[Linux] Sandboxing GUI apps
-
I tried Googling this, but it's either impossible, no one tried it, or my google-fu sucks.
I'm looking for a way to get rid of these damned virtual machines I have to run in order to test stuff. I often have a need to run multiple instances of an application that was not intended to be run in such a way. Small stuff mostly, like softphones or efax-gtk. These applications were designed to allow for a single running instance because, you know, who would need multiple ones running at the same time (in normal use cases)?
I'm currently running an additional VM so I can have at least 2 instances of efax-gtk running, and several different softphone clients which run side by side. Which means I have to use even the crappiest ones just because it's another instance that actually connects to the server. And disconnects every 15 seconds. And crashes if I look at it funny.
In any case, every sandboxing environment that I looked at seems to focus on services / CLI applications, or requires a complete system install to which I could then connect using VNC or something.
Does anyone know of any sane way to run multiple instances of a GUI application in their own sandboxes without all this unnecessary voodoo?
-
This might help:
The magic part is:
share my X11 socket with the container and use it directly
Also, if you were using Python this could be done with virtual environments.
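Added example (not code from any post in this thread or from the linked page): the "share my X11 socket with the container" trick written out as a POSIX sh script. It assumes you have already built an image (the name efax-gtk-box below is a placeholder) whose entrypoint starts the GUI program, and the ~/.gui-box directory is an arbitrary choice for per-instance homes.

```shell
#!/bin/sh
# Start extra instances of a GUI app in Docker containers that draw on the
# host's X server through the shared X11 Unix socket.
# Placeholders: image name (e.g. "efax-gtk-box"), ~/.gui-box for homes.
set -eu

# Map a DISPLAY value to the X server's Unix socket. Only local displays
# (":0", ":1.0", "unix:0") have one; a TCP display such as "localhost:10.0"
# (ssh -X) has no socket to bind-mount, so fail for those.
x11_socket_path() {
    display=$1
    host=${display%%:*}           # text before the first ':'
    rest=${display#*:}            # displaynumber[.screen]
    num=${rest%%.*}
    case "$host" in
        ''|unix) ;;
        *) return 1 ;;
    esac
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "/tmp/.X11-unix/X$num"
}

# Launch instance number $2 of image $1 as a background container.
launch_instance() {
    image=$1; n=$2
    display=${DISPLAY:?DISPLAY is not set}
    sock=$(x11_socket_path "$display") || {
        echo "DISPLAY=$display is not a local Unix-socket display" >&2
        return 1
    }
    # A private home per instance: the usual "already running" check is a
    # lock file or socket under $HOME, so separate homes give each copy its own.
    home="$HOME/.gui-box/$image-$n"
    mkdir -p "$home"
    # Same uid/gid as on the host, so the X server's per-user localuser ACL
    # (if your session has one) applies to the container's client too.
    # Mount only the one socket file, not all of /tmp/.X11-unix, so the
    # container sees no other display.
    docker run --rm -d \
        --name "$image-$n" \
        --user "$(id -u):$(id -g)" \
        -e "DISPLAY=$display" \
        -e HOME=/home/app \
        -v "$sock:$sock" \
        -v "$home:/home/app" \
        --device /dev/snd \
        "$image"
}

# Usage: sh gui-box.sh efax-gtk-box 1   (then 2, 3, ... for more copies)
if [ $# -ge 2 ]; then
    launch_instance "$1" "$2"
fi
```

A few things to check before relying on it: if the client is refused with "No protocol specified", see whether `xhost` on the host already lists `SI:localuser:<you>`; if not, add it with `xhost +SI:localuser:$(id -un)` rather than opening the server with `xhost +`. If the program dies with an MIT-SHM / BadAccess error, `--ipc=host` makes the shared-memory images work again at the cost of sharing the host's IPC namespace. And the caveat that matters for "sandboxing": X11 has no isolation between clients, so whatever runs in the container can read keystrokes and screen content of every other window on that display and inject input. This separates the instances' filesystems, homes and network namespaces (two softphones can both bind their default SIP port); it does not make an untrusted app safe to run on your desktop. `--device /dev/snd` is where two instances will still fight over the sound card; drop it or use a sound server if that bites.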
-
Since I don't want to claim docker knowledge where there is none: does the docker container need a full OS installation inside it, or can it just use the existing installed stuff (other than the application I'm sandboxing, that is)?
The X11 hack seems reasonable.
Also, if you were using Python this could be done with virtual environments.
Well, I'm limited with what's available out there on the application front. I sure as hell don't intend to write my own softphone as well (although writing a basic efax GUI might be a somewhat reasonable option if I had the time).
-
does the docker container need a full OS installation inside it, or can it just use the existing installed stuff
No, but they are shared between docker images. For example, I have several images all using Ubuntu as the target OS. This is downloaded only once and shared between all images.
Another great thing about Docker is that you can mix it with a little Puppet/Chef magic and have custom images running in no time.
-
No, but they are shared between docker images. For example, I have several images all using Ubuntu as the target OS. This is downloaded only once and shared between all images.
Nice. I already have these VMs sucking up my drive anyway. I don't mind one more additional install. Actually, I can probably delete at least one of them in that case anyway.
Will give this a go over the weekend.
-
As far as I understand, docker uses your underlying linux kernel and builds a customized userland on top of it. It wasn't well suited for my needs because it requires the latest linux kernel features (so no old Centos-es, Windows, BSD etc.). But it seems it will work very well in your use case.
-
Did you try just starting another GUI instance?
CTRL-ALT-F1 -> login -> startx
On my desktop I now have 2 GUIs, one on ALT-F7 and the other on ALT-F8
Worst case, create another user if your program still refuses to run under the same user.
Another solution would be to install a VNC server and create multiple VNC sessions under different users
There is more than one way to achieve your goal
-
There is more than one way to achieve your goal
True. But only one of them enables me to just run the things I need on a single desktop without shit getting in the way (like VNC sessions with mouse / keyboard capturing or having to switch VTs), and that's sandboxing. VMs didn't annoy me that much because of memory usage or something, they are just damn inconvenient.
Also, it's 2015, I gather I should be able to sandbox stuff in a sane way by now.
-
Depending on which resources the app actually doesn't want to share with itself, using a different user or a chroot may allow a second instance in the same X server.
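Added example (not from any post in this thread): the "different user, same X server" option as a script. The user name efax2 and the command efax-gtk are placeholders; it assumes the extra user already exists and that you can sudo to it.

```shell
#!/bin/sh
# Run a second copy of a GUI app as a separate local user on the same
# X display. Placeholders: user "efax2", command "efax-gtk".
set -eu

# Build the xhost entry for one local user. The X server matches
# SI:localuser entries against the connecting process's uid (taken from
# the Unix socket peer credentials), so no cookie has to be copied and
# nothing else on the machine gets authorized, unlike "xhost +" or
# "xhost +local:". Only portable user names are accepted.
x_acl_for_user() {
    name=$1
    case "$name" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty or non-portable characters
        [0-9-]*) return 1 ;;            # must not start with a digit or '-'
    esac
    printf '%s\n' "SI:localuser:$name"
}

# Grant that user access to the current display (run on the host, as you).
grant_display() {
    xhost "+$(x_acl_for_user "$1")"
}

# Start the program as the other user with its own HOME (-H), so any
# per-user lock or config file lands in that user's home, and with the
# current DISPLAY passed explicitly, because sudo resets the environment.
run_as_user() {
    user=$1; shift
    sudo -u "$user" -H env DISPLAY="${DISPLAY:?DISPLAY is not set}" "$@"
}

# Usage: sudo -v; sh run-as.sh efax2 efax-gtk &
if [ $# -ge 2 ]; then
    user=$1; shift
    grant_display "$user"
    run_as_user "$user" "$@"
fi
```

What this does and does not separate: the second user gets its own home, so a lock file there stops colliding, and its processes cannot read your files. It sees the whole display exactly as you do (X11 clients are not isolated from each other), it shares your network namespace (a port the first instance already listens on is still taken), and it needs its own access to the sound device, typically membership in the audio group or access to the sound server. A chroot for the second user changes the filesystem view only; ports and devices are the same story.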
-
resources the app actually doesn't want to share
Since it is a softphone, it might go from media devices to ports.