
Version 2 (modified by Antoine Martin, 6 years ago) (diff)

remove opinion piece

Xpra + Docker

The information below has not been verified by xpra.org; use it at your own risk.

Rationale

Xpra and Docker can be used together to isolate an application from the Unix user account that runs it.

A regular Unix application runs with the user's full privileges, and therefore has access to every file in the user's home directory.

Running the application inside a container, with only an Xpra connection back to the host, constrains it to the resources it really needs to run and no more. For example, a web browser (or a proprietary application like Skype) can be segregated this way; applications isolated like this have a very restricted view of the system they run on.

Resources

Notes

  • Be careful not to compromise your system's security while trying to strengthen an application's separation (see https://github.com/subuser-security/subuser/issues/131).
  • Reportedly, Docker+Xpra can be made to work with local (unix socket) connections. Mount a host directory as the container's ~/.xpra directory, so that the server's socket file is exposed to the host; use a dedicated directory for this rather than the host's own ~/.xpra, since the container gets write access to whatever is mounted. Xpra names its socket <hostname>-<display>, and the container has its own hostname, so symlink the exposed socket to ~/.xpra/<hostname>-<display> on the host (using the host's hostname); a client on the host can then attach to the session transparently.
  • Also, reportedly, this even works with an mmap file, which dramatically improves performance. The Xpra protocol has the client send the mmap file's path to the server, which opens that path as-is. The client creates the file in the system's temporary directory, which can be overridden with the TMPDIR environment variable; bind-mounting the host's TMPDIR at the same path inside the container lets the Xpra server find it. Note that the mmap file is memory shared between the client and the server, so this mount is a deliberate hole in the container's isolation: keep the directory private to your user and share nothing else through it.
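The procedure described in the two notes above, written out as a shell script. This is an added example, not code from the xpra.org wiki or the xpra project, and its names are assumptions: an image called xpra-app that has xpra and xterm installed, a container home directory of /home/app, display :100, and a host state directory under ~/xpra-docker that holds the shared .xpra socket directory and the shared TMPDIR for the mmap file. The script only defines functions unless invoked with "start" or "attach", and it refuses to start the container if the mmap directory would not be mounted at the same path on both sides.

```shell
#!/bin/sh
# Added example (not from xpra.org): run an xpra server inside a Docker
# container and attach from the host over a unix socket, with mmap enabled.
# All names below are hypothetical and can be overridden from the environment.
set -e

DISPLAY_NUM="${DISPLAY_NUM:-100}"
IMAGE="${IMAGE:-xpra-app}"                    # assumed to contain xpra and xterm
CONTAINER="${CONTAINER:-xpra-app}"            # also used as the container hostname
CONTAINER_HOME="${CONTAINER_HOME:-/home/app}"
HOST_STATE="${HOST_STATE:-$HOME/xpra-docker}" # only host directory the container sees
SHARED_TMP="$HOST_STATE/tmp"                  # host TMPDIR: the mmap file lives here
CONTAINER_TMP="${CONTAINER_TMP:-$SHARED_TMP}" # must equal SHARED_TMP (path is sent verbatim)

# xpra names its unix socket <hostname>-<display> inside the socket directory.
xpra_socket_name() { printf '%s-%s' "$1" "$2"; }

# Where the container's socket shows up on the host, given the container hostname.
container_socket_on_host() {
  printf '%s/.xpra/%s' "$HOST_STATE" "$(xpra_socket_name "$1" "$2")"
}

# The path the host client expects for ":N": ~/.xpra/<host hostname>-N.
host_socket_link() {
  printf '%s/.xpra/%s' "$HOME" "$(xpra_socket_name "${HOSTNAME:-$(hostname)}" "$1")"
}

# The client sends the mmap file path to the server as-is, so the server must
# see the file at exactly the same path; returns non-zero if the mounts differ.
mmap_paths_match() { [ "$1" = "$2" ]; }

start_container() {
  mmap_paths_match "$SHARED_TMP" "$CONTAINER_TMP" || {
    echo "mmap dir must be mounted at the same path on both sides" >&2; return 1; }
  mkdir -p "$HOST_STATE/.xpra" "$SHARED_TMP"
  chmod 700 "$HOST_STATE" "$HOST_STATE/.xpra" "$SHARED_TMP"  # socket + shared memory: private
  # Same uid/gid as the host client so it may open the socket and the mmap file.
  # Only the socket directory and the mmap directory are shared; nothing else
  # from the host (in particular not the host's own ~/.xpra or X11 socket).
  docker run -d --name "$CONTAINER" --hostname "$CONTAINER" \
    --user "$(id -u):$(id -g)" -e HOME="$CONTAINER_HOME" \
    -v "$HOST_STATE/.xpra:$CONTAINER_HOME/.xpra" \
    -v "$SHARED_TMP:$CONTAINER_TMP" \
    "$IMAGE" \
    xpra start ":$DISPLAY_NUM" --daemon=no \
      --socket-dir="$CONTAINER_HOME/.xpra" --mmap=yes --start=xterm
}

attach_from_host() {
  mkdir -p "$HOME/.xpra"
  # Bridge <container hostname>-N (what the server created) to
  # <host hostname>-N (what "xpra attach :N" looks for on the host).
  ln -sfn "$(container_socket_on_host "$CONTAINER" "$DISPLAY_NUM")" \
          "$(host_socket_link "$DISPLAY_NUM")"
  # The client creates the mmap file under TMPDIR; the bind mount above makes
  # the server find it at the identical path inside the container.
  TMPDIR="$SHARED_TMP" xpra attach ":$DISPLAY_NUM" --socket-dir="$HOME/.xpra" --mmap=yes
}

case "${1:-}" in
  start)  start_container ;;
  attach) attach_from_host ;;
esac
```

Usage: run the script once with `start`, then with `attach`; a window with xterm should appear, with the mmap transport in use. If the container image runs as a different uid than your host user, the socket and mmap file permissions will stop the connection, which is why the script passes `--user` explicitly.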