[QUESTION] running SSH server inside

[lvm]

Hi Ryland,

This is not really an issue but a question to help me understand the project better. Why is there a need to run a SSH server inside each container? why docker exec -it name-of-container sh is not enough?

I've used Docker in a similar fashion in the past to run a live coding environment, basically a similar goal as this project.

[rylandg]

It's a great question. I initially used docker exec but it has some limitations.

• Binding the host display server is incredibly convenient with ssh (simply add -X|Y), with docker engine it's much more work
• With exec I was unable to find a way to run the user process as non Pid-1, with ssh this is easily achievable
• SSH default allows you to have the same experience if your container is running on a local machine or a remote machine
• I have many scripts that are written based on SSH protocol, such as Rsync. These work out of the box with ssh
• You can have multiple users in the same container with SSH, with exec it's a single process so not possible
• Docker engine itself uses REST over HTTP, SSH over HTTP isn't a huge difference

Let me know if that makes sense to you. Also your project looks very cool!

[lvm]

hey! thanks for your reply

• not sure how much of extra work requires to run X apps inside docker. you need to share your "host" Xserver/DISPLAY env var and perhaps run xhost:

  $ xhost +`hostname`.local
  $ docker run -it -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=unix$DISPLAY docker-image random-x-app

• for pid 1, you can use a shell (ie: bash, sh, zsh) to be pid 1

  mauro@xpc:~$ docker run --rm -it multiseat bash
  root@a3fc788d3288:/# ps
  PID TTY          TIME CMD
  1 pts/0    00:00:00 bash
  6 pts/0    00:00:00 ps

  unless you want to launch an app directly, but in that case I'm confused

• about a "multi-seat" container, unless i'm missing something really obvious, this [0] is what i've just tried and can say that it just works (sic). recording: https://asciinema.org/a/2rlLIUQmxLsn6zUj248yLIHYF

Well, if you already have a "setup" that requires rsync/ssh scripts, then there's nothing to discuss :-)
I'm asking these questions because this project it's pretty similar to something i've been thinking about these past weeks. I had to move from one laptop (running debian) to another (running macos) because of a faulty hard drive and needed a quick way to spin a "development environment" so i could continue working. Also i didn't needed the entire OS, just an editor + git + ssh + python3 (+related py3 tools), so i could jump from machine to machine without thinking much about it while maintaining a minimal-dev-environment. I mean, if I could get docker to run on my phone that would definitely be amazing.

Again, sorry if this comes up as a negative-feedback, it's not my intention, really!

[0]

FROM debian:stable

ENV DEBIAN_FRONTEND noninteractive
ENV LANG C.UTF-8

ENV USER_MAURO mauro
ENV HOME_MAURO /home/mauro
ENV UID_MAURO 1000

ENV USER_TEST test
ENV HOME_TEST /home/test
ENV UID_TEST 1001

RUN apt-get update \
    && apt-get install -yq procps \
    && addgroup --system $USER_MAURO \
    && addgroup --system $USER_TEST \
    && useradd --system --create-home \
               --home-dir $HOME_MAURO \
               --shell /bin/bash \
               --gid $USER_MAURO \
               --groups $USER_MAURO,sudo \
               --uid $UID_MAURO \
               --password $USER_MAURO \
               $USER_MAURO \
    && mkdir -p $HOME_MAURO \
    && useradd --system --create-home \
               --home-dir $HOME_TEST \
               --shell /bin/bash \
               --gid $USER_TEST \
               --groups $USER_TEST,sudo \
               --uid $UID_TEST \
               --password $USER_TEST \
               $USER_TEST \
    && mkdir -p $HOME_TEST \
    && chown -Rh $USER_MAURO:$USER_MAURO -- $HOME_MAURO \
    && chown -Rh $USER_TEST:$USER_TEST -- $HOME_TEST

[rylandg]

Again, sorry if this comes up as a negative-feedback, it's not my intention, really!

Don't worry about that at all. Life is a never ending opportunity to improve. I wish more people would open issues with critical questions like yours.

not sure how much of extra work requires to run X apps inside docker. you need to share your "host" Xserver/DISPLAY env var and perhaps run xhost:

Doing it the way you suggested has a negative effect on the isolation model of Docker. Also it's not anywhere near as reliable on varying underlying host OS's. I'm almost entirely sure that won't work on Windows and probably not OSX either. SSH is universal, every modern OS can satisfy it's API.

