[Linux] Sandboxing GUI apps


  • BINNED

    I tried Googling this, but it's either impossible, no one tried it, or my google-fu sucks.

    I'm looking for a way to get rid of these damned virtual machines I have to run in order to test stuff. I often have a need to run multiple instances of an application that was not intended to be run in such a way. Small stuff mostly, like softphones or efax-gtk. These applications were designed to allow for a single running instance because, you know, who would need multiple ones running at the same time (in normal use cases)?

    I'm currently running an additional VM so I can have at least 2 instances of efax-gtk running, and several different softphone clients which run side by side. Which means I have to use even the crappiest ones just because it's another instance that actually connects to the server. And disconnects every 15 seconds. And crashes if I look at it funny.

    In any case, every sandboxing environment that I looked at seems to focus on services / CLI applications, or requires a complete system install to which I could then connect using VNC or something.

    Does anyone know of any sane way to run multiple instances of a GUI application in their own sandboxes without all this unnecessary voodoo?



  • This might help:

    The magic part is:

    share my X11 socket with the container and use it directly

    Also, if you were using Python this could be done with virtual environments.
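
Added example, not part of the post above or of the article it quotes: one way to apply "share my X11 socket with the container" to the multiple-instance case asked about in the thread. The image name `softphone-img`, the command `softphone` and the cookie paths are hypothetical, and the wildcard xauth cookie is an addition the post does not mention.

```shell
#!/bin/sh
# Added example, not code from the thread. IMAGE and APP are hypothetical.
X11_DIR=/tmp/.X11-unix                # directory holding the X server socket
IMAGE=${IMAGE:-softphone-img}         # hypothetical image with the app installed
APP=${APP:-softphone}                 # hypothetical command inside that image
CONTAINER_XAUTH=/tmp/.container.xauth # cookie path as seen inside the container

# Write the host's X cookie for this display to file $1 in a form that works
# from any hostname: the first four hex digits of each `xauth nlist` entry
# are the address family, and ffff is the wildcard family.
make_container_xauth() {
    : > "$1" && chmod 600 "$1" &&
    xauth nlist "${DISPLAY:-:0}" | sed -e 's/^..../ffff/' | xauth -f "$1" nmerge -
}

# Build the docker command for instance $1 using cookie file $2.
# Prints it by default; executes it when RUN=1.
instance_cmd() {
    n=$1; cookie=$2
    # Each container gets its own filesystem and network namespace, so lock
    # files and listening ports of the instances cannot collide.
    # Sharing the X socket is NOT a security boundary: an X11 client holding
    # this cookie can observe input to other windows on the same display.
    set -- docker run --rm -d --name "${APP}-${n}" \
        -e "DISPLAY=${DISPLAY:-:0}" -e "XAUTHORITY=${CONTAINER_XAUTH}" \
        -v "${X11_DIR}:${X11_DIR}:ro" -v "${cookie}:${CONTAINER_XAUTH}:ro" \
        "$IMAGE" "$APP"
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Start (or print) $1 instances sharing one cookie file $2.
launch() {
    count=$1; cookie=${2:-${HOME:-/tmp}/.container.xauth}; i=1
    if [ "${RUN:-0}" = 1 ]; then make_container_xauth "$cookie" || return 1; fi
    while [ "$i" -le "$count" ]; do
        instance_cmd "$i" "$cookie" || return 1
        i=$((i + 1))
    done
}

launch "${INSTANCES:-2}"
```

Run as-is it only prints the `docker run` lines for review; setting `RUN=1` creates the cookie file and starts the containers.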


  • BINNED

    Since I don't want to claim docker knowledge where there is none: does the docker container need a full OS installation inside it, or can it just use the existing installed stuff (other than the application I'm sandboxing, that is)?

    The X11 hack seems reasonable.

    @Eldelshell said:

    Also, if you were using Python this could be done with virtual environments.

    Well, I'm limited with what's available out there on the application front. I sure as hell don't intend to write my own softphone as well (although writing a basic efax GUI might be a somewhat reasonable option if I had the time).



  • @Onyx said:

    does the docker container need a full OS installation inside it, or can it just use the existing installed stuff

    No, but they are shared between docker images. For example, I have several images all using Ubuntu as the target OS. This is downloaded only once and shared between all images.

    Another great thing about Docker is that you can mix it with a little Puppet/Chef magic and have custom images running in no time.


  • BINNED

    @Eldelshell said:

    No, but they are shared between docker images. For example, I have several images all using Ubuntu as the target OS. This is downloaded only once and shared between all images.

    Nice. I already have these VMs sucking up my drive anyway. I don't mind one more additional install. Actually, I can probably delete at least one of them in that case anyway.

    Will give this a go over the weekend.



  • As far as I understand, Docker uses your underlying Linux kernel and builds a customized userland on top of it. It wasn't well suited for my needs because it requires the latest Linux kernel features (so no old Centos-es, Windows, BSD etc.). But it seems it will work very well in your use case.



  • Did you try just starting another GUI instance?
    CTRL-ALT-F1 -> login -> startx

    On my desktop I now have 2 GUIs, one on ALT-F7 and the other on ALT-F8

    Worst case, create another user if your program still refuses to run under the same user.

    Another solution would be to install a VNC server and create multiple VNC sessions under different users

    There is more than one way to achieve your goal


  • BINNED

    @TimeBandit said:

    There is more than one way to achieve your goal

    True. But only one of them enables me to just run the things I need on a single desktop without shit getting in the way (like VNC sessions with mouse / keyboard capturing or having to switch VTs), and that's sandboxing. VMs didn't annoy me that much because of memory usage or something, they are just damn inconvenient.

    Also, it's 2015, I gather I should be able to sandbox stuff in a sane way by now.


  • Java Dev

    Depending on which resources the app actually doesn't want to share with itself, using a different user or a chroot may allow a second instance in the same X server.


  • BINNED

    @PleegWat said:

    resources the app actually doesn't want to share

    Since these are softphones, it might go from media devices to ports

