Mind you, if you're a webdev or a desktop hacker, this would be a good way to launch various hacked versions of Firefox without messing with the browser you need every day. There are four basic steps here:
- build a Firefox image
- authorize X11 connections from containers
- enable Firefox connections in SELinux
- run the container
Start with a Dockerfile for the image:
FROM fedora
# install firefox and its dependencies; clean the dnf cache in the same
# layer so the image actually shrinks a bit
RUN dnf install -y firefox libcanberra-gtk3 PackageKit-gtk3-module \
    dbus dbus-devel dbus-x11 && \
    dnf clean all
RUN dbus-uuidgen --ensure
# make uid and gid match inside and outside the container
# replace 1000 with your gid/uid, find them by running
# the id command
# note: the sudoers line gives the firefox user passwordless root inside
# the container
RUN export uid=1000 gid=1000 && \
    mkdir -p /home/firefox && \
    echo "firefox:x:${uid}:${gid}:Developer,,,:/home/firefox:/bin/bash" >> /etc/passwd && \
    echo "firefox:x:${gid}:" >> /etc/group && \
    echo "firefox ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    chmod 0440 /etc/sudoers && \
    chown ${uid}:${gid} -R /home/firefox
# set up and run firefox
USER firefox
ENV HOME=/home/firefox
CMD /usr/bin/firefox -no-remote
Then you can build your image by running:
docker build -t username/firefox .
Next we need to make sure that the docker container is allowed to run X11 apps on your desktop machine, so that Firefox can run inside the container but be displayed on your desktop. This is a simple command, allowing anyone on localhost to run X apps:
xhost + 127.0.0.1
Third, we also need to make that work with SELinux. The simplest way to do this is to try it, let SELinux block it, and then allow what was blocked. So try launching the Firefox container with the command in the step below. It should fail with some kind of "could not connect to display" error. Then run these commands, as root:
grep firefox /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Finally, your Firefox container should be ready to go. Except you need to add some flags, due to the need to share the X11 socket between the container and the desktop. Here's what I use:
docker run -it -e DISPLAY --net=host jberkus/firefox
This should bring up Firefox in a window on your desktop, under a profile and cache which exists only in the container. If you want to always dispose of this Firefox without saving anything, add an --rm flag to the above.
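Step three feeds every audit line that mentions firefox to audit2allow, which can include denials from processes other than the container. The script below is an added example, not part of the original post: it summarizes the denials by source and target type so they can be reviewed before running semodule -i. The sample records are constructed, and svirt_lxc_net_t is an assumed container domain.

```shell
#!/bin/sh
# Added example: review which denials "grep firefox | audit2allow" would allow.

# Constructed audit records for illustration; not taken from a real system.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1450000001.101:501): avc:  denied  { connectto } for  pid=4211 comm="firefox" scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1450000001.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="firefox" exe="/usr/lib64/firefox/firefox"
type=AVC msg=audit(1450000007.310:514): avc:  denied  { connectto } for  pid=4302 comm="firefox" scontext=system_u:system_r:svirt_lxc_net_t:s0:c56,c78 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1450000009.020:520): avc:  denied  { read write } for  pid=3977 comm="firefox" name="nvidiactl" dev="devtmpfs" ino=1234 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
EOF
}

# Print "count source_type -> target_type:class { perms }" per distinct denial.
summarize_denials() {
    awk '
    function val(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        rule = setype(val("scontext")) " -> " setype(val("tcontext"))
        n[rule ":" val("tclass") " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Print only denials whose source type is NOT the expected container domain;
# these would be allowed as well if the unfiltered grep went to audit2allow.
foreign_denials() {
    summarize_denials | awk -v want="$1" '$2 != want'
}

# svirt_lxc_net_t is an assumed container domain; check yours with "ps -eZ".
# Real use: grep firefox /var/log/audit/audit.log | foreign_denials <domain>
sample_audit_log | foreign_denials svirt_lxc_net_t
```

If foreign_denials prints anything, narrow the grep to the container's own records before generating the module, and read the generated mypol.te before installing mypol.pp.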
If you don't want to paste all of the above from a blog (and really, who does?) I've put up some scripts on Github.
Now, if only I could figure out why fonts aren't rendering correctly in Firefox run this way. Ideas?