
Running Ubuntu desktop #245

Closed
dualscyther opened this issue Apr 25, 2020 · 6 comments
@dualscyther

dualscyther commented Apr 25, 2020

Hi! First of all, thanks for making and maintaining this so actively!

I'm looking to essentially run a typical Ubuntu desktop experience inside a container. I plan to use the host as a home server to run all sorts of things (administered via a TTY), but I only have the one physical computer, so I need to run my workstation too. I could just run it in a VM, but I only have a single GPU, so I don't have the option of passing it through to the VM, meaning I wouldn't be able to play games.

My Dockerfile is essentially just:

FROM ubuntu:20.04

RUN ln -fs /usr/share/zoneinfo/Australia/Sydney /etc/localtime
RUN apt-get update && \
    # some packages like tzdata install interactively by default
    DEBIAN_FRONTEND=noninteractive apt-get install -y ubuntu-desktop

# not sure if this is the right command to run if I want to start *everything*
CMD gnome-session

The plan is to switch (using Ctrl + Alt + F1-F12) to the "host" TTY when I want to do things on the server, and use the container TTY for my daily activities like games, web browsing, video conferencing. I mainly want to isolate IPC, file system, and network (on the host I will not run a VPN, but I wish to run a VPN in the desktop environment in the container), but it does not need to be secure (I'm just looking to prevent accidents/buggy code from messing things up on the host). Ideally USB devices (like plugging in a flash drive) should "just work" and not require rebooting or switching TTYs to the host.

I also wonder if Ubuntu's Snap will have issues with installing things since it abuses loopback devices to do so, but this is not a deal breaker. In fact, I don't even need to be running Snap or Ubuntu; any popular distro made to work "out of the box" (Debian, Fedora, etc.) will do.

  1. Is this even possible?
  2. Will this fit my use case?
  3. Am I better off just defining a Dockerfile and a bare Docker command without x11docker for my use case? x11docker is essentially just (a very convenient) Docker command generator right?
@mviereck
Owner

Overall this is possible.

Some points can cause issues:

  • I discourage using the Gnome desktop. It is very unstable in unusual environments. I provide an experimental image x11docker/gnome, but for stability I rather recommend e.g. Xfce, LXDE, Mate, or even KDE. I provide several desktop images that you can use as a base, see https://github.com/mviereck/x11docker#desktop-environments.
  • Hot plugging USB devices does not work ootb. I would have to check out how/if that is possible with an unprivileged container. One attempt could be configuring the host to auto-mount USB devices in a folder like /mnt and to share /mnt with the container.
  • If you run multiple graphical ttys, be careful with tty switching. There is an issue (in Xorg?) that can cause crashes of Xorg during a tty switch. Always switch to a "black" tty before switching to a graphical tty.

I also wonder if Ubuntu's Snap will have issues with installing things

If you have Ubuntu on your host, do not use snap to install Docker but use apt instead. snap imposes some restrictions on Docker. x11docker can handle that, but at the cost of some security setup. In a container, snap will likely fail altogether because it uses some containerization features that it would miss in a container.

Am I better off just defining a Dockerfile and a bare Docker command without x11docker for my use case? x11docker is essentially just (a very convenient) Docker command generator right?

You can set up your own Xorg and Docker command, of course. The x11docker wiki might help you. x11docker wraps Xorg and Docker and makes it convenient to just run it. x11docker does several setup steps in the background that can spare you some work and some issues. For example, it automatically sets the time zone in the container to the same as on the host; you did this manually in the Dockerfile.

@dualscyther
Author

Wow, thanks for replying so quickly :) I did see x11docker/gnome and used it as a reference, but I realised that apt-installing the ubuntu-desktop package already installs everything in the x11docker/gnome image.

I would have to check out how/if that is possible with an unprivileged container

A privileged container would be fine. Would that allow hot plugging USB devices ootb? Alternatively, maybe I could just mount /dev? I would prefer to blacklist certain devices (specifically, my hard disks) but it's not a huge issue. I'm not sure if Docker lets you allow everything but then exclude certain devices.

One attempt could be configuring the host to auto-mount USB devices in a folder

That also sounds like a good plan in case I can't get things working 👍

If you run multiple graphical ttys, be careful with tty switching

My activity on the host would use a text tty, it's only the container that would require a graphical tty, so this shouldn't be a problem I assume?

In container snap likely fails at all because it uses some containerization features that it would miss in a container.

Thanks, that's what I thought. Do you know what features it would be missing? Would --privileged fix this?

@mviereck
Owner

mviereck commented Apr 26, 2020

A privileged container would be fine. Would that allow hot plugging USB devices ootb? Alternatively, maybe I could just mount /dev? I would prefer to blacklist certain devices (specifically, my hard disks) but it's not a huge issue. I'm not sure if Docker lets you allow everything but then exclude certain devices.

Be careful with giving privileges.

  • Many setups use --privileged to solve all problems. But this essentially disables all containerization except the file system. I call those "failed setups".
  • mount within a container needs --cap-add=SYS_ADMIN. This is nearly root-equivalent and should not be used.
  • Sharing entire /dev but blacklisting some devices does not work.
  • USB devices appear as /dev/sdX, so you would need entire /dev.
  • auto-mount in container likely needs --cap-add=SYS_ADMIN, --init=systemd, --share /dev and maybe --share /run/udev/data:ro and --cap-default.
  • It is better the host does the mount work.

It is also difficult to access audio CDs and DVDs. Compare ehough/docker-kodi#32

My activity on the host would use a text tty, it's only the container that would require a graphical tty, so this shouldn't be a problem I assume?

This setup is fine.

Thanks, that's what I thought. Do you know what features it would be missing? Would --privileged fix this?

--privileged might fix that. But you would lose all security and add complexity. I don't know exactly which privileges are needed for snap. At least it will be SYS_ADMIN to mount the file system, maybe also NET_ADMIN for network setup.
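The privilege cost described above can be measured on the host instead of guessed. The following is an added example for this thread, not x11docker or Docker code: run it as root on the host against a container's init PID (obtained with `docker inspect -f '{{.State.Pid}}' <name>`), and it decodes the container's effective capability mask from /proc/<pid>/status, flags the capabilities that amount to host access (SYS_ADMIN first), lists anything beyond Docker's default set, and reports which kernel namespaces the container still shares with host PID 1. The bit table is the one from linux/capability.h; the "risky" set and the constructed sample data are the example's own choices.

```python
"""Host-side audit of what a container actually got.

Added example for the x11docker issue thread; not Docker or x11docker code.
Usage (as root on the host):  python3 audit_container.py <container-init-pid>
"""
import os
import re
import sys

# Capability bit numbers from linux/capability.h (bit 0 = CAP_CHOWN, ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's default capability set for a container started without --cap-add.
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}

# Example's own choice: capabilities that make host tampering or escape easy.
# SYS_ADMIN (mount, namespace setup) is the one the thread is about.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE",
              "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT", "MAC_ADMIN"}

NAMESPACES = ("ipc", "mnt", "net", "pid", "user", "uts")


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into the set of capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits beyond our table mean a newer kernel; still report them by number.
    bit = len(CAP_NAMES)
    while mask >> bit:
        if mask >> bit & 1:
            names.add("CAP_%d" % bit)
        bit += 1
    return names


def parse_cap_eff(status_text):
    """Extract the CapEff mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1).lower()


def risky_caps(hex_mask):
    """The subset of an effective mask that grants host-level power."""
    return decode_caps(hex_mask) & RISKY_CAPS


def shared_namespaces(host_links, ctr_links):
    """Given {ns: 'net:[4026531992]'} maps for host PID 1 and the container
    init, return the namespaces the container was NOT isolated in."""
    return {ns for ns in NAMESPACES
            if ns in host_links and host_links[ns] == ctr_links.get(ns)}


def read_ns_links(pid):
    """Read /proc/<pid>/ns/* symlink targets; the inode identifies the ns."""
    links = {}
    for ns in NAMESPACES:
        try:
            links[ns] = os.readlink("/proc/%d/ns/%s" % (pid, ns))
        except OSError:
            pass  # namespace type not present on this kernel, or no permission
    return links


def audit_pid(pid):
    """Full report for one container init PID, as plain sorted lists."""
    with open("/proc/%d/status" % pid) as f:
        eff = parse_cap_eff(f.read())
    caps = decode_caps(eff)
    return {
        "effective_caps": sorted(caps),
        "risky_caps": sorted(caps & RISKY_CAPS),
        "beyond_docker_default": sorted(caps - DOCKER_DEFAULT_CAPS),
        "shared_with_host": sorted(
            shared_namespaces(read_ns_links(1), read_ns_links(pid))),
    }


if __name__ == "__main__":
    for key, values in audit_pid(int(sys.argv[1])).items():
        print("%s: %s" % (key, ", ".join(values) or "-"))
```

For a plain `docker run` the risky list is empty and, unless user-namespace remapping is configured in the daemon, only the user namespace shows as shared with the host. `--privileged` makes SYS_ADMIN, NET_ADMIN, SYS_MODULE and the rest appear in the risky list; `--ipc=host` and `--net=host` show up as shared ipc and net namespaces, which is the direct way to see whether the IPC and network isolation the original question asked for is still in place.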

@dualscyther
Author

Sounds like automatically mounting from the host is the way to go if I don't use --privileged. I think this means that hot plugging a mouse or keyboard won't work? It's not a big issue since usually I will leave those plugged. Again, security against intentionally malicious applications is not a concern, so I'm okay with using --privileged if it will fix all of my problems.

Just as a test I managed to boot my docker image with ubuntu-desktop installed and the Gnome settings app works. Unfortunately, I can't figure out how to run NetworkManager inside the container. I assume this is because the wifi/ethernet/bluetooth controllers are not passed through? It'd be great if I could get my bluetooth headphones working inside the container too, rather than having to pair from the host.

@mviereck
Owner

I think this means that hot plugging a mouse or keyboard won't work?

That should work. Keyboard and mouse are managed by Xorg (maybe with some host udev magic, too). x11docker runs X on the host, so the X input devices will work.

Again, security against intentionally malicious applications is not a concern, so I'm okay with using --privileged if it will fix all of my problems.

Initially you said:

I mainly want to isolate IPC, file system, and network

with --privileged you lose IPC and network namespacing.

Unfortunately, I can't figure out how to run NetworkManager inside the container. I assume this is because the wifi/ethernet/bluetooth controllers are not passed through?

Docker handles the network access for the container; I am not familiar with the details.
I'd say it is better to give this job to the host.

It'd be great if I could get my bluetooth headphones working inside the container too, rather than having to pair from the host.

I have close to no experience with bluetooth. Sorry, I have no direct idea about this. Sharing bluetooth device files in /dev might help.

Overall, for some things that need interaction with the host (maybe bluetooth pairing, too) it might help you to run a host terminal on the X server alongside the container applications. You can use e.g. --runfromhost "xfce4-terminal &" to get a host terminal. So you would not need to switch tty for some commands on host.

@dualscyther
Author

with --privileged you lose IPC and network namespacing.

Yep, ideally I'd have all three, but file system is the most important one.

Thank you so much, this has been really comprehensive help and I appreciate it!
