Chapter 5. Locked-down, secure Firefox in a container
This section explains how to deploy a secure container that runs Firefox. This container gives you an instance of Firefox, containerized, with the following features:
- Completely unprivileged - needs no extra SELinux tweaking
- Only the list of cgroups is passed into the container from the host
- No port redirection because the container is available only to the host
- No X11 clipboard events or X events shared with your real host
- No shared sound hardware
- Everything runs with normal, non-elevated user permissions except for systemd (and systemd runs only to reap the other processes)
- Unsynced sound, flash, and interactivity.
Running Firefox Securely in a Container
Retrieve the base image that we use to build this container:
$ curl -o Fedora-Docker-Base-22-20150521.x86_64.tar.xz -L https://download.fedoraproject.org/pub/fedora/linux/releases/22/Docker/x86_64/Fedora-Docker-Base-22-20150521.x86_64.tar.xz
Load the base image you just downloaded into the local Docker registry:
$ sudo docker load < Fedora-Docker-Base-22-20150521.x86_64.tar.xz
Create a directory to hold the Dockerfile that will map out this container:
$ mkdir -p isolated_firefox
Retrieve the Dockerfile by using this curl command:
$ curl -o isolated_firefox/Dockerfile -L http://pastebin.com/raw.php?i=cgYXQvJu
Build the container and tag it with the tag isolated_firefox (docker build takes a single build-context path, the directory holding the Dockerfile):
$ sudo docker build -t isolated_firefox isolated_firefox
Run the container:
$ sudo docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro isolated_firefox
Retrieve the CONTAINER_ID by using the docker ps command:
$ sudo docker ps
Retrieve the IP address of the container:
$ sudo docker inspect CONTAINER_ID | grep IPAddress\":
Open the container in vncviewer:
$ vncviewer CONTAINER_IP
To hear the audio associated with this container, open a browser and go to the following location:
http://CONTAINER_IP:8000/firefox.ogg
Note: Do not forget to include the port in the URL. That means that you should not forget to type :8000 after the address. You can also send the address of the container to VLC to play the content in VLC. Run the following command to launch the VLC instance:
$ vlc http://CONTAINER_IP:8000/firefox.ogg
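As an added example (not part of the Fedora documentation or the isolated_firefox Dockerfile), the following Python check reads the output of docker inspect for the running container and confirms that it actually has the isolation properties listed at the top of this chapter: unprivileged, no extra capabilities, no published ports, no host devices, and only the read-only cgroup mount. The docker inspect field names are real; the two sample documents are constructed, and the FORBIDDEN paths are an assumption about what a leak would look like.

```python
import json

# Two constructed `docker inspect CONTAINER_ID` outputs, trimmed to the fields the
# audit reads (not captured from real containers). GOOD matches the `docker run`
# invocation above; BAD is a hypothetical run that leaks the X11 socket and sound.
GOOD = json.dumps([{
    "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup", "RW": False}],
    "HostConfig": {"Privileged": False, "CapAdd": None, "PortBindings": {},
                   "Devices": []},
    "NetworkSettings": {"IPAddress": "172.17.0.2"}}])
BAD = json.dumps([{
    "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup", "RW": True},
               {"Source": "/tmp/.X11-unix", "Destination": "/tmp/.X11-unix", "RW": True}],
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                   "PortBindings": {"5900/tcp": [{"HostIp": "", "HostPort": "5900"}]},
                   "Devices": [{"PathOnHost": "/dev/snd", "PathInContainer": "/dev/snd"}]},
    "NetworkSettings": {"IPAddress": "172.17.0.3"}}])

# Host paths that must never be mounted in (assumed list): they would hand Firefox
# the X11 clipboard/events or sound hardware this chapter keeps isolated.
FORBIDDEN = ("/tmp/.X11-unix", "/dev/snd", "/var/run/docker.sock")

def audit_firefox_container(inspect_output):
    # Return findings; an empty list means the container matches the properties above.
    info = json.loads(inspect_output)[0]
    hc = info["HostConfig"]
    findings = []
    if hc.get("Privileged"):
        findings.append("container runs privileged")
    for cap in hc.get("CapAdd") or []:
        findings.append("extra capability added: " + cap)
    for port in hc.get("PortBindings") or {}:
        findings.append("port published to the host: " + port)
    for dev in hc.get("Devices") or []:
        findings.append("host device passed through: " + dev["PathOnHost"])
    for m in info.get("Mounts", []):
        src = m["Source"]
        if any(src.startswith(p) for p in FORBIDDEN):
            findings.append("host path mounted into container: " + src)
        elif src == "/sys/fs/cgroup" and m.get("RW", True):
            findings.append("/sys/fs/cgroup is mounted read-write, expected :ro")
        elif src != "/sys/fs/cgroup":
            findings.append("unexpected host mount: " + src)
    return findings

def container_ip(inspect_output):
    # The address to give vncviewer and the :8000 audio URL.
    return json.loads(inspect_output)[0]["NetworkSettings"]["IPAddress"]
```

On a real host, feed it `sudo docker inspect CONTAINER_ID` and treat any finding as a reason to stop the container and revisit the run command.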