How to Safely Test Desktop Applications in a Secure Container With Docker

Aaron Peters 03-02-2017

Docker is a “container” platform, which allows applications to be run in their own sandboxed world. These applications share resources such as hard drive space or RAM, but otherwise can’t interfere with programs running on the host system. For corporate servers this means an attacker may not be able to use a compromised web server to get at the database holding customer data.


For the desktop user, it means the bleeding-edge app you’re trying out can’t accidentally delete all your cat’s selfies.

Pros and Cons of Using Docker

There are several good reasons to try out new programs via Docker, including the following:

On the other hand, there are some caveats to using applications this way:

Installation and Usage

Getting things up and running involves three preliminary steps:

  1. First, get Docker installed and running on your system (including a graphical interface for it, if you want one).
  2. Next, find and download an image for the application you want to run. When you normally install an application, you get one (and only one) copy of it. Think of an image as a template for the application: you can create as many installs from this template as you like.
  3. Lastly, create one of those copies, called a container, and run it.

Let’s look at each of these in detail.


Installation

Most Linux distributions have Docker available in their repositories for easy installation. In Ubuntu, the following command will get you what you need:

sudo apt-get install docker.io

You can confirm the system is running by checking that the “dockerd” daemon is running (you do know how to use ps, grep, and pipes, don’t you?):

ps ax | grep dockerd

The Docker daemon will start up with your system automatically by default, but you can set that differently if you know how to adjust your systemd settings.

If you’re interested, you can also grab the Simple Docker UI Chrome app. Follow the instructions here to get things set up so you can connect to the Docker daemon on your machine.


Note: If you use Simple Docker UI, make sure you add yourself to the “docker” user group as described here. If you’re not part of this group, you won’t be able to use Docker commands from your normal (non-root) user account, the one with which you’ll be running Chrome and its apps, without using sudo all the time.

Finding and Installing Desktop Applications With Docker

Now that you’ve got a nice UI going, it’s time to find something to install. Your first stop should be Docker Hub, a repository of applications hosted by the Docker project. Another straightforward way to find some interesting applications is to Google for them. In either case, look for a “Launch Command” along the lines of the following:

docker run -it -v someoptions \
 -e more options \
 yet even more options...

Paste this into a terminal and it will download and launch the application for you.
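One way to review a launch command before pasting it, as an added example that is not part of the original article: the script below flags options that weaken the container's isolation from the host. The list of options checked and the finding labels are this example's own choices, and example/some-desktop-app is a made-up image name.

```shell
#!/bin/sh
# Added example (not from the article): review a copied "docker run" launch
# command for options that weaken the container's isolation from the host.
# The categories and wording of the findings are this example's own.

audit_launch_cmd() {
    # Drop line-continuation backslashes, then split into words without globbing.
    cmd=$(printf '%s' "$1" | tr '\\' ' ')
    set -f; set -- $cmd; set +f
    while [ $# -gt 0 ]; do
        opt=$1; val=""
        case $opt in
            --*=*) val=${opt#*=}; opt=${opt%%=*} ;;
            -v|--volume|--net|--network|--pid|--ipc|--cap-add|--device|--security-opt)
                if [ $# -gt 1 ]; then val=$2; shift; fi ;;
        esac
        case $opt in
            --privileged)
                echo "privileged: all capabilities and host devices are granted" ;;
            --net|--network|--pid|--ipc)
                if [ "$val" = host ]; then echo "host-namespace: $opt=host"; fi ;;
            --cap-add)  echo "cap-add: extra capability $val" ;;
            --device)   echo "device: host device $val is exposed" ;;
            --security-opt)
                case $val in *unconfined*) echo "unconfined: $val" ;; esac ;;
            -v|--volume)
                src=${val%%:*}   # host side of a src:dst bind mount
                case $src in
                    /var/run/docker.sock|/run/docker.sock)
                        echo "docker-socket: container can control the Docker daemon" ;;
                    /tmp/.X11-unix*)
                        echo "x11-socket: app can reach the host X server" ;;
                    /|/home|/home/*|/root|/root/*|/etc|/etc/*|'$HOME'*|'~'*)
                        echo "host-path: $src is mounted into the container" ;;
                esac ;;
        esac
        shift
    done
}

# Constructed sample, shaped like the launch commands found on image pages.
SAMPLE='docker run -it -v /tmp/.X11-unix:/tmp/.X11-unix \
 -e DISPLAY=unix$DISPLAY -v $HOME/Documents:/docs \
 --net=host example/some-desktop-app'

audit_launch_cmd "$SAMPLE"
```

A finding is not automatically a reason to reject the command (GUI apps commonly need the X11 socket), but each one marks a place where the container can touch the host.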


You can also “pull” the application, then launch it yourself. If you’re using the Simple UI app, it can search Docker Hub automatically for your keyword.


Once you’ve found what you’re looking for, click its listing, then the Pull Image button in the pop-up dialog to download the image of the application.


Remember, an image is a “template” of sorts. Next you’ll need to create a container that uses your new image. Switch over to the Images tab. Clicking the Deploy Container button will create a new, runnable copy of your application.


Running Your New Docker Container

From the command line, you can view a list of all your Docker containers with the command:

docker ps -a


This lists the containers with some of their stats — note the “NAMES” column to the far right. To restart one of your containers, pick the name of the container you want and issue the following:

docker start [containername]

Using the app, go to the “Containers” screen, select the container you want, and click the “Start” button in the upper left of the screen. Your application will start in a new window on your desktop, just like a “normal” application.


Your application should open in a new window, just as if you had installed it normally. But remember, it exists in isolation from your other applications. This allows you to do some neat things, like run LibreOffice and OpenOffice in parallel (their dependencies usually conflict with one another).


Try Docker-ized Apps for Fun and Profit

Docker provides an easy way to get an app up and running so you can try it out, and an equally easy way to clean it from your system. Once you get through the initial set-up of Docker, a single run command is often all you need to download an image, create a container from it, and launch it on your desktop.

Have you found any cool Docker-ized apps? Let us know in the comments!


  1. Steve
    February 4, 2017 at 1:29 pm

    To use Docker with Windows you need Server 2016. This isn't trivial, you would be better off with VirtualBox

    • Aaron Peters
      February 4, 2017 at 2:30 pm

      That is true Steve. Unless Docker plays nicely with the new Windows Subsystem for Linux (WSL). I haven't tried that out in my Windows 10 install, but then again that's a VM itself. What would that make, 3 levels of virtualization? I should give it a go though.

      • Steve
        February 4, 2017 at 5:39 pm

        I missed something here. By 3 levels you mean running it on WSL? Don't do that, it sounds painful.

        • Aaron Peters
          February 4, 2017 at 7:13 pm

          Windows virtualizing Linux virtualizing the Docker app. So 3 levels total I guess, not 3 plus the host system. But WSL isn't quite a VM, and neither is Docker for that matter. Would make for an interesting experiment though.

      • norweeg
        February 6, 2017 at 2:52 pm

        WSL isn't virtualized. It's a compatibility layer like WINE, except in reverse

        • Aaron Peters
          February 12, 2017 at 6:22 am

          Not true virtualization, sure. But still a layer in between that exacts a cost in performance as system calls are translated between one OS and another. Not as much cost as virtualization in any case though, granted.

    • Mark Pitman
      February 4, 2017 at 5:54 pm

      Docker for Windows works on Windows 10 as well. You just have to enable Hyper-V.

      • Aaron Peters
        February 4, 2017 at 7:10 pm

        Mark, is that something available on Pro installs of Win 10? I have to admit I haven't used Windows outside of work in a while, and I can't fiddle around with my work machine...

        • Mark Pitman
          February 4, 2017 at 8:15 pm

          Ah, yes, it is only available in Pro and Enterprise. Forgot about that.

  2. Brent
    February 3, 2017 at 6:33 pm

    I'm curious what the pros & cons are to using Docker like this vs a virtual OS. In other words, if I'm already running VirtualBox couldn't I just clone an OS and run the new application there?

    • Ben fan
      February 3, 2017 at 7:36 pm

      In containers, the kernel is shared. This means a container-root is a kernel-root. (There exist concepts to prevent this, but from a theoretical point of view the use of only one kernel cannot be secure. Malicious code can always block IO, crash the kernel, or do side-channel attacks.) Containers are used when you trust the code. When you need the security of the full abstraction, its own kernel is needed, so you use a VM. But you can run untrusted containers on one VM to have the best of both worlds.

      • Aaron Peters
        February 12, 2017 at 6:24 am

        Compared to installing applications normally, containers really cut down on available attack vectors though don't they? Since things like filesystem access aren't there?

    • Aaron Peters
      February 4, 2017 at 2:27 pm

      Great question Brent! To summarize, Docker will typically run leaner than a VM. Consider the following:

      1) When you run a VM, it sets aside RAM for the machine. This reduces the memory available to programs on the host system. If you're a heavy multi-tasker, you may find your main system AND the VM chug while you're running both (as VMs tend to run slow anyway). Docker containers only use the RAM they need, just like other programs.

      2) Most Docker images ship with just what they need to run: the executables and any required libraries. The VM will include all those things, PLUS the entire base system. So they'll require more storage. Maybe not an issue on a big desktop machine, but not ideal for your SSD-equipped laptop.

      That said, one advantage of a VM is it represents a "real system." Said another way, if you run Ubuntu 16.04, you could spin up the same as a VM and have an accurate idea of how it will behave. Probably not a big advantage for GUI apps, moreso for server applications. You do also have the advantage of that "protected RAM," again more of an advantage for server apps than desktop programs.