I'm looking at running a GUI app in docker. I've heard that this incurs security problems due to the Xserver being exposed. I'd like to know what is being done in each of the following steps, specifically the xhost local:root step:
- [ -d ~/workspace ] || mkdir ~/workspace
- xhost local:root
- docker run -i --net=host --rm -e DISPLAY -v $HOME/workspace/:/workspace/:z docbill/ubuntu-umake-eclipse
[ -d ~/workspace ] || mkdir ~/workspace
This creates a workspace directory in your home directory if it doesn't already exist.
xhost local:root
This permits the root user on the local machine to connect to X windows display.
docker run -i --net=host --rm -e DISPLAY -v $HOME/workspace/:/workspace/:z docbill/ubuntu-umake-eclipse
This runs a container with the following options:
- -i: interactive, input typed after this command is run is received by the process launched inside the container.
- --net=host: host networking, the container is not launched with an isolated network stack. Instead, all networking interfaces of the host are directly accessible inside the container.
- --rm: automatically clean up the container on exit. Otherwise the container will remain in a stopped state.
- -e DISPLAY: pass through the DISPLAY environment variable from the host into the container. This tells GUI programs where to send their output.
- -v $HOME/workspace/:/workspace/:z: map the workspace folder from your home directory on the host to the /workspace folder inside the container with selinux sharing settings enabled.
- docbill/ubuntu-umake-eclipse: run this image, authored by user docbill on the docker hub (anyone is able to create an account here). This is not an official image from docker but a community submitted image.
From the options, this command is most likely designed for users running on a RHEL or CentOS Docker host. It will not work on Docker for Windows or Docker for Mac, but should work on other variants of Linux.
I've used similar commands to run my containers with a GUI, but without the xhost and host networking. Instead, I've just mapped in the X windows socket (/tmp/.X11-unix) directly to the container:
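As an added example (not from the original answer or the docbill image), here is a small POSIX shell function that classifies the access list `xhost` prints, so you can check what the display accepts before running `xhost local:root` and confirm it is reverted afterwards; the sample xhost outputs are constructed, not captured from a real session.

```shell
#!/bin/sh
# xhost_risk: read the output of `xhost` (with no arguments) on stdin and print
# one word describing how exposed the X display currently is:
#   open   - access control disabled: any client that can reach the socket connects
#   local  - a LOCAL: entry is present: any local uid may connect over the Unix socket
#            (this is what `xhost local:...` adds)
#   user   - only the listed users/hosts (e.g. SI:localuser:<name>) are authorised
#   locked - access control on and no entries at all
xhost_risk() {
    state=locked
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)        state=open ;;
            LOCAL:*)                           [ "$state" = open ] || state=local ;;
            SI:localuser:*|INET:*|INET6:*)     [ "$state" != locked ] || state=user ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed sample: a default desktop session, only the logged-in user allowed.
SAMPLE_DEFAULT='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Constructed sample: the same session after `xhost local:root` has been run.
SAMPLE_AFTER_XHOST='access control enabled, only authorized clients can connect
SI:localuser:alice
LOCAL:'

# Constructed sample: after `xhost +`, access control switched off entirely.
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'

# Stand-alone usage against the live display:  xhost | xhost_risk
# To undo the LOCAL: entry once the container has exited:  xhost -local:
```

Run `xhost | xhost_risk` before and after the container session; a result of `local` or `open` means the widened access list has not been reverted.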