mviereck / x11docker

Run GUI applications and desktops in docker and podman containers. Focus on security.
MIT License

No issue, just feature request / docker run options #119

Closed kkrevenant closed 5 years ago

kkrevenant commented 5 years ago

I have been using this for a few weeks, and I am liking it, thanks for making it happen.

I think the following features should add good value to this, in a very generic manner; simply put, to be the wrapper of three more docker run options.

  1. --security-opt="seccomp=profile.json" Whitelisted syscalls seccomp JSON file to be used as a seccomp filter, so that one can have fine-grained control over this; right now your solution is all or nothing.

  2. --network="networkname"

Italic part copied from docker documentation

--network="bridge" : Connect a container to a network
  'bridge': create a network stack on the default Docker bridge
  'none': no networking
  'container:<name|id>': reuse another container's network stack
  'host': use the Docker host network stack
  'network-name|network-id': connect to a user-defined network

So that one can go crazy on a custom network setting and pass it in.

  3. --ip="" Related to 2, the ability to assign a static IP address to the container.

I have actually hacked around your big script to make the first one happen already, but bash is not my strength, you seem to produce way prettier bash code than I do.

Cheers.

After posting this, I read issue 113, your thoughts about internet and such; 2 and 3 will completely supersede what you had in mind for a tech-savvy guy, but on the other hand, your way will please a user that does not want to spend too much time messing with docker better.

mviereck commented 5 years ago

Thank you for the feedback and suggestion!

--security-opt="seccomp=profile.json" --network="networkname" --ip=""

This is already possible if you add custom docker run options encapsulated with -- to x11docker command. Example:

x11docker --desktop -- --network=bridge --ip=172.30.100.104 --security-opt="seccomp=profile.json" -- x11docker/xfce

Compare syntax from x11docker --help:

  x11docker [OPTIONS] -- DOCKER_RUN_OPTIONS -- IMAGE [COMMAND [ARG1 ARG2 ...]]

This works in general for all docker run options, but can fail for those already set by x11docker. You can see the created docker command if you run with option --debug.

After posting this, I read issue 113, your thoughts about internet and such; 2 and 3 will completely supersede what you had in mind for a tech-savvy guy, but on the other hand, your way will please a user that does not want to spend too much time messing with docker better

Meanwhile I decided to allow internet access per default, i.e. leaving it as is. So it won't interfere with custom --network options. About the concept of providing a secure, sandbox-like setup: x11docker aims to provide secure defaults but also allows less secure setups. Even --privileged can be set in custom docker run options, which allows the container to burn down the host.
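As an added example (written here, not code from the thread or from x11docker itself) of the approach described above: a small POSIX shell script that turns a syscall allowlist into a Docker seccomp profile and then launches a desktop through x11docker's second `--` section with a custom network, static IP and that profile. Two assumptions are placeholders: the user-defined network name `guinet` and the syscall allowlist, which is a constructed stub (a real one has to be derived for the application, e.g. from strace). Two caveats worth knowing: Docker honours `--ip` only on a user-defined network, not on the default `bridge`, and a custom `--security-opt seccomp=` replaces Docker's default profile entirely rather than adding to it, so an allowlist that is too short shows up as EPERM errors inside the container.

```shell
#!/bin/sh
# Added example, not x11docker's own code. Assumes a user-defined docker
# network named "guinet" (placeholder) and the x11docker syntax quoted in
# the thread:  x11docker [OPTIONS] -- DOCKER_RUN_OPTIONS -- IMAGE [COMMAND ...]
set -eu

# Build a Docker seccomp profile from a newline-separated syscall allowlist.
# Unlisted syscalls fail with EPERM (SCMP_ACT_ERRNO) instead of killing the
# process with SIGSYS, so a missing entry surfaces as a traceable error.
make_seccomp_profile() {
    allowlist="$1"   # file with one syscall name per line
    out="$2"         # profile JSON to write
    names=$(grep -v '^[[:space:]]*$' "$allowlist" \
            | sed 's/[[:space:]]//g; s/.*/"&"/' \
            | paste -sd, -)
    printf '{\n  "defaultAction": "SCMP_ACT_ERRNO",\n  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],\n  "syscalls": [\n    { "names": [%s], "action": "SCMP_ACT_ALLOW" }\n  ]\n}\n' "$names" > "$out"
}

# Return 0 if the profile explicitly allows the named syscall, 1 otherwise.
profile_allows() {
    grep -q "\"$2\"" "$1"
}

# Launch a desktop, passing the docker run options through x11docker's second
# "--" section. --debug makes x11docker print the docker command it assembles,
# which is how to check that an option x11docker sets itself was not clobbered.
# The profile path must be absolute: docker resolves it on the client side.
run_desktop() {
    profile="$1"; network="$2"; ip="$3"; image="$4"
    x11docker --debug --desktop -- \
        --network="$network" --ip="$ip" \
        --security-opt="seccomp=$profile" \
        -- "$image"
}

# Demo, only when invoked as "./script run" on a host that has x11docker.
# The allowlist is a constructed stub far too short for a real desktop.
if [ "${1:-}" = "run" ] && command -v x11docker >/dev/null 2>&1; then
    printf '%s\n' read write openat close mmap brk exit_group > allow.txt
    make_seccomp_profile allow.txt profile.json
    run_desktop "$(pwd)/profile.json" guinet 172.30.100.104 x11docker/xfce
fi
```

Because `--debug` prints the assembled `docker run` line, compare it against the options you passed: if x11docker already sets one of them (as mviereck notes can happen), that is where the conflict becomes visible.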