Running docker-osx with unprivileged container user #145

Open
opened 2025-12-28 23:26:10 +01:00 by adam · 3 comments

Originally created by @mviereck on GitHub (Mar 18, 2021).

Coming from https://github.com/mviereck/x11docker/issues/331, we might continue the discussion here on how docker-osx could be improved to integrate better with x11docker.

I am citing myself:

@sickcodes
Some improvements could be done within docker-osx:
Especially of interest is to allow an entirely unprivileged container user. Can be tested with `docker run --cap-drop=all --security-opt=no-new-privileges [...]`. Steps needed:

  • Avoid `sudo`
  • Use `--group-add kvm --group-add audio` instead of `chown [...] /dev/kvm /dev/snd`.
  • Set up an [unprivileged sshd](https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user).

Working x11docker commands so far:

  • This command runs with an entirely unprivileged container user (with x11docker's default `--cap-drop=ALL --security-opt=no-new-privileges`):
    ```
    x11docker --share /dev/kvm --group-add kvm --alsa -- -p 50922:10022 -- sickcodes/docker-osx:latest
    ```

  • This command sets up a privileged container user allowing docker's default container capabilities (`--cap-default`) and running with container user `arch`. Otherwise failing with sshd errors:
    ```
    x11docker --share /dev/kvm --group-add kvm --user=RETAIN --cap-default --alsa -- -p 50922:10022 -- sickcodes/docker-osx:auto
    ```

You can see the generated docker command if running x11docker with option `--debug`.
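
The group-based device access suggested in the post above, as an added example that is not part of the original thread or of docker-osx/x11docker: it derives the numeric GIDs that own the host's `/dev/kvm` and sound nodes, because a group name passed to `--group-add` is looked up in the image's `/etc/group` and may not match the host's GID. The function names and the `--device` flags are assumptions; the thread itself only shows x11docker's `--share` and `--alsa`.

```shell
#!/bin/sh
# Added example: build `docker run` flags for an unprivileged container that
# reaches /dev/kvm and /dev/snd through supplementary groups, not chown/sudo.

# Emit one "--group-add <gid>" per distinct GID owning the given device nodes.
# Numeric GIDs are used so the result does not depend on the image's /etc/group.
group_add_flags() {
    seen=""
    for dev in "$@"; do
        [ -e "$dev" ] || continue            # unmatched glob or missing node
        [ -d "$dev" ] && continue            # e.g. /dev/snd/by-path (root-owned dir)
        gid=$(stat -c '%g' "$dev") || continue   # GNU stat: owning group id
        case " $seen " in
            *" $gid "*) continue ;;          # already emitted this group
        esac
        seen="$seen $gid"
        printf -- '--group-add %s ' "$gid"
    done
}

# Print the full argument list for the given image.
# Ports 50922:10022 are the ones used in the thread's x11docker commands.
unpriv_run_args() {
    image=$1
    printf -- '--cap-drop=all --security-opt=no-new-privileges '
    printf -- '--device /dev/kvm --device /dev/snd '   # assumed sharing method
    group_add_flags /dev/kvm /dev/snd/*
    printf -- '-p 50922:10022 %s\n' "$image"
}

# Usage (word splitting of the output is intended):
#   docker run $(unpriv_run_args sickcodes/docker-osx:latest)
```

If the container still cannot open `/dev/kvm`, compare the output of `id` inside the container with `stat -c '%g' /dev/kvm` on the host.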


@sickcodes commented on GitHub (Mar 18, 2021):

Thanks @mviereck I'll pump this out in the weekend. I've wanted to increase container security for some time now.


@sickcodes commented on GitHub (Mar 21, 2022):

Implementing these today, thanks legend


@mviereck commented on GitHub (Mar 22, 2022):

I don't see new commits in your repo yet. If there are questions on this, just ask.

Reference: starred/Docker-OSX#145