
How to run GUI applications directly in containers

wmf

I don't want to be negative but Flatpak is a container runtime specifically designed for GUI apps and Docker isn't.

razemio

I think this depends on your use case. As a dev I would take dockerized gui applications over flatpak all day, as it allows me to quickly add additional packages and networking for example. The possibilities would be endless while all can reside in a small docker-compose stack right in the repository.

kccqzy

Your perspective is understandable. When you say "as a dev" it sounds like you really want to be a docker dev but not a flatpak dev: you are used to writing docker files and docker-compose files but you are not interested in writing flatpak apps. That's okay because docker is focused on developers whereas flatpak is more user-centric.

mariusor

You can always build your own flatpak image with whatever else you need. I think the only thing you're losing is the layered architecture of OSI images.

dnndndej

But doesn't Flatpak offer much deeper system integration by default? Like being able to access the home directory by default and being able to talk to dbus?

To me Flatpak looks like a way to achieve application compatibility, not security.

TingPing

By default a flatpak has no permissions. It exposes ways to add permissions both statically and dynamically. So security varies.

dylan-m

Another thing to look at is bubblewrap (https://github.com/containers/bubblewrap), which is what implements the sandboxing in Flatpak. It's handy if you want to run a command from your host in a particular sandbox as kind of a one-off, or if you just want to understand more about how that sandboxing works :)

ximm

This is a nicely written description of some of the things that flatpak does under the hood for people who know docker. Of course, flatpak does a lot more (e.g. filtered dbus access).

I personally think that flatpak is not the end of history and we should continue to experiment with different approaches.

colonial

I configure all my development containers to mount my host's Wayland socket. It mostly Just Works, and obviates the need to do any shell shuffling if I need to run something with a graphical component.

It's also occasionally convenient if I need to run a GUI app written in (say) Java that requires a zillion megabytes of JVM dependencies - just spin up an ephemeral container that makes everything disappear on CTRL-D.

Pet_Ant

This is a case where the original X11 client server model would make perfect sense.

number6

Yes, exactly my thought: why not connect to the X11 server?

codetrotter

I like that part of X11, but a lot of software now uses Wayland.

art0rz

> The source of the GUI application is untrusted, or its safety is uncertain.

Afaik Docker doesn't promise security

lotharcable2

This is correct.

I think it may add a bit of security, but containers are better thought of as a mechanism to deploy and manage applications/services.

They can be useful as part of a security posture, but you kinda have to wrap everything up in SELinux or as part of some other system. Which is a lot easier to do with containers than it is to do with normal applications.

Also for most purposes:

If you want to integrate container applications into your desktop you'd be better off with something like Flatpak or distrobox/toolbx.

There are lots of things that these applications do to set up the environment and integrate into your home directory that aren't going to be done with simple scripts like this.

That doesn't mean that these scripts are useless, of course. If you want to run an application with more isolation and less integration then it is a lot easier to do it this way than with something like distrobox.

Like if you don't want to give an application access to your home directory. Or want to emulate a container environment for the cloud locally so you can hack on it.

diggan

Even if it did, if you end up connecting your GPU, display manager, dbus, pipewire and a bunch of other devices to the untrusted application, you would kind of lose out on it anyways.

Only benefit I can see here is the separation of the filesystems, but there are easier and simpler ways than docker to do that.

mmh0000

I'll agree that "Docker" has a history of "interesting" security practices.

But the core technologies underlying containers (namespaces, cgroups, POSIX capabilities, and SELinux) "should" provide a level of isolation equivalent to a virtual machine [1].

If you're using a decent container platform like Podman, you should feel relatively good about the application's security and isolation.

[1] https://www.redhat.com/en/blog/how-selinux-separates-contain...

nightski

Not promising is not the same as offering none. I don't think any technology solution "promises" when it comes to security.

yegle

linuxserver.io packaged a couple of popular GUI apps in containers, e.g. Calibre.

The container packages a VNC server, and you can access the container using a webVNC.

This seems like a great solution for non-GPU-intensive GUI apps.

codetrotter

I remember having to do something similar when I was running a Debian chroot on an Android phone on one of the early Android phones.

Haven’t stuck around so I don’t know if VNC is still common to use locally on Android when you want to run other Linux distros with graphical environments on your device.

It worked but having to rely on VNC for something that is local on the same machine never felt great to me. Same when I VNC into a VM on the same host. It just feels a bit wrong to me to have to use VNC. It works and I do it sometimes for VMs on my computer, but I don’t like it.

The cool people do things like PCI passthrough. But I don’t have an extra graphics card and I haven’t looked much at the details of PCI passthrough anyways. Seems like a lot of effort also.

I do like X11 forwarding. I don’t know what to do for Wayland when it’s a VM.

mg

Is this solution different from just executing this:

    docker run -it --rm -e DISPLAY --net=host -v "$XAUTHORITY":/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:12-slim

And then running the GUI app in the container? For example for Firefox:

    apt update
    apt install firefox-esr
    firefox

That is an approach I sometimes use to try GUI applications in a Docker container.

ElijahLynn

The approach uses Wayland and Pipewire.

> When you start a container instance, all you need to do is map the host's Wayland socket and PipeWire socket files into the container, and then set the appropriate environment variables within the container to enable running GUI applications.
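Both recipes in this thread (mg's X11 `docker run` line above, and the Wayland plus PipeWire socket mapping quoted here) come down to bind-mounting one or two host sockets into the container and pointing the right environment variables at them. The script below is an added example written for this discussion, not code from the article or from any commenter: it assembles the `docker run` argument list for either mode, checks that the host sockets actually exist before handing them over, shares only those sockets (no `--net=host`, no home directory, no dbus), and prints the arguments so they can be reviewed before anything is started. The container-side paths `/tmp/xdg-runtime`, `/tmp/.X11-unix` and `/tmp/.Xauthority`, and the `X11_SOCKET_DIR` override used for dry runs, are this script's own choices and assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from the article or any commenter):
# build a `docker run` argument list that shares only the display sockets a
# GUI app needs, for Wayland+PipeWire or for X11. Container paths
# /tmp/xdg-runtime, /tmp/.X11-unix and /tmp/.Xauthority are assumptions of this
# script; X11_SOCKET_DIR is a hypothetical override so the X11 path can be dry-run.

gui_run_args() {
  mode=$1
  image=$2
  # No --net=host, no home directory, no dbus: only what the display needs.
  # no-new-privileges blocks setuid escalation but does not break apt inside.
  args="--rm -it --security-opt no-new-privileges"

  case "$mode" in
    wayland)
      runtime_dir=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
      wl_name=${WAYLAND_DISPLAY:-wayland-0}
      wl_sock="$runtime_dir/$wl_name"
      pw_sock="$runtime_dir/pipewire-0"
      # Refuse to start with a dangling mount (use -S to insist on a socket).
      [ -e "$wl_sock" ] || { echo "no Wayland socket at $wl_sock" >&2; return 1; }
      # Wayland clients open $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY, so both variables
      # must point at the bind-mounted file inside the container.
      args="$args -e XDG_RUNTIME_DIR=/tmp/xdg-runtime -e WAYLAND_DISPLAY=$wl_name"
      args="$args -v $wl_sock:/tmp/xdg-runtime/$wl_name"
      # Audio is optional: share PipeWire only when the host actually runs it.
      if [ -e "$pw_sock" ]; then
        args="$args -v $pw_sock:/tmp/xdg-runtime/pipewire-0"
      fi
      ;;
    x11)
      [ -n "$DISPLAY" ] || { echo "DISPLAY is not set" >&2; return 1; }
      disp=${DISPLAY#*:}; disp=${disp%%.*}   # ":0.0" -> "0"
      x11_dir=${X11_SOCKET_DIR:-/tmp/.X11-unix}
      x_sock="$x11_dir/X$disp"
      xauth=${XAUTHORITY:-$HOME/.Xauthority}
      [ -e "$x_sock" ] || { echo "no X socket at $x_sock" >&2; return 1; }
      [ -e "$xauth" ] || { echo "no Xauthority file at $xauth" >&2; return 1; }
      # Share one display socket rather than the whole /tmp/.X11-unix directory,
      # and the cookie file read-only. The cookie for a local display is keyed by
      # hostname, so give the container the host's name instead of --net=host.
      args="$args --hostname $(uname -n) -e DISPLAY=$DISPLAY"
      args="$args -v $x_sock:/tmp/.X11-unix/X$disp"
      args="$args -v $xauth:/tmp/.Xauthority:ro -e XAUTHORITY=/tmp/.Xauthority"
      ;;
    *)
      echo "usage: gui_run_args wayland|x11 IMAGE" >&2
      return 2
      ;;
  esac
  printf '%s\n' "$args $image"
}

# Dry run, e.g.: sh gui-run.sh --demo wayland
if [ "${1:-}" = "--demo" ]; then
  printf 'docker run %s\n' "$(gui_run_args "${2:-wayland}" debian:12-slim)"
fi
```

With `--demo` the script only prints the command; once the mount list looks right, the same output can be pasted after `docker run`. Anything beyond the display sockets (GPU device nodes, dbus, the whole runtime directory) is deliberately left out, since each additional mount is another piece of the host the application can reach.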

dnndndej

Isn't this working just for X11?

yjftsjthsd-h

Should also work with xwayland, but yes.

yjftsjthsd-h

Curious that there's no comparison to https://github.com/mviereck/x11docker , which I would describe as the incumbent in this space.

pronoiac

I've run an X app from Docker, a Linux container on a macOS host. I was able to move the incantations to a Makefile: https://github.com/ryanfb/docker_scantailor

Jotalea

I wonder what are the limitations of this.

- can it run games?

- can it use desktop environments or window managers like KDE or Hyprland?

- how much does it affect performance?

edit: fixed lines

jbverschoor

Using X11 :) the concept is nice, and could help isolate much more elegantly than Qubes for example.

But the protocol sucks, I've heard.

yjftsjthsd-h

? This is explicitly wayland, not x11. And x11 isn't likely to give you very good isolation unless you jump through hoops.

ElijahLynn

This only works on Linux systems. No Mac, fwiw.

wmf

Containers don't exist on Mac so yeah.
