
Firefox in a docker container

Open morfikov opened this issue 6 years ago • 9 comments

I've managed to create a docker container and Firefox browser in it. The browser works perfectly well, but the keepassxc browser extension can't connect to keepassxc, which is outside of the container.

I just wanted to ask if there is a way to connect the browser extension in such a config?

morfikov, Jan 22 '19 10:01

Absolutely not. Maybe if you run everything as root...

droidmonkey, Jan 22 '19 11:01

What about bind-mounting the Unix socket? The X server has the /tmp/.X11-unix/ dir, and its socket in it, and I was able to bind-mount the dir inside of the Docker container. KeePassXC uses /tmp/keepassxc-morfik.socket. What if that socket was under the /tmp/keepassxc/ dir?

morfikov, Jan 22 '19 13:01
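Whether the bind-mount idea works comes down to one question: is the socket visible and connectable from inside the container's mount namespace, under the path the proxy in the container will look for, and with a uid that is allowed to connect? The script below is an added diagnostic for exactly that; it is not code from this thread or from the KeePassXC project. It probes a Unix-domain socket path and separates the failure modes a practitioner hits here: path absent in this namespace (not mounted), path present but nobody listening (a stale socket file, which is what you get if you bind-mount the single socket file and KeePassXC later recreates it), permission denied (uid mismatch between host user and container user), or connected. The `/tmp/keepassxc-<user>.socket` default is an assumption taken from the path quoted above; the `demo()` listener is a constructed stand-in for KeePassXC so the script runs offline.

```python
"""Probe a Unix-domain socket (e.g. KeePassXC's browser socket) from the
current process and explain why it is or is not reachable.

Added example, not KeePassXC project code. Run it inside the container
against the mounted path, then on the host against the original path.
"""
import os
import socket
import stat
import tempfile

# Assumption: socket name follows the /tmp/keepassxc-<user>.socket pattern
# quoted in the thread; the real path depends on KeePassXC version/config.
DEFAULT_SOCKET = f"/tmp/keepassxc-{os.environ.get('USER', 'user')}.socket"


def probe_unix_socket(path: str) -> dict:
    """Return {'status', 'detail', 'owner_uid', 'my_uid'} for a socket path."""
    report = {"path": path, "status": "", "detail": "",
              "owner_uid": None, "my_uid": os.getuid()}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        report["status"] = "missing"
        report["detail"] = ("path does not exist in this mount namespace; "
                            "bind-mount the socket's directory into the container")
        return report

    report["owner_uid"] = st.st_uid
    if not stat.S_ISSOCK(st.st_mode):
        report["status"] = "not_a_socket"
        report["detail"] = "path exists but is not a Unix-domain socket"
        return report

    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.connect(path)
        report["status"] = "ok"
        report["detail"] = "connected; the listener is reachable from here"
    except PermissionError:
        # Socket inode is owned by another uid; container user must match
        # the host user's uid (or the socket's group/mode must allow it).
        report["status"] = "permission_denied"
        report["detail"] = f"socket owned by uid {st.st_uid}, we are uid {os.getuid()}"
    except ConnectionRefusedError:
        # File exists but no process is listening: KeePassXC is not running,
        # or the mount points at a stale inode from a previous KeePassXC run.
        report["status"] = "stale"
        report["detail"] = ("socket file exists but nobody is listening; "
                            "mount the directory, not the single file")
    except OSError as e:
        report["status"] = "error"
        report["detail"] = f"errno {e.errno}: {e.strerror}"
    finally:
        client.close()
    return report


def make_listener(path: str) -> socket.socket:
    """Bind a listening AF_UNIX socket at path (stand-in for KeePassXC)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv


def demo() -> dict:
    """Constructed scenario: walk one temp socket through every status."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "keepassxc-demo.socket")
    results = {}
    srv = make_listener(path)
    try:
        results["listening"] = probe_unix_socket(path)["status"]   # "ok"
    finally:
        srv.close()
    # Closing the listener leaves the socket file behind, as a KeePassXC
    # restart does: connect() now fails with ECONNREFUSED.
    results["stale"] = probe_unix_socket(path)["status"]           # "stale"
    os.unlink(path)
    results["missing"] = probe_unix_socket(path)["status"]         # "missing"
    plain = os.path.join(d, "not-a-socket")
    open(plain, "w").close()
    results["not_a_socket"] = probe_unix_socket(plain)["status"]   # "not_a_socket"
    os.unlink(plain)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    for k, v in probe_unix_socket(DEFAULT_SOCKET).items():
        print(f"{k}: {v}")
```

Two caveats follow from the statuses. A `stale` result after KeePassXC has been restarted is the signature of bind-mounting the socket file itself rather than its parent directory: the mount pins the old inode, so mounting the directory (as suggested above) is the robust choice. A `permission_denied` result means the uid inside the container does not match the host user who owns the socket, which is why "run everything as root" makes the problem disappear and why matching uids with `--user` is the least-privilege alternative. Note also that the proxy inside the container derives the socket path from its own environment (assumption), so the mount target must be the path it expects, not necessarily the host path.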

Why not just toss KeePassXC in the same docker container? If you are going to punch a communication hole anyway there is really no difference. You can keep the database in a shared folder between host and docker.

droidmonkey, Jan 22 '19 15:01

Why would you run Firefox in a Docker container? I consider that quite impractical, inconvenient and it's not even secure, because you are connecting it to your X server, which dissolves any confinement you'd gain by running it in a container. Better use AppArmor or SELinux policies if you want security.

phoerious, Jan 22 '19 15:01

@phoerious What's insecure? It's the same level of security compared to using Firefox in a regular X session; I don't think it makes any difference when it comes to Xorg. Or am I wrong? Why use it? Separate namespaces, especially the network one. AppArmor won't give you this. And all other things can be confined in the container, making it comparable to AppArmor (file access), but way simpler, because you don't have to play with the rules all the time. Of course you can write an AppArmor profile for a Docker container.

@droidmonkey I thought about it, but I think it's not an option. I need several containers, each of which has a different browser profile. Each of the profiles has to have access to KeePassXC, and I don't think copying the database to each Docker volume is the right way to go.

morfikov, Jan 22 '19 15:01

What about starting the Docker container with the host network? `--net=host`

pstorch, Jan 22 '19 18:01

That's what I meant. You are trying to confine Firefox by running it in a container, but unless you run a separate X server inside the container as well, you completely circumvent all that, so you may as well just run Firefox directly on your host system.

phoerious, Jan 22 '19 18:01

@pstorch No, I have to have the separate network namespace, for better anonymity and privacy.

@phoerious But when I visit some website, I give it lots of useful info, like internal IP, browser fingerprint, OS fingerprint, installed fonts, etc. When I run Firefox inside of the Docker container, all of that info is different. Also I can use a different set of firewall rules, different encrypted DNS servers for each container, etc. Will the X socket compromise that?

morfikov, Jan 22 '19 20:01

I found this: http://wiki.ros.org/docker/Tutorials/GUI

So there are a couple of ways to run GUI apps in Docker containers. I'm currently using the first one, but I think I'm gonna check the other possibilities as well. But for my needs, the setup I currently have suits me well.

morfikov, Jan 23 '19 06:01