VNC Automated Image & Cloud Security #117

Closed
opened 2025-12-28 23:25:06 +01:00 by adam · 6 comments
Owner

Originally created by @sickcodes on GitHub (Feb 8, 2021).

Yesterday I prepared an image for hub.docker.com for the VNC image. Just before pushing the image, I was reminded as to why I did not include that image in the first place: using the VNC image securely.

VNC images have an 8 character password that unlocks an individual's Apple ID remotely.

They also operate over an unencrypted connection, meaning all remotely accessible image traffic is sent in plaintext.

I am going to release the VNC image with instructions on SSH tunneling so users can safely use this image remotely, by first opening an SSH tunnel to their remote server and subsequently connecting to the VNC server using the internal Docker IP, rather than using the public IP of the server.

Since we've hit 50k docker pulls and Docker-OSX is a security product, end user security is a highly important topic that could undermine the integrity of the free software provided by Docker-OSX.

With that I may simply add VNC to all of the images, particularly the `:naked` ephemeral image which I use exclusively myself now on locally persistent disk images.

adam added the enhancement, documentation labels 2025-12-28 23:25:06 +01:00
adam closed this issue 2025-12-28 23:25:06 +01:00
Author
Owner

@sickcodes commented on GitHub (Feb 8, 2021):

More to the point, users who are already familiar with SSH tunneling include users who have done the following:

  • accessed an AWS server before using `ssh -i key server port:127.0.0.1:port` or sans `-i key` and storing SSH config in `~/.ssh/config`
  • used Remote Desktop with SSH tunneling connections
  • accessed remote psql servers using SSH tunneling
  • used a VPN to access private range IPs before, for example, `10.0.0.2`

More appropriately, I can write a shell file to output an RDP file locally, or via stdout, that a user can easily import into their RDP/VNC client of choice to access their server by double clicking on the file; this allows seamless importing of a Docker-OSX instance into clients like Remmina.

This would also rapidly allow users to trivially conduct Docker-OSX research via their mobile phone, tablet etc.

Author
Owner

@sickcodes commented on GitHub (Mar 4, 2021):

Here's some VNC notes for connecting to any of the normal images.

  1. Make sure you have a firewall on your server.
  2. Close port 50922 and 5999 and 5900, or just don't open them.

On the server:

```bash
# ~/.vnc/config is read by the vncserver wrapper, not by an Xvnc started directly,
# so vnc.sh passes -localhost explicitly to keep port 5999 (display :99) bound to
# 127.0.0.1; it is then only reachable through the SSH tunnel.
sudo apt update -y \
    && sudo apt install xorg openbox tigervnc-standalone-server tigervnc-common tigervnc-xorg-extension tigervnc-viewer -y \
    && mkdir -p ${HOME}/.vnc \
    && touch ~/.vnc/config \
    && tee -a ~/.vnc/config <<< 'geometry=1920x1080' \
    && tee -a ~/.vnc/config <<< 'localhost' \
    && tee -a ~/.vnc/config <<< 'alwaysshared' \
    && touch vnc.sh \
    && printf '\n%s\n' \
    'sudo rm -f /tmp/.X99-lock' \
    'export DISPLAY=:99' \
    '/usr/bin/Xvnc -localhost -geometry 1920x1080 -rfbauth "${HOME}/.vnc/passwd" :99 &' > vnc.sh \
    && tee vncpasswd_file <<< "${VNC_PASSWORD:=$(openssl rand -hex 4)}" \
    && vncpasswd -f < vncpasswd_file > ${HOME}/.vnc/passwd \
    && chmod 600 ~/.vnc/passwd \
    && sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system bridge-utils virt-manager -y \
    && sudo systemctl enable libvirtd.service \
    && sudo systemctl enable virtlogd.service \
    && echo 1 | sudo tee /sys/module/kvm/parameters/ignore_msrs \
    && sudo modprobe kvm \
    && echo 'export DISPLAY=:99' >> ~/.bashrc \
    && export DISPLAY=:99 \
    && printf '\n\n\n\n%s\n%s\n\n\n\n' '===========VNC_PASSWORD========== ' "$(<vncpasswd_file)"

# start Xvnc in the background as its own command, so the setup chain above
# (with its sudo prompts) is not itself sent to the background
nohup bash vnc.sh &

# then run whatever docker command you like from the repo.
```

On your PC

```bash
# connect remotely to your server, opening a secure SSH tunnel on port 5999 to the server.
ssh -N root@111.111.111.111 -L 5999:127.0.0.1:5999

# open VNC on your computer and connect to localhost
localhost:5999

# start vnc on reboots
echo '@reboot nohup bash vnc.sh &' | crontab
```

TIP: turn the quality down on your VNC client or it will be laggy as heck!

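The notes above rely on the firewall and on Xvnc staying on the loopback interface, so a quick way to verify that on the server is useful. The following is an added example, not code from the issue or from Docker-OSX: it reads `ss -ltnH`-style listener lines and flags any of the three ports named in this thread (5900, 5999, 50922) that are bound to a non-loopback address; the sample listener lines are constructed for the demonstration.

```bash
# Audit listening sockets for the VNC/SSH ports this thread says to keep closed.
# Input: `ss -ltnH`-style lines, e.g. "LISTEN 0 5 127.0.0.1:5999 0.0.0.0:*".
# Prints "EXPOSED <addr:port>" for each offending socket; returns 1 if any.
check_vnc_listeners() {
    local rc=0 line local_addr host port
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # 4th whitespace-separated field is Local Address:Port in ss output
        set -- $line
        local_addr=$4
        port=${local_addr##*:}
        host=${local_addr%:*}
        case "$port" in
            5900|5999|50922) ;;
            *) continue ;;
        esac
        case "$host" in
            # loopback only: reachable solely through the SSH tunnel
            127.*|'[::1]'|'::1') ;;
            # 0.0.0.0, *, [::] or a real interface address: reachable from the network
            *) echo "EXPOSED $local_addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the thread's Xvnc on 127.0.0.1:5999 (correct), a QEMU VNC
# listener wrongly bound to all interfaces on 5900, sshd, and an IPv6 loopback Xvnc.
SAMPLE_SS='LISTEN 0 5 127.0.0.1:5999 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 [::1]:5999 [::]:*'

# Runs the audit over the constructed sample; prints "EXPOSED 0.0.0.0:5900" and returns 1.
audit_sample() { printf '%s\n' "$SAMPLE_SS" | check_vnc_listeners; }

# Live use on the server (iproute2): ss -ltnH | check_vnc_listeners
```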
Author
Owner

@JamesCullum commented on GitHub (Mar 10, 2021):

It would be great to have an image with VNC preinstalled.
Regarding your security worries - I think most users will run the container locally and don't need to worry about either.
For the server, the port would only be exposed if the user actively opens it up, as this is currently not documented.
Writing a note on the instructions about the dangers of an insecure VNC connection should be sufficient (or don't mention it and write it a bit more hidden, so that people do it less by accident).

Author
Owner

@sickcodes commented on GitHub (Mar 10, 2021):

This is a better version of the existing VNC dockerfile because you can use any image. I am not updating the VNC one currently because all of the other images support VNC anyway:

```bash
# on the remote server
# ~/.vnc/config is read by the vncserver wrapper, not by an Xvnc started directly,
# so vnc.sh passes -localhost explicitly to keep port 5999 (display :99) bound to
# 127.0.0.1; it is then only reachable through the SSH tunnel.
sudo apt update -y \
    && sudo apt install xorg openbox tigervnc-standalone-server tigervnc-common tigervnc-xorg-extension tigervnc-viewer -y \
    && mkdir -p ${HOME}/.vnc \
    && touch ~/.vnc/config \
    && tee -a ~/.vnc/config <<< 'geometry=1920x1080' \
    && tee -a ~/.vnc/config <<< 'localhost' \
    && tee -a ~/.vnc/config <<< 'alwaysshared' \
    && touch vnc.sh \
    && printf '\n%s\n' \
    'sudo rm -f /tmp/.X99-lock' \
    'export DISPLAY=:99' \
    '/usr/bin/Xvnc -localhost -geometry 1920x1080 -rfbauth "${HOME}/.vnc/passwd" :99 &' > vnc.sh \
    && tee vncpasswd_file <<< "${VNC_PASSWORD:=$(openssl rand -hex 4)}" \
    && vncpasswd -f < vncpasswd_file > ${HOME}/.vnc/passwd \
    && chmod 600 ~/.vnc/passwd \
    && sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system bridge-utils virt-manager -y \
    && sudo systemctl enable libvirtd.service \
    && sudo systemctl enable virtlogd.service \
    && echo 1 | sudo tee /sys/module/kvm/parameters/ignore_msrs \
    && sudo modprobe kvm \
    && echo 'export DISPLAY=:99' >> ~/.bashrc \
    && printf '\n\n\n\n%s\n%s\n\n\n\n' '===========VNC_PASSWORD========== ' "$(<vncpasswd_file)"

# start Xvnc in the background as its own command, so the setup chain above
# (with its sudo prompts) is not itself sent to the background
nohup bash vnc.sh &

export DISPLAY=:99

# then run whatever docker command you like from the repo!
```

Then on your local PC open a highly secure SSH tunnel without exposing any ports remotely to the server:

```bash
ssh -N root@xx.xx.xx.xx -L 5999:127.0.0.1:5999
```

Open VNC at `localhost:5999` using the password which will be printed above in the console of the remote host.

Author
Owner

@sickcodes commented on GitHub (Mar 10, 2021):

> It would be great to have an image with VNC preinstalled.
>
> Regarding your security worries - I think most users will run the container locally and don't need to worry about either.
>
> For the server, the port would only be exposed if the user actively opens it up, as this is currently not documented.
>
> Writing a note on the instructions about the dangers of an insecure VNC connection should be sufficient (or don't mention it and write it a bit more hidden, so that people do it less by accident).

I just realized I sent the same VNC stuff twice 😂 here's the security note btw: https://github.com/sickcodes/Docker-OSX/blob/master/vnc-version/Dockerfile#L56

Not huge but it's there, I'm big on security so I'll come up with some solutions this week

Author
Owner

@sickcodes commented on GitHub (Mar 24, 2021):

Scrap all of the above, proper qemu VNC added here:

https://github.com/sickcodes/Docker-OSX#i-need-vnc-to-a-remote-host-secure

Reference: starred/Docker-OSX#117