How to Safely Test Desktop Applications in a Secure Container With Docker

Docker is a “container” platform that allows applications to run in their own sandboxed world. These applications share resources such as hard drive space or RAM, but otherwise can’t interfere with programs running on the host system. For corporate servers this means an attacker may not be able to use a compromised web server to get at the database holding customer data.

For the desktop user, it means the bleeding-edge app you’re trying out can’t accidentally delete all your cat’s selfies.

Pros and Cons of Using Docker

There are several good reasons to try out new programs via Docker, including the following:

  • They are safely isolated from your system, without the means to do damage in most cases.
  • Docker containers have a mechanism to keep them up-to-date, meaning it’s easy to make sure you have the latest and greatest versions.
  • You’re not installing anything on your “real” system, so you won’t run into conflicts with your “regular” versions of the application. You could, for example, run LibreOffice on your host system, but run OpenOffice in a container (you know, in case you don’t believe the project is shutting down).
  • Speaking of versions, you can even have multiple (but different) copies of the same version running on your machine at once. Try that with Word 2016!
  • Some Docker apps run their own minimized version of Linux. This means even if the app isn’t normally compatible with Mac or Windows it may still work for you within a Docker container. Try them out before you switch to Linux full time.
  • They’re easy to clean up. Don’t like the way things turned out? Just trash the container and create a new one.

On the other hand, there are some caveats to using applications this way:

  • As they operate in their own little world, they don’t have access to your files unless you give it to them. That means if you want to try the brand new version of LibreOffice via Docker, you may need to do some additional work to make your files accessible.
  • In general, Docker apps ship with everything they need to run, which often includes libraries that could be re-used with other programs. Some even ship with a full operating system behind them. So you may be doubling up on disk space usage.
  • They don’t provide convenient icons and other desktop-centric niceties. While we’ll show you a GUI you can use to download and run these Docker containers, they won’t show up in your main application launcher unless you create an entry by hand.
  • Like many things open source, it’s members of the community who have been creating these Docker applications from their upstream releases. This means your access to the latest version and/or any bugfixes is at the mercy of these people’s free time.

Installation and Usage

Getting things up and running involves three preliminary steps:

  1. First, get Docker installed and running on your system (including a graphical interface for it, if you want one).
  2. Next, find and download an image for the application you want to run. When you normally install an application, you get one (and only one) copy of it. Think of an image as a template for the application — you can create as many installs from this template as you like.
  3. Lastly, create one of those copies, called a container, and run it.

Let’s look at each of these in detail.

Installation

Most Linux distributions have Docker available in their repositories for easy installation. In Ubuntu, the following command will get you what you need:

sudo apt-get install docker.io

You can verify that Docker is running by confirming the “dockerd” daemon is running (you do know how to use ps, grep, and pipes, don’t you?):

ps ax | grep dockerd

The Docker daemon will start up with your system automatically by default, but you can set that differently if you know how to adjust your systemd settings.

If you’re interested, you can also grab the Simple Docker UI Chrome app. Follow the instructions here to get things set up so you can connect to the Docker daemon on your machine.


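Note: If you use Simple Docker UI, make sure you add yourself to the “docker” user group as described here. If you’re not part of this group, you won’t be able to use Docker commands from your normal (non-root) user account, the one with which you’ll be running Chrome and its apps, without using sudo all the time. Membership in that group is effectively root access on the host, because anyone who can talk to the Docker daemon can start a container with any host directory mounted.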

Finding and Installing Desktop Applications With Docker

Now that you’ve got a nice UI going, it’s time to find something to install. Your first stop should be Docker Hub, a repository of applications hosted by the Docker project. Another straightforward way to find some interesting applications is to Google for them. In either case, look for a “Launch Command” along the lines of the following:

docker run -it -v someoptions \
 -e more options \
 yet even more options...

Paste this into a terminal and it will download and launch the application for you.
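
Before pasting a launch command, it is worth checking which of its options punch holes in the sandbox. The script below is an added example, not part of the original article: it flags the docker run options that weaken isolation, including the host mounts a GUI app's launch command may ask for. It only understands the -v/--volume mount form, and the sample command and image name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: list the options in a copied
# "docker run" launch command that weaken container isolation.
# Prints one finding per line; exit status is 1 if anything was flagged.
audit_launch_cmd() (
    set -f                                     # no globbing while word-splitting
    cmd=$(printf '%s' "$1" | tr '\\\n' '  ')   # join backslash-continued lines
    prev="" rc=0
    for tok in $cmd; do
        case "$tok" in
            --*=*) opt=${tok%%=*}; val=${tok#*=} ;;   # --opt=value
            -*)    opt=$tok;       val="" ;;          # bare option
            *)     opt=$prev;      val=$tok ;;        # value of previous option
        esac
        prev=$tok msg=""
        case "$opt=$val" in
            --privileged=|--privileged=true)
                msg="disables most isolation (all capabilities, host devices)" ;;
            --net=host|--network=host|--pid=host|--ipc=host)
                msg="shares a host namespace with the container" ;;
            --cap-add=?*|--device=?*)
                msg="grants an extra kernel capability or host device" ;;
            --security-opt=*unconfined*)
                msg="turns off a seccomp/AppArmor profile" ;;
            -v=?*|--volume=?*)
                case "${val%%:*}" in               # host side of the mount
                    /|/etc*|/root*|/home|'$HOME'*|'~'*)
                        msg="mounts sensitive host files into the container" ;;
                    *docker.sock)
                        msg="exposes the Docker daemon socket (root on host)" ;;
                    /tmp/.X11-unix*)
                        msg="shares the X11 socket; app can reach your X server" ;;
                esac ;;
        esac
        if [ -n "$msg" ]; then
            printf '%s: %s\n' "$opt${val:+ $val}" "$msg"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: a GUI launch command with a hypothetical image name.
SAMPLE='docker run -it --net=host \
  -v /tmp/.X11-unix:/tmp/.X11-unix -v $HOME:/data \
  -e DISPLAY example/some-gui-app'
audit_launch_cmd "$SAMPLE" || true
```

A flagged option is not automatically wrong (a GUI app does need some way to reach your display), but each one is a piece of the host you are handing to the container, so it should be there on purpose.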

You can also “pull” the application, then launch it yourself. If you’re using the Simple UI app, it can search Docker Hub automatically for your keyword.


Once you’ve found what you’re looking for, click its listing, then the Pull Image button in the pop-up dialog to download the image of the application.


Remember, an image is a “template” of sorts. Next you’ll need to create a container that uses your new image. Switch over to the Images tab. Clicking the Deploy Container button will create a new, runnable copy of your application.


Running Your New Docker Container

From the command line, you can view a list of all your Docker containers with the command:

docker ps -a


This lists the containers with some of their stats — note the “NAMES” column to the far right. To restart one of your containers, pick the name of the container you want and issue the following:

docker start [containername]

Using the app, go to the “Containers” screen, select the container you want, and click the “Start” button in the upper left of the screen. Your application will start in a new window on your desktop, just like a “normal” application.


Your application should open in a new window, just as if you had installed it normally. But remember, it exists in isolation from your other applications. This allows you to do some neat things, like run LibreOffice and OpenOffice in parallel (their dependencies usually conflict with one another).

Try Docker-ized Apps for Fun and Profit

Docker provides an easy way to get an app up and running so you can try it out, and an equally easy way to clean it from your system. Once you get through the initial set-up of Docker, a single run command is often all you need to download an image, create a container from it, and launch it on your desktop.

Have you found any cool Docker-ized apps? Let us know in the comments!


  1. Steve
    February 4, 2017 at 1:29 pm

    To use Docker with Windows you need Server 2016. This isn't trivial, you would be better off with VirtualBox

    • Aaron Peters
      February 4, 2017 at 2:30 pm

      That is true Steve. Unless Docker plays nicely with the new Windows Subsystem for Linux (WSL). I haven't tried that out in my Windows 10 install, but then again that's a VM itself. What would that make, 3 levels of virtualization? I should give it a go though.

      • Steve
        February 4, 2017 at 5:39 pm

        I missed something here. By 3 levels you mean running it on WSL? Don't do that, it sounds painful.

        • Aaron Peters
          February 4, 2017 at 7:13 pm

          Windows virtualizing Linux virtualizing the Docker app. So 3 levels total I guess, not 3 plus the host system. But WSL isn't quite a VM, and neither is Docker for that matter. Would make for an interesting experiment though.

      • norweeg
        February 6, 2017 at 2:52 pm

        WSL isn't virtualized. It's a compatibility layer like WINE, except in reverse

        • Aaron Peters
          February 12, 2017 at 6:22 am

          Not true virtualization, sure. But still a layer in between that exacts a cost in performance as system calls are translated between one OS and another. Not as much cost as virtualization in any case though, granted.

    • Mark Pitman
      February 4, 2017 at 5:54 pm

      Docker for Windows works on Windows 10 as well. You just have to enable Hyper-V.

      • Aaron Peters
        February 4, 2017 at 7:10 pm

        Mark, is that something available on Pro installs of Win 10? I have to admit I haven't used Windows outside of work in a while, and I can't fiddle around with my work machine...

        • Mark Pitman
          February 4, 2017 at 8:15 pm

          Ah, yes, it is only available in Pro and Enterprise. Forgot about that.

  2. Brent
    February 3, 2017 at 6:33 pm

    I'm curious what the pros & cons are to using Docker like this vs a virtual OS. In other words, if I'm already running VirtualBox couldn't I just clone an OS and run the new application there?

    • Ben fan
      February 3, 2017 at 7:36 pm

      In containers, the kernel is shared. This means a container-root is a kernel-root. (There exist concepts to prevent this, but from a theoretical point of view the use of only one kernel cannot be secure. Malicious code can always block IO or crash the kernel or do side-channel attacks.) Containers are used when you trust the code. When you need the security of the full abstraction, its own kernel is needed, so you use a VM. But you can run untrusted containers on one VM to have the best from both worlds.

      • Aaron Peters
        February 12, 2017 at 6:24 am

        Compared to installing applications normally, containers really cut down on available attack vectors though don't they? Since things like filesystem access aren't there?

    • Aaron Peters
      February 4, 2017 at 2:27 pm

      Great question Brent! To summarize, Docker will typically run leaner than a VM. Consider the following:

      1) When you run a VM, it sets aside RAM for the machine. This reduces the memory available to programs on the host system. If you're a heavy multi-tasker, you may find your main system AND the VM chug while you're running both (as VMs tend to run slow anyway). Docker containers only use the RAM they need, just like other programs.

      2) Most Docker images ship with just what they need to run: the executables and any required libraries. The VM will include all those things, PLUS the entire base system. So they'll require more storage. Maybe not an issue on a big desktop machine, but not ideal for your SSD-equipped laptop.

      That said, one advantage of a VM is it represents a "real system." Said another way, if you run Ubuntu 16.04, you could spin up the same as a VM and have an accurate idea of how it will behave. Probably not a big advantage for GUI apps, moreso for server applications. You do also have the advantage of that "protected RAM," again more of an advantage for server apps than desktop programs.