Have you tried actually running graphical applications with your method? The internet leads me to believe you'll run into some serious perf issues

Also, the method you describe only works if your container is running locally. It's an important consideration for me, but maybe not for most

for pid 1, you can use a shell (ie: bash, sh, zsh) to be pid 1

As explained here, running bash as PID 1 is only a small part of the solution to the problem. There are definitely ways to do this without SSH, (ie phusion image). It just made sense based on my other constraints to use the method I did.

about a "multi-seat" container, unless i'm missing something really obvious, this [0] is what i've just tried and can say that it just works (sic).

I was definitely wrong on that one. Devils advocate, tools like wemux only work with SSH.

I mean, if I could get docker to run on my phone that would definitely be amazing.

Android or Iphone? Android at some level is nix so probably possible. Good luck in IOS though. I've thought about it before too, maybe one day.

Your dockerfile definitely has some overlap with MyOS, definitely a few things I think you could borrow from the one in MyOS though (using phusion as base image).

Also, did you read my blog post about the rationale of MyOS?

I hope I covered everything, if I didn't please let me know.

Thanks again for the awesome feedback.

[rylandg]

@all-contributors please add @lvm for asking critical questions

[allcontributors[bot]]

@rylandg

I've put up a pull request to add @lvm! :tada:

[lvm]

Again, sorry if this comes up as a negative-feedback, it's not my intention, really!

Don't worry about that at all. Life is a never ending opportunity to improve. I wish more people would open issues with critical questions like yours.

Cool :D

not sure how much of extra work requires to run X apps inside docker. you need to share your "host" Xserver/DISPLAY env var and perhaps run xhost:

Doing it the way you suggested has a negative effect on the isolation model of Docker. Also it's not anywhere near as reliable on varying underlying host OS's. I'm almost entirely sure that won't work on Windows and probably not OSX either. SSH is universal, every modern OS can satisfy it's API.

Ah yeah, haven't thought of this. Normally, I'm 98% of the time running a GNU/Linux distro, the rest macOS / windows 10. So yes, in this case SSH is much more flexible.

Have you tried actually running graphical applications with your method? The internet leads me to believe you'll run into some serious perf issues

Yes I have, actually I started to do so after reading/watching Jessie Frazelle blogposts/talks. More precisely KDEnlive (because didn't wanted to install kde dependencies) and PabloDraw (same thing but with mono libs), among other less complicated apps.

Also, the method you describe only works if your container is running locally. It's an important consideration for me, but maybe not for most

All good. And yeah, the container I had in mind didn't really required an X server, just cli apps, so even when running this remotely, this wouldn't be a problem at all.

for pid 1, you can use a shell (ie: bash, sh, zsh) to be pid 1

As explained here, running bash as PID 1 is only a small part of the solution to the problem. There are definitely ways to do this without SSH, (ie phusion image). It just made sense based on my other constraints to use the method I did.

If I understood correctly, phusion uses runit, which I've used in the past for a crappy-disposable-wp-envinronment.
In any case, there are a couple of interesting things in the phusion image, will definitely give it a try.

about a "multi-seat" container, unless i'm missing something really obvious, this [0] is what i've just tried and can say that it just works (sic).

I was definitely wrong on that one. Devils advocate, tools like wemux only work with SSH.

No worries.

I mean, if I could get docker to run on my phone that would definitely be amazing.

Android or Iphone? Android at some level is nix so probably possible. Good luck in IOS though. I've thought about it before too, maybe one day.

Yeah, I can run Lil Debi or similar on Android, but I was thinking of something more magical, with less layers (I'm not sure I'm completely clear).
In the past, just for fun, rooted my kindle (paperwhite) and had a debian chroot inside that had emacs, gpg, irssi, and lynx. Not so useful, but it was fun nonetheless. You see, I still fantasize with having a pocket laptop (similar to but not as expensive as GPD Pocket). I blame Neuromancer for this.

Your dockerfile definitely has some overlap with MyOS, definitely a few things I think you could borrow from the one in MyOS though (using phusion as base image).

Also, did you read my blog post about the rationale of MyOS?

I hope I covered everything, if I didn't please let me know.

Thanks again for the awesome feedback.

Thank you for your extensive reply. And will definitely investigate more, and hopefully contribute to this project in the future!

If you wish you can close this issue, I have no questions left :D

[rylandg]

X11 Server is also needed for copy-paste support. In my personal env + myos setup I can copy in myos tmux and paste in chrome on host. That's really powerful, especially if you're using chrome vim. I'm honestly not sure if Docker supports that or not out of the box. Tmux would obviously be irrelevant to the equation when comparing.

I think I'll keep the issue open as this is an important conversation, and it should be visible.