  • Stars: 157
  • Rank: 238,399 (Top 5 %)
  • Language: Shell
  • License: MIT License
  • Created almost 11 years ago
  • Updated over 10 years ago

Repository Details

Run Google Chrome inside an isolated Docker container on your Linux desktop! See its sights via X11 forwarding! Hear its sounds through the magic of PulseAudio and SSH tunnels!

Docker! Chrome! PulseAudio!

Instructions

  1. Install PulseAudio Preferences. Debian/Ubuntu users can do this:

     sudo apt-get install paprefs
    
  2. Launch PulseAudio Preferences, go to the "Network Server" tab, and check the "Enable network access to local sound devices" checkbox

  3. Restart PulseAudio

     sudo service pulseaudio restart
    

    On some distributions, it may be necessary to completely restart your computer. You can confirm that the settings have successfully been applied using the pax11publish command. You should see something like this (the important part is the tcp: and tcp6: entries on port 4713, which show that network access is enabled):

    Server: {ShortAlphanumericString}unix:/run/user/1000/pulse/native tcp:YourHostname:4713 tcp6:YourHostname:4713

    Cookie: ReallyLongAlphanumericString

  4. Install Docker if you haven't already

  5. Clone this repository and get right in there

     git clone https://github.com/jlund/docker-chrome-pulseaudio.git && cd docker-chrome-pulseaudio
    
  6. Generate an SSH public key, if you don't already have one

     ssh-keygen
    
  7. Copy your SSH public key into place

     cp ~/.ssh/id_rsa.pub .
    
  8. Build the container

     sudo docker build -t chrome .
    
  9. Create an entry in your .ssh/config file for easy access. It should look like this:

     Host docker-chrome
       User      chrome
       Port      2222
       HostName  127.0.0.1
       RemoteForward 64713 localhost:4713
       ForwardX11 yes
    
  10. Run the container and forward the appropriate ports

     sudo docker run -d -p 127.0.0.1:2222:22 chrome
    
  11. Connect via SSH and launch Chrome using the provided PulseAudio wrapper script

     ssh docker-chrome chrome-pulseaudio-forward
    
  12. Go watch Hulu, or whatever
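
The two checks that matter most in the steps above, as an added example that is not part of the repository: confirming from pax11publish output that PulseAudio advertises a TCP server on port 4713 (step 3), and confirming that a docker -p spec pins the container's SSH port to loopback as in step 10. The function names are hypothetical, and the sample text is the README's own illustrative output.

```shell
#!/bin/sh
# Added example (not from the repository). Function names are hypothetical.

# Sample pax11publish output, copied from the README's illustrative text.
SAMPLE='Server: {ShortAlphanumericString}unix:/run/user/1000/pulse/native tcp:YourHostname:4713 tcp6:YourHostname:4713
Cookie: ReallyLongAlphanumericString'

# Read pax11publish output on stdin and print the port of every
# tcp:/tcp6: endpoint found on the "Server:" line, one per line.
pulse_tcp_ports() {
    sed -n 's/^[[:space:]]*Server:[[:space:]]*//p' | tr ' ' '\n' |
        sed -n -e 's/^{[^}]*}//' -e 's/^tcp6\{0,1\}:.*:\([0-9][0-9]*\)$/\1/p'
}

# $1 = pax11publish output, $2 = expected port (default 4713).
# Succeeds only if a TCP endpoint on that port is advertised.
pulse_network_enabled() {
    printf '%s\n' "$1" | pulse_tcp_ports | grep -qx "${2:-4713}"
}

# $1 = a docker "-p" publish spec. Succeeds only if the host side is
# pinned to a loopback address. A spec with no IP, such as "2222:22",
# publishes the container's sshd on every host interface.
publish_is_loopback() {
    case "$1" in
        127.*:*:*|'[::1]':*:*) return 0 ;;
        *) return 1 ;;
    esac
}

if pulse_network_enabled "$SAMPLE"; then
    echo "PulseAudio advertises a TCP server on port 4713"
else
    echo "No TCP server on 4713: recheck steps 2 and 3"
fi

for spec in 127.0.0.1:2222:22 2222:22; do
    if publish_is_loopback "$spec"; then
        echo "$spec: container sshd reachable from this host only"
    else
        echo "$spec: container sshd reachable from other hosts"
    fi
done
```

On a real desktop, pass the live output instead of the sample: pulse_network_enabled "$(pax11publish)".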

Frequently Asked Questions

Why would I want to do this?

Sometimes you absolutely need to look at a website that uses Flash even though Flash is basically the worst thing ever in every possible regard. This lets you run Flash on Linux in a compartmentalized fashion and reduces the risk that one of its never-ending security vulnerabilities will affect your precious files or other processes. Docker and LXC will be on your side and they both love you very much.

How does it perform?

Flawlessly. Playing HD video from The Daily Show is no problem at all. Spotify's web interface works perfectly. Your favorite restaurant's Flash-only website will cower before you in fear and quickly reveal all of its secrets.

Why wouldn't I just install Google Chrome directly?

You certainly can, but it's an enormous package with an even bigger set of dependencies. It's also closed source. Oh, and it bundles Flash into its binary. Installing Chrome directly is like inviting a really cool guy over to your house when you know that he is definitely going to bring his friend with leprosy.

Why do you disable Chrome's sandbox using the --no-sandbox flag?

Chrome does a bunch of crazy stuff using SUID wrappers and several other techniques to try to keep Flash under control and to enhance its own internal security. Unfortunately, these techniques don't work inside a Docker container unless the container is run with the -privileged flag. So what's the problem with that? Well, here's what Docker's documentation has to say about it:

The -privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

It sounds like a decidedly awful idea to give Chrome and Flash the ability to do "almost everything that the host can do." And even though it makes my inner Xzibit very sad, we are not running Docker inside of Docker. If you disagree with this choice, feel free to run the container with Docker's -privileged flag enabled and to strip the --no-sandbox flag from the launch wrapper in the Dockerfile. This will remove the "You are using an unsupported command-line flag..." warning that otherwise appears every time you start Chrome.

Author Information

You can find me on Twitter if you are so inclined. I also occasionally blog at MissingM.
