debian bo on vinyl.
The website offers install instructions for several OSes: http://docs.docker.io/en/latest/installation/
On Arch Linux installation is as simple as chosen_aur_wrapper -S lxc-docker-git
drivebyacct2 you are hellbanned, time for drivebyacct3 i guess
You can also install using this procedure: http://docs.docker.io/en/latest/installation/binaries/
I think there is more danger in html5 dinamyc fonts, or more evil in a dns request, than an opensource project installer.
Of course, don't do this on your most beloved production machine, if you can package it properly, test it, etc
But rendering a font gives execution with your user, so don't be so afraid of a installer "you can read" and has an interesting purpose.
"But rendering a font gives execution with your user"
Would you point us to a reference, or a further explanation for this claim ? I am genuinely interested...
Sure, it was just an example...
This is how rvm's authors want you to install rvm :)
rvm uses https, which is far better than plain http.
Is there any tool to automate the introspection of curl pipes to warn of potentially malicious code that needs to be given further attention?
The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.
Anyone have other ideas for making curl pipes safer?
Well, detecting potentially malicious shell scripts is merely a matter of solving the halting problem...
Food for thought: http://www.cs.dartmouth.edu/~sergey/langsec/
Would there be any benefit in creating a VM on the fly, running the shell script in the VM and there reporting back on what was modified by the shell script. If all goes well, I reckon you can then safely run the script on the host machine.
Even if you can be bothered to semi-manually audit the changes a script applies to the VM and can afford the time and space overheads of such a "guess-and-check" approach, a malicious server could send you a different script the second time you requested it, or the script could in turn pull down other payloads differently the second time it executed. If you try to extract a diff of the changes applied to the VM and then reapply it to your host machine to ensure the behavior is the same, why not simply have an installer system which behaves in a more restricted way to begin with? The root of the problem is that shell scripts fetched from remote servers are far too flexible to be 'safe'.
Or... use Docker!
Seriously, Docker is perfect for creating a sandbox with all dependencies to help new users get up and running quickly and safely. Every project should come with a Dockerfile and/or Vagrantfile.
... except when someone writes a script that guesses (or reliably detects, depending on container technology) whether it's running in a VM/container and acts differently then. Or if it only acts maliciously say, one out of five times ("old school" viruses would often do that - destroy your floppies sometimes, but most of the time just spread).
Sounds like a great application of Docker, come to think of it. I'm sure it's quite possible to spin up a new docker VM from a shell script and do exactly that.
Hm, the only problem is installing Docker in the first place ...
We're working on a few things that will make that much easier :)
I am not very good at unix command line, but maybe it could be done like this: curl http://get.docker.io > /tmp/docker-install && sh /tmp/docker-install && rm /tmp/docker-install that gives quick and easy way to inspect by executing only first command and then inspecting the source, i.e., 1) copy just first part curl http://get.docker.io > /tmp/docker-install 2) then inspect, e.g. cat /tmp/docker-install 3) run the install sh /tmp/docker-install && rm /tmp/docker-install or, if not reviewing run whole at once
p.s. I know, that there should not be direct copy-paste from browser to console and this method leaves a file in /tmp on installation failure
> The usability of the curl pipe approach is here to stay, so the least we can do is help people be safe with it.
I don't think this is true. It's just going to take a very popular project getting their DNS hijacked before everyone wakes up.
Well, you are right about the usability part. That part is amazing. It's just that curl-pipe is not the answer.
I have updated the blog post with a more secure way of installing docker.
IMHO here's an even cooler hack-
Gtk+, the widget toolkit used to develop GNOME and many free software applications, supports rendering applications via HTML5. One of the developers has demonstrated using it to run desktop applications on OpenShift, Red Hat's PaaS, that you then access via your web browser.
http://blogs.gnome.org/alexl/2013/03/19/broadway-on-openshif...
http://blogs.gnome.org/alexl/2013/04/03/more-gtk-in-the-clou...
But... but... how?
This could be made VERY interesting if you also add an NX server in the mix. I find basic X11 connections via ssh to be rather laggy and unpleasant to use when the internet connection is not top.
The idea behind NX is to "fake" an X client on the server side and fake a NX server on the client side. This reduces the number of roundtrips required for each action. The improved responsiveness is dramatic -- even on a low speed and high-latency link, using the remote desktop feels like a local machine...
http://en.wikipedia.org/wiki/NX_technology
http://freenx.berlios.de/
http://code.google.com/p/neatx/source/list
Take a look at xpra instead. The performance is much beter than X11 forwarding when you don't have a low latency connection.
