Skip to content

Protecting my data and client's data, by running day-to-day apps inside Docker containers

License

Notifications You must be signed in to change notification settings

Bartmr/docker-workspaces

Repository files navigation

Some of my day-to-day software, in Docker containers

After knowing that saved Chrome passwords and cookies in Linux are not protected against malicious dependencies in our development environment or other apps in our system, I decided to run my core apps in Docker containers, where their data is not accessible without sudo, and a personal understanding of where stuff is being saved.

Contrary to https://github.com/jessfraz/dockerfiles/, docker-workspaces:

  • runs Chrome in a sandbox
  • encrypts passwords and cookies with the help of an also dockerized gnome-keychain
  • works with your headphones

Development

Practices

  • Enable the sudo command in the containers so you can easily update the software in the containers with sudo apt update && sudo apt upgrade, while using said software and not needing to rebuild and restart the container.
  • Always use a non-root user as early as possible in Dockerfile.
    • Make sure all Docker containers run with a non-root user
  • Try to use Docker base images based on the host operating system
    • Example: if you use Ubuntu 22.04, you should use FROM ubuntu:22.04 in your Dockerfiles

Useful snippets

  • Upgrade all packages without rebuilding the whole image and any base images that it uses

    ARG CACHEBUST
    RUN echo "cache bust $CACHEBUST"
    
    RUN apt-get update && apt-get upgrade -y --no-install-recommends
    
  • Set timezone inside container

    • Dockerfile
      ARG TZ
      ENV TZ=$TZ
      RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
      RUN apt-get install -y tzdata
      
    • When running the docker container
      -v /etc/timezone:/etc/timezone:ro
      -v /etc/localtime:/etc/localtime:ro
      
    • Before starting the software inside the docker container
      export TZ=$(cat /etc/timezone)
      
  • Add sudo to container

    • add final user to sudo group
    • set it's password
      RUN echo "user:password" | chpasswd
      

Links

To think about

  • Using X11 in Mac

    1. Install XQuartz brew install xquartz
    2. Install socat brew install socat
    3. open -a XQuartz and make sure you "Allow connections from network clients" (in XQuartz > Preferences... > Security)
    4. Now add the IP using Xhost with: xhost + 127.0.0.1 or xhost + $(ipconfig getifaddr en0)
    5. Start socat socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\"
    6. Start up Ghidra
    $ docker run --init -it --rm \
                --name ghidra \
                --cpus 2 \
                --memory 4g \
                -e MAXMEM=4G \
                -e DISPLAY=host.docker.internal:0 \
                -v /path/to/samples:/samples \
                -v /path/to/projects:/root \
                blacktop/ghidra

About

Protecting my data and client's data, by running day-to-day apps inside Docker containers

Topics

Resources

License

Stars

Watchers

Forks