= [[Image(http://xpra.org/icons/docker.png)]] Xpra + Docker =

The information below has not been verified by xpra.org, use at your own risk.

{{{#!div class="box"
= Rationale =
Xpra and docker can be used to isolate applications from unix user accounts. Regular unix applications have full access to '''all the files''' in the user's home directory.

For example, this combination can be used to constrain a web browser (or a proprietary application like Skype) to the resources it really needs to run and no more.

The applications segregated in this way have a very restricted view of the system they run on.
}}}

{{{#!div class="box"
== Resources ==
 * [http://docker.io/]
 * [https://github.com/rogaha/docker-desktop] is a working showcase for combining docker and Xpra for the desktop
 * Subuser [https://github.com/subuser-security/subuser] tries to wrap the solution to make it more easily accessible
}}}

{{{#!div class="box"
== Notes ==
 * Be careful not to compromise your system's security while trying to enhance an application's separation: [https://github.com/subuser-security/subuser/issues/131]
 * Reportedly, Docker+Xpra can be made to work with local connections. By mounting a host's directory as the container's ~/.xpra directory, the connection socket file is exposed to the host. Symlinking from the host's ~/.xpra/HostsHostname-DisplayNumber makes the client's session available transparently to the host.
 * Also, reportedly, this even works with a mmap file (dramatically improving performance). The Xpra protocol dictates that the mmap file's path is sent from the client to the server. The client creates this file in the system's tmp directory, which can be overridden with the TMPDIR environment variable. Mounting a host's path at the right location in the docker volume enables the Xpra server to find it.
}}}
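
The two mounts and the symlink described in the notes above, as an added example that is not from the original page and, like the notes, not verified by xpra.org. The container home `/home/user`, the directory layout, the container hostname `xpra-box`, display `100`, the image name `my-xpra-image` and the helper function names are assumptions; the helpers refuse shared directories that other users on the host can enter.

```shell
#!/bin/sh
# Added example, not from the original page. CONTAINER_HOME and all paths
# passed to these helpers are assumptions chosen for illustration.
CONTAINER_HOME=/home/user   # assumed home directory inside the container

# Create a directory that only the current user can enter.
make_private_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# True only for a real directory (not a symlink) with mode 0700.
is_private_dir() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the docker volume options. sock_dir becomes the container's ~/.xpra;
# mmap_dir is mounted at the same path on both sides, because the client
# sends the mmap file's path to the server.
volume_args() {
    sock_dir=$1 mmap_dir=$2
    is_private_dir "$sock_dir" && is_private_dir "$mmap_dir" || return 1
    printf '%s\n' "-v $sock_dir:$CONTAINER_HOME/.xpra -v $mmap_dir:$mmap_dir"
}

# Link the container's socket (<container hostname>-<display>) under the name
# the host client looks for: <host hostname>-<display> in the host's ~/.xpra.
link_socket() {
    sock_dir=$1 host_xpra_dir=$2 container_hostname=$3 display=$4
    make_private_dir "$host_xpra_dir" || return 1
    ln -sf "$sock_dir/$container_hostname-$display" \
        "$host_xpra_dir/$(uname -n)-$display"
}

# Usage sketch (my-xpra-image is a placeholder for an image that starts an
# xpra server on display :100):
#   make_private_dir "$HOME/xpra-docker/sock"
#   make_private_dir "$HOME/xpra-docker/tmp"
#   docker run --hostname xpra-box \
#       $(volume_args "$HOME/xpra-docker/sock" "$HOME/xpra-docker/tmp") my-xpra-image
#   link_socket "$HOME/xpra-docker/sock" "$HOME/.xpra" xpra-box 100
#   TMPDIR="$HOME/xpra-docker/tmp" xpra attach :100
```
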