mviereck / dockerfile-x11docker-deepin

3D desktop deepin from China
MIT License

Extending the x11docker/deepin image by 'sudo apt-get install pkg1 [pkg2 ...]'. #8

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

Hi,

Suppose I've started the x11docker/deepin docker image as follows:

$ x11docker --desktop --sudouser --clipboard --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- x11docker/deepin

Then, in the x11docker/deepin docker image, can I run the following command to add pkgs, instead of using the method mentioned here?

$ sudo apt-get install pkg1 [pkg2 ...]

Regards, HY

mviereck commented 3 years ago

Then, in the x11docker/deepin docker image, can I run the following command to add pkgs, instead of using the method mentioned here?

This will install the packages only temporarily. The packages are installed in the currently running container only. The container is removed after all applications have terminated, and x11docker will create a new one on the next start. For persistent installations you need a custom Dockerfile.
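As an added illustration of the "custom Dockerfile" route described in the reply above (this is example code, not a file from the x11docker or dockerfile-x11docker-deepin repositories): a derived image is built once, so the packages live in an image layer and survive x11docker removing the container after every session. The package names `gedit` and `htop` are placeholders chosen for the example; substitute the packages you actually want.

```dockerfile
# Added example, not part of the x11docker/deepin project.
# Derives from the stock image so added packages persist across
# x11docker runs, which always start from a fresh container.
FROM x11docker/deepin

# Placeholder package list (gedit, htop); replace with your own.
# One RUN layer: refresh the index, install without recommends,
# then drop the apt lists so the layer stays small and the cached
# index cannot go stale in a later build step.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        gedit \
        htop \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
```

Build it from the directory holding the Dockerfile with `docker build -t deepin-custom .` and then start it with the same x11docker command as before, replacing `x11docker/deepin` with `deepin-custom`. Anything installed interactively with `sudo apt-get install` inside the running session still vanishes when the container is removed; only what is baked into the image persists. The `--security-opt seccomp=unconfined` option in the original run command is unrelated to persistence: it disables Docker's default syscall filter for the container and is worth keeping only if the desktop actually fails without it.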

hongyi-zhao commented 3 years ago

Thanks a lot, I now understand the design philosophy of docker, i.e., "immutable infrastructure".

mviereck commented 3 years ago

Thanks a lot, I now understand the design philosophy of docker, i.e., "immutable infrastructure".

Docker (but not x11docker) allows reusing containers. x11docker always deletes the container afterwards and so achieves an "immutable infrastructure". Regular docker containers can be stopped and started again with docker stop and docker start. x11docker always generates a new container with docker run and removes it with docker rm.

hongyi-zhao commented 3 years ago

Why do you let x11docker work this way?

mviereck commented 3 years ago

Originally the reason was (and is) an issue with Docker itself.

To provide access to an X server, x11docker shares an X unix socket in /tmp/.X11-unix, e.g. /tmp/.X11-unix/X100. This temporary socket is removed by the system on reboot. During boot docker detects that the file no longer exists although it is shared with a container. docker generates a new regular empty file /tmp/.X11-unix/X100 owned by root. x11docker cannot remove the root-owned file, so it cannot run a new X server with display number 100, and so cannot reuse the container.

Meanwhile x11docker has a focus on security. From a security point of view it is better to run a fresh container every time than to reuse an old one. If a container is compromised somehow, it will be removed nonetheless next time.