
Running docker-osx with unprivileged container user

Open mviereck opened this issue 4 years ago • 3 comments

Coming from https://github.com/mviereck/x11docker/issues/331, we might continue the discussion here on how docker-osx could be improved to integrate better with x11docker.

I am citing myself:

@sickcodes Some improvements could be done within docker-osx: Especially of interest is to allow an entirely unprivileged container user. Can be tested with docker run --cap-drop=all --security-opt=no-new-privileges [...]. Steps needed:

  • Avoid sudo
  • Use --group-add kvm --group-add audio instead of chown [...] /dev/kvm /dev/snd.
  • Set up an unprivileged sshd.

Working x11docker commands so far:

  • This command runs with an entirely unprivileged container user (with x11docker's default --cap-drop=ALL --security-opt=no-new-privileges):
    x11docker --share /dev/kvm --group-add kvm --alsa -- -p 50922:10022 -- sickcodes/docker-osx:latest
    
  • This command sets up a privileged container user allowing docker's default container capabilities (--cap-default) and running with container user arch. Otherwise failing with sshd errors:
    x11docker --share /dev/kvm --group-add kvm --user=RETAIN --cap-default --alsa -- -p 50922:10022 -- sickcodes/docker-osx:auto
    

You can see the generated docker command if running x11docker with option --debug.

mviereck avatar Mar 18 '21 16:03 mviereck
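
The flags named in the comment above leave visible traces in a process's /proc/<pid>/status, so the setup can be verified from inside the container. The following is an added example, not part of the thread and not docker-osx or x11docker code; the function names, the sample status text and the gid 992 are constructed assumptions.

```shell
# Added example (not from docker-osx or x11docker): audit /proc/<pid>/status text
# for the unprivileged setup described above. All sample data is constructed.

# Print the value of one "Key: value" line (real files use tabs; both accepted).
status_field() {
    printf '%s\n' "$1" | awk -F':[ \t]*' -v k="$2" '$1 == k { print $2; exit }'
}

# audit_status STATUS_TEXT DEVICE_GID: one finding per line, returns 0 if all pass.
audit_status() {
    st=$1; dev_gid=$2; rc=0
    # --cap-drop=all empties every set, including the bounding set that a
    # setuid binary such as sudo could otherwise draw capabilities from.
    for name in CapEff CapBnd; do
        val=$(status_field "$st" "$name")
        case $val in
            ''|*[!0]*) echo "FAIL $name=$val"; rc=1 ;;
            *)         echo "ok   $name empty" ;;
        esac
    done
    # --security-opt=no-new-privileges shows up as NoNewPrivs: 1
    if [ "$(status_field "$st" NoNewPrivs)" = 1 ]; then echo "ok   NoNewPrivs"
    else echo "FAIL NoNewPrivs not set"; rc=1; fi
    # Second number on the Uid line is the effective uid.
    euid=$(status_field "$st" Uid | awk '{ print $2 }')
    if [ -n "$euid" ] && [ "$euid" != 0 ]; then echo "ok   euid=$euid"
    else echo "FAIL euid=$euid"; rc=1; fi
    # --group-add puts the device's gid into the supplementary groups.
    grp=$(status_field "$st" Groups | tr '\t' ' ')
    case " $grp " in
        *" $dev_gid "*) echo "ok   gid $dev_gid in Groups" ;;
        *)              echo "FAIL gid $dev_gid missing from Groups"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples; 992 stands in for the gid owning /dev/kvm on the host.
SAMPLE_UNPRIV='Uid: 1000 1000 1000 1000
Groups: 29 992 1000
NoNewPrivs: 1
CapEff: 0000000000000000
CapBnd: 0000000000000000'
SAMPLE_DEFAULT='Uid: 1000 1000 1000 1000
Groups: 1000
NoNewPrivs: 0
CapEff: 0000000000000000
CapBnd: 00000000a80425fb'
audit_status "$SAMPLE_UNPRIV" 992
```

The second sample shows why a non-root uid alone is not enough: CapEff is empty, but the bounding set is still populated and NoNewPrivs is 0. For a live check, pass the contents of /proc/1/status read inside the container and the gid reported by stat -c %g /dev/kvm.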

Thanks @mviereck I'll pump this out in the weekend. I've wanted to increase container security for some time now.

sickcodes avatar Mar 18 '21 17:03 sickcodes

Implementing these today, thanks legend

sickcodes avatar Mar 21 '22 19:03 sickcodes

I don't see new commits in your repo yet. If there are questions on this, just ask.

mviereck avatar Mar 22 '22 14:03 mviereck