Thanks for your reply! I tried xpra and it seems to be much better! It also fixed the issue with the keyboard messed-up on Mac OSX. I will publish an update on GitHub soon!
Ok!
X2Go[1] is under active development and to my understanding it's based on NX libraries. It might be a good alternative. I have only tried it briefly and not over WAN, but it worked quite good over WLAN at least.
We're using NX/x2go for working from home or, sometimes but fortunately not too often, less likely remote places such as weekend holiday places. It does work well. I wouldn't go as far as saying it feels like a local machine, and it's not as responsive as regular X over a fast LAN, either. But it's very usable.
I didn't know NX! Thanks for suggesting it Ivan! I will try it !
Give x2go a try first (it's based on nx). In my experience it has been far less fiddly than freenx or neatx.
Ok. I will! It seems to be more up to date. Thanks
I can see usig this to get perfectly replicable, easy to upgrade/rollback and movable works environment - for both local and remote use. I.e., use locally on powerfull machine or rdp to closest powerful machine you can access from slow device. Or have several workspaces similar to virtual desktops for multiple projects...
Exactly. You can easily do that with Docker Desktop :)
I got excited when I saw the Windows installation instructions link, but that is just how to setup Vagrant with VirtualBox to host a Linux machine.
Is there any open-source equivalent to things like Citrix's XenApp, VMWare's ThinApp, Microsoft's App-V, or independent tools like Sandboxie? http://alternativeto.net/software/sandboxie/
We've been experimenting with Ulteo (http://ulteo.com/home/) as a possible alternative to XenApp.
Sorry, but for now it's the only way to install it on Windows. Thanks for asking j_s.
But why Vagrant? It's an unnecessary dependency that requires installation of more stuff I don't use. Why not distribute a pre-built VBox image and torrent it?
ThinApp, App-V, etc. are pretty much equivalent to a chroot jail on unix.
So, if I understood that correctly, it's just a virtual box image of ubuntu or debian that you run headlessly in a linux container (via docker) and then run a Xserver on your actual machine OS and connect to it via SSH with Xforward?
how is this any better than simply running virtualbox on your OS to begin with?
Exactly. It's better because you can build that image anywhere where there is docker installed and it can be easily moved/upgraded and ready to run. But if you think only locally, then there is no much difference, despite that docker lighter and faster.
Further, the VirtualBox instructions are only for Windows users, to get Linux installed (which is a requirement of Docker). You don't need VirtualBox at all. But if you don't have Linux, you can try this with VBox (it's a virtualization tech that nests safely inside of vbox... unlike say, virtualbox inside of virtualbox.)
if i already have linux installed i can carry fat binaries and a kernel for chroot'ing an environment. all in a tar file... I think this is just new way kids does common things of yesterday. or maybe linux containers kicks chroot a in performance?
to me it's not about performance... it's about rigorous isolation. LXC is like FreeBSD jails, though there are things you can do with the cgroup namespace stuff now that are impossible using jails... eg. disk io accounting.
in a jail, one user who attempts to monopolize disk io will succeed. in a cgroup, he can be restricted to exactly 10% of available i/o bandwidth, so you can guarantee that he doesn't starve the other containers.
there are also easy and documented ways to break out of a chroot if you are able to obtain root in the chroot. those holes are plugged by lxc and docker. Most notably, access to devices can be restricted.
I don't know what you mean by "carry fat binaries and a kernel for chrooting an environment" -- you don't need a separate kernel for chroot, any more than you need a separate kernel for docker. There's no advantage to static linked binaries (fat binaries?) when you can put the storage of your containers in a zpool or btrfs with deduplification. Same as your chroots.
Try out docker. Read about cgroups. I first gave LXC a try a few years ago and I was really sad about the extent of support for creating guests and keeping them properly isolated. It was really not friendly at all. You basically had to commit to using kernel patches that made your system pretty unusable as a desktop. (Was that xen dom0 or lxc?)
Everyone was saying, "Ohh, LXC is no better than a chroot." It's insecure, easy to break yourself out. Not so much anymore, with the current state of Docker you don't even have to know all the advances in cgroup and namespaces.
It's worth a look. Really, go check it out.
And for Mac users.
Here's a recipe for using vnc to get pixels out of a docker:
http://stackoverflow.com/questions/16296753/can-you-run-gui-...
Linux != Debian
The script is actually Ubuntu specific, not Debian (it uses Upstart).