linuxserver / docker-kasm

Kasm Workspaces platform provides enterprise-class orchestration, data loss prevention, and web streaming technology to enable the delivery of containerized workloads to your browser.
GNU General Public License v3.0

Remove the need to run this Docker container in privileged mode #22

Closed tigerblue77 closed 1 year ago

tigerblue77 commented 1 year ago

Is this a new feature request?

Wanted change

Remove the need to run this Docker container in privileged mode

Reason for change

Running privileged containers is a bad practice and cannot be done in Docker Swarm mode.

Proposed code change

This docker compose file is almost working:

version: "3.7"

services:
  application:
    # container_name: {{ Kasm_Docker_stack_name }}
    image: lscr.io/linuxserver/kasm
    deploy:
      restart_policy:
        condition: on-failure
    # privileged: true
    environment:
      KASM_PORT: "{{ Kasm_container_port_to_expose }}"
      TZ: "Europe/Paris"
    volumes:
      - "/sys/kernel/security:/sys/kernel/security:ro"
      - "/usr/sbin/modprobe:/usr/sbin/modprobe:ro"
      - "/usr/lib:/usr/lib:ro"
      - "/lib:/lib:ro"
      - "/tmp:/tmp:rw"
      - "{{ Kasm_cgroups_Docker_volume_name }}:/sys/fs/cgroup:rw"
      - "{{ Kasm_data_Docker_volume_name }}:/opt:rw"
      - "{{ Kasm_profiles_Docker_volume_name }}:/profiles:rw" # optional
      # - "/dev/input:/dev/input" # optional
      # - "/run/udev/data:/run/udev/data" # optional
    ports:
      - "{{ Kasm_container_setup_port_to_expose }}:3000/TCP"
      - "{{ Kasm_container_port_to_expose }}:{{ Kasm_container_port_to_expose }}/TCP"

volumes:
  {{ Kasm_data_Docker_volume_name }}:
  {{ Kasm_profiles_Docker_volume_name }}:
  {{ Kasm_cgroups_Docker_volume_name }}:

But it gives me the following errors:

/bin/sh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /bin/sh)

/bin/sh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /bin/sh)

I ran the following command on my Docker host to find this "GLIBC" library:

find / -name "*GLIBC*" -not -path "/mnt/*"

but found nothing.
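The compose file above tries to avoid `privileged: true` by bind-mounting pieces of the host (securityfs, `/lib`, `/usr/lib`, `/tmp`, `modprobe`) into the container. The GLIBC errors are a direct consequence of that: the image's `/bin/sh` needs `GLIBC_2.33`/`GLIBC_2.34` symbols that the host's `libc.so.6`, now mounted over the image's own, does not provide. The following audit script is an added example (not code from the issue or from the docker-kasm project). It assumes the compose file has already been parsed into a dict with any YAML loader (loading is not shown); the `SERVICE` dict is transcribed from the posted file with the Jinja-style placeholders replaced by constructed volume names, and `PRIVILEGED_SERVICE` is a constructed counterpart. It reports which settings are privileged-equivalent and which host mounts will cause ABI breakage of the kind shown above.

```python
"""Audit a parsed Docker Compose service for privilege and host-mount risk.

Added example, not part of docker-kasm. Input is the mapping under
`services.<name>` of an already-parsed compose file.
"""
from dataclasses import dataclass

# Host paths whose exposure is privileged-equivalent (high when writable) or
# otherwise risky. Keyed by host path; value is (base severity, reason).
SENSITIVE_HOST_PATHS = {
    "/var/run/docker.sock": ("high", "host Docker socket: full control of the host daemon"),
    "/sys/fs/cgroup": ("high", "host cgroupfs: writable access reaches host process control"),
    "/sys/kernel/security": ("high", "securityfs: exposes host LSM (AppArmor/SELinux) state"),
    "/dev": ("high", "host device nodes"),
    "/proc": ("high", "host procfs"),
    "/run/udev": ("medium", "host udev database"),
    "/tmp": ("medium", "host /tmp shared with the container: leaks and tmp races with host processes"),
}

# Host library/tool trees: bind-mounting them over the image's own copies
# produces glibc/ABI mismatches (the 'GLIBC_2.3x not found' errors) and lets
# container processes execute host binaries.
HOST_LIBRARY_PATHS = ("/lib", "/lib64", "/usr/lib", "/usr/sbin", "/usr/bin", "/bin")

ESCAPE_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    item: str      # the compose line that triggered it
    reason: str


def parse_volume(entry):
    """Split compose short syntax 'src:dst[:mode]' into (src, dst, mode)."""
    parts = entry.split(":")
    if len(parts) == 1:
        return None, parts[0], "rw"  # anonymous volume
    mode = parts[2] if len(parts) > 2 else "rw"
    return parts[0], parts[1], mode


def is_bind_mount(src):
    """Compose treats a source starting with /, ./ or ~ as a host path; anything else is a named volume."""
    return src is not None and src.startswith(("/", "./", "~"))


def _under(path, base):
    return path == base or path.startswith(base + "/")


def audit_service(service):
    findings = []
    if service.get("privileged") is True:
        findings.append(Finding("high", "privileged: true",
                                "all capabilities, no seccomp/AppArmor, every host device visible"))
    for cap in service.get("cap_add", []):
        if str(cap).upper().removeprefix("CAP_") in ESCAPE_CAPS:
            findings.append(Finding("high", f"cap_add: {cap}",
                                    "capability commonly sufficient for container escape"))
    for entry in service.get("volumes", []):
        if not isinstance(entry, str):
            continue  # long-syntax volume mappings are out of scope here
        src, _dst, mode = parse_volume(entry)
        if not is_bind_mount(src):
            continue
        writable = "ro" not in mode.split(",")
        for base, (severity, reason) in SENSITIVE_HOST_PATHS.items():
            if _under(src, base):
                # A read-only mount of a high-risk path still leaks state but is not an escape by itself.
                findings.append(Finding(severity if writable else "medium", entry, reason))
                break
        else:
            if any(_under(src, base) for base in HOST_LIBRARY_PATHS):
                findings.append(Finding("medium", entry,
                                        "host libraries/tools over image paths: glibc ABI mismatch, host binaries reachable"))
    return findings


def privileged_equivalent(service):
    """True when at least one finding grants the container host-level power."""
    return any(f.severity == "high" for f in audit_service(service))


# Transcribed from the compose file posted in the issue; volume names are constructed.
SERVICE = {
    "image": "lscr.io/linuxserver/kasm",
    "environment": {"KASM_PORT": "443", "TZ": "Europe/Paris"},
    "volumes": [
        "/sys/kernel/security:/sys/kernel/security:ro",
        "/usr/sbin/modprobe:/usr/sbin/modprobe:ro",
        "/usr/lib:/usr/lib:ro",
        "/lib:/lib:ro",
        "/tmp:/tmp:rw",
        "kasm_cgroups:/sys/fs/cgroup:rw",  # named volume, not a host bind mount
        "kasm_data:/opt:rw",
        "kasm_profiles:/profiles:rw",
    ],
}

# Constructed: the same image run the way the project documents it.
PRIVILEGED_SERVICE = {"image": "lscr.io/linuxserver/kasm", "privileged": True,
                      "volumes": ["kasm_data:/opt:rw"]}

if __name__ == "__main__":
    for name, svc in (("unprivileged attempt", SERVICE), ("privileged", PRIVILEGED_SERVICE)):
        print(f"== {name}: privileged-equivalent={privileged_equivalent(svc)}")
        for f in audit_service(svc):
            print(f"  [{f.severity}] {f.item}: {f.reason}")
```

Run against the posted file, the script reports no privileged-equivalent setting (all mounts are read-only or named volumes) but four host-library mounts, which is exactly where the `GLIBC_2.3x not found` failures come from, plus the shared `/tmp`. The point for a reviewer is that removing `privileged: true` by copying host paths into the container trades one risk for another rather than eliminating it.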

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

Pretty sure it's needed for docker-in-docker, a more precise search term to see if it's possible

tigerblue77 commented 1 year ago

Seems that you are right, I didn't know that, but they quote an alternative which seems interesting. But I don't know anything about all this stuff.

aptalca commented 1 year ago

That's for building docker images inside a docker container. Kasm runs containers inside of its container.

tigerblue77 commented 1 year ago

Okay well, perhaps there are other ways to do this? My goal is to run this container on a Docker Swarm setup and avoid security risks brought by running in privileged mode.

thelamer commented 1 year ago

@tigerblue77 the purpose of this container is to allow someone to spin up a Kasm Workspaces installation inside of a single docker container without polluting their underlying host.

In the end the application is files stored on disk for settings and a docker compose configuration. They support a native installation method (https://www.kasmweb.com/downloads). I would highly recommend looking at that installation method in a VM: how it installs, runs, and manages itself. https://www.kasmweb.com/docs/latest/index.html

As for this specific container, it will never run in an unprivileged mode. You might be able to cobble something together using alternative container platforms, but it will more than likely break it, and we as an organization only ever test containers running on Docker and containerd.

tigerblue77 commented 1 year ago

@thelamer okay, thanks for that explanation. Of course I was not talking about using something else than Docker.