After knowing that saved Chrome passwords and cookies in Linux are not protected against malicious dependencies in our development environment or other apps in our system, I decided to run my core apps in Docker containers, where their data is not accessible without sudo, and a personal understanding of where stuff is being saved.
Contrary to https://github.com/jessfraz/dockerfiles/, docker-workspaces:
- runs Chrome in a sandbox
- encrypts passwords and cookies with the help of an also dockerized gnome-keychain
- works with your headphones
- Enable the
sudo
command in the containers so you can easily update the software in the containers withsudo apt update && sudo apt upgrade
, while using said software and not needing to rebuild and restart the container. - Always use a non-root user as early as possible in Dockerfile.
- Make sure all Docker containers run with a non-root user
- Try to use Docker base images based on the host operating system
- Example: if you use Ubuntu 22.04, you should use
FROM ubuntu:22.04
in your Dockerfiles
- Example: if you use Ubuntu 22.04, you should use
-
Upgrade all packages without rebuilding the whole image and any base images that it uses
ARG CACHEBUST RUN echo "cache bust $CACHEBUST" RUN apt-get update && apt-get upgrade -y --no-install-recommends
-
Set timezone inside container
- Dockerfile
ARG TZ ENV TZ=$TZ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone RUN apt-get install -y tzdata
- When running the docker container
-v /etc/timezone:/etc/timezone:ro -v /etc/localtime:/etc/localtime:ro
- Before starting the software inside the docker container
export TZ=$(cat /etc/timezone)
- Dockerfile
-
Add
sudo
to container- add final user to
sudo
group - set it's password
RUN echo "user:password" | chpasswd
- add final user to
- Using dynamically created devices (--device-cgroup-rule)
- Access an NVIDIA GPU
- https://blog.jessfraz.com/post/docker-containers-on-the-desktop/
- https://docs.docker.com/engine/reference/builder/#buildkit
- https://leimao.github.io/blog/Docker-Container-Audio/
- https://github.com/docker/buildx
-
Using X11 in Mac
- Install XQuartz
brew install xquartz
- Install socat
brew install socat
open -a XQuartz
and make sure you "Allow connections from network clients" (in XQuartz > Preferences... > Security)- Now add the IP using Xhost with:
xhost + 127.0.0.1
orxhost + $(ipconfig getifaddr en0)
- Start socat
socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\"
- Start up Ghidra
$ docker run --init -it --rm \ --name ghidra \ --cpus 2 \ --memory 4g \ -e MAXMEM=4G \ -e DISPLAY=host.docker.internal:0 \ -v /path/to/samples:/samples \ -v /path/to/projects:/root \ blacktop/ghidra
- Install XQuartz