Wayland Apps in WireGuard Docker Containers
procustodibus.com41 points by justinludwig 5 hours ago
41 points by justinludwig 5 hours ago
This is wonderful! I wish I could upvote this 10 times. This clearly took a huge amount of work to write and also to verify (which they clearly did!), and I hope OP knows how much I recognize and appreciate that!
This is exactly what I wish we got more from blog posts. It covers all the things for a real world complex yet simplified (as much as possible without negating the value of the tutorial by skipping important steps) and does some really cool things like run GUI apps in containers by passing in Wayland display socket (and a serious GUI app - an RDP client connecting to a remote machine over the wg tunnel, and a browser (Firefox) with audio!), access the host SSH agent, set up a real-world wireguard tunnel that does IP forwarding, etc.
OP, I hadn't heard of Custodibus before, but it sounds useful and I love that there's a GPL community version. I'll be testing it out and you may have also won yourself a customer, gatewayed from this blog post :-)
First, obligatory: Bingo:) (All the cool new tech in one title)
But super cool; there's something really appealing about creating what I would call thin clients in containers - this should even make it easy to have, say, multiple browsers open, each on a different network.
I do the same X + Wayland + PulseAudio socket mounted inside a (Podman, not Docker) container thing for sandboxing GUI programs like Steam, so that they do not have access to any host resources (especially the filesystem, which Steam has a reputation for not handling well :) ) unless I specifically allow it.
I have had pretty good success with steam inside docker. Things like playing counter strike have been pretty seamless. It's cool to see others doing the same. I'm waiting for wayland isolation stuff to actually be integrated into everything (security contexts etc). Even with all this isolation passing in an X socket totally breaks any security guarantees against anything actually malicious. For other apps I can do the dummy X server trick (nxagent etc), however for gaming that is really not an option with the performance requirements.
I use sway and I think it supports security-context-v1, though I haven't tried it. That said, my current setup is just to run cage + xwayland inside the container which gives decent enough sandboxing AFAIK. (I used to use Xephyr but the cage approach gives me dynamically resizable windows). At the very least the host clipboard is not shared with the sandboxed process, which is the primary thing I'm concerned about.
Are you willing to share any of your code, especially for Steam? I'd love to do this as well but had a hell of a time getting X/Wayland and the GPU all mounted in. Gave up after a short time (have too many projects already) and just used the Flatpak, but I'd love to fully containerize it.
https://news.ycombinator.com/item?id=34634854
My current one is quite a bit different (based on Debian instead of Ubuntu, additional steps to make VR work, and some other changes) but the parts related to sockets etc are the same.
Neat, thank you!
Direct link to Gist for any other interested people: https://gist.github.com/Arnavion/81006757190c29aa0b24c674e24...
This is content marketing meant to showcase/get folks using the procustodibus docker images, FYI.
Yes fair to point out, there is some of that, but it is genuinely very good content. I typically hate marketing-masquerading-as-tech stuff, but if it were all like this, I'd have no problem whatsoever. There is little to nothing here that is fluff or distraction for marketing purpose, and there's no purchase necessary to follow the whole post. This seems written by a nerd who knows and loves what they do, and that happens to be work-related