
[Docker for Windows] I tried transferring the Chromium window and sound on the container to the host OS


This article is an automatic translation of the article [9e42bfa668c381f9af23] below.
https://qiita.com/speaktech/items/9e42bfa668c381f9af23

What I did

I started Chromium in a container on Docker for Windows and transferred Chromium windows and sounds to my host OS, Windows 10.

We transferred windows and sounds from Chromium on the container in the following way.

- Window transfer: **X Window System (X11)**
- Sound transfer: **PulseAudio**

Conceptual diagram

[Figure: conceptual diagram]

Operating environment

- Windows 10 Pro version 1803, build 17134.706
- Docker Desktop version 2.0.0.3 (31259), build: 8858db3
- Docker Engine version 18.09.2, build 6247962

Procedure

1. Preparation on host OS (Windows 10) side

1.1. Introducing X11 Server

1.1.1. Installation of X11 Server

Install X11 Server on Windows 10 to receive windows on the container.
Here, we use VcXsrv as the X11 server. For installation, please see the site I used as a reference, listed below. (Sorry for simply handing this off.)

- VcXsrv download site
- The site I referred to when installing VcXsrv: "Install X server on WSL to realize GUI (VcXsrv edition)"

1.1.2. Start the X11 Server

Start VcXsrv from "XLaunch" on the desktop. (It is fine to click [Next] on every screen and then [Finish].)
If the VcXsrv icon is displayed in the task tray, it is running.

1.2. Introducing PulseAudio for Windows

1.2.1. Installing PulseAudio for Windows

Download the zip file by selecting "zipfile containing preview binaries" on the PulseAudio on Windows download site, and unzip it to an arbitrary location.

1.2.2. Settings for PulseAudio for Windows

- Edit "etc\pulse\default.pa"

| Line | Before change | After change |
|---|---|---|
| 42 | load-module module-waveout sink_name=output source_name=input | load-module module-waveout sink_name=output source_name=input **record=0** |
| 61 | **#**load-module module-native-protocol-tcp | load-module module-native-protocol-tcp **auth-ip-acl=127.0.0.1** |

- Edit "etc\pulse\daemon.conf"

| Line | Before change | After change |
|---|---|---|
| 39 | **;** exit-idle-time = 20 | exit-idle-time = **-1** |
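The `auth-ip-acl` value on line 61 decides which clients may use the PulseAudio TCP port without a cookie, so it is worth checking after editing. The following is an added example, not part of the original article: a small audit of `default.pa` that reports any `module-native-protocol-tcp` line that enables `auth-anonymous` or lists a non-loopback address in `auth-ip-acl`. The function names and the sample excerpt are constructed for illustration.

```python
import ipaddress

# Constructed excerpt of etc\pulse\default.pa with the two edits described above.
SAMPLE_DEFAULT_PA = """\
load-module module-waveout sink_name=output source_name=input record=0
#load-module module-esound-protocol-tcp
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
"""

TRUTHY = {"1", "y", "t", "yes", "true", "on"}

def tcp_module_args(text):
    """Yield the key=value arguments of each active module-native-protocol-tcp line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out modules
            continue
        parts = line.split()
        if parts[:2] == ["load-module", "module-native-protocol-tcp"]:
            yield dict(p.split("=", 1) for p in parts[2:] if "=" in p)

def audit(text):
    """Return findings; an empty list means only loopback clients skip authentication."""
    findings = []
    for args in tcp_module_args(text):
        if args.get("auth-anonymous", "0").strip('"').lower() in TRUTHY:
            findings.append("auth-anonymous: every client that reaches the port is accepted")
        # auth-ip-acl is a semicolon-separated list of addresses or CIDR ranges.
        for entry in args.get("auth-ip-acl", "").strip('"').split(";"):
            if not entry:
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"auth-ip-acl entry {entry!r} is not an IP address or CIDR range")
                continue
            if not net.is_loopback:
                findings.append(f"auth-ip-acl entry {entry} trusts non-loopback clients without a cookie")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEFAULT_PA) or ["OK: TCP access is limited to loopback"]:
        print(finding)
```
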

1.2.3. Launch PulseAudio for Windows

Place the following batch file in the same directory level as the unzipped "pulseaudio-1.1" folder and run it.

pulseaudio.bat
@echo off

cd /d %~dp0

powershell -NoProfile -Command Start-Process -WindowStyle Minimized '.\pulseaudio-1.1\bin\pulseaudio.exe'

If the command prompt window is displayed, PulseAudio is running. (You can stop it with "Ctrl + C".)
**If Windows Firewall asks for permission, allow it.**

2. Create Docker Image

2.1. X11 settings

Set the environment variable DISPLAY in Dockerfile as follows:

ENV DISPLAY=host.docker.internal:0.0

2.2. PulseAudio settings

Set the environment variable PULSE_SERVER in the Dockerfile as follows:

ENV PULSE_SERVER=tcp:host.docker.internal:4713

Also, register PulseAudio (Virtual Sound Card) as ALSA's default sound card.

{ \
echo "pcm.default pulse"; \
echo "ctl.default pulse"; \
} | tee ~chrome/.asoundrc \
&& chown -R chrome:chrome /home/chrome

2.3. Dockerfile sample

The following Dockerfile was created based on zenika/alpine-chrome.

Dockerfile
# Credit goes to Zenika (https://github.com/Zenika/alpine-chrome/blob/master/Dockerfile) 
FROM alpine:latest

# Installs latest Chromium package.
RUN echo @edge http://nl.alpinelinux.org/alpine/edge/community >> /etc/apk/repositories \
    && echo @edge http://nl.alpinelinux.org/alpine/edge/main >> /etc/apk/repositories \
    && apk add --no-cache \
    chromium@edge \
    harfbuzz@edge \
    nss@edge \
    freetype@edge \
    ttf-freefont@edge \
    mesa-gl \
    pulseaudio \
    pulseaudio-libs \
    alsa-plugins-pulse@edge \
    bash \
    && wget https://noto-website.storage.googleapis.com/pkgs/NotoSansCJKjp-hinted.zip \
    && mkdir -p /usr/share/fonts/NotoSansCJKjp \
    && unzip NotoSansCJKjp-hinted.zip -d /usr/share/fonts/NotoSansCJKjp/ \
    && chmod 644 /usr/share/fonts/NotoSansCJKjp/*.otf \
    && rm NotoSansCJKjp-hinted.zip \
    && fc-cache -fv

# Add user so we don't need --no-sandbox. 
RUN addgroup -S chrome \
    && adduser -S -G chrome chrome \
    && mkdir -p /home/chrome/Downloads \
    && { \
    echo "pcm.default pulse"; \
    echo "ctl.default pulse"; \
    } | tee /home/chrome/.asoundrc \
    && chown -R chrome:chrome /home/chrome

# Run Chrome as non-privileged
USER chrome
WORKDIR /home/chrome

ENV CHROME_BIN=/usr/bin/chromium-browser
ENV CHROME_PATH=/usr/lib/chromium/
ENV DISPLAY=host.docker.internal:0.0
ENV PULSE_SERVER=tcp:host.docker.internal:4713

# Autorun chrome
ENTRYPOINT ["chromium-browser", "--disable-gpu", "--disable-software-rasterizer", "--disable-dev-shm-usage"]

2.4. Build

docker build -t speaktech/secure-browser:1.0 .

3. Execution of container

Following the guidance of zenika/alpine-chrome, download the seccomp profile (chrome.json) so that Chromium's sandbox function can be used with limited privileges, then run the container with that profile.

Invoke-WebRequest -Uri https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -OutFile chrome.json

docker run -it --rm --security-opt seccomp=$(pwd)/chrome.json speaktech/secure-browser:1.0

When you run the container, Chromium starts on Windows 10. If you can confirm on YouTube or a similar site that the audio is transferred to Windows 10, you're done.

4. Finally: why I decided to do this

I wondered whether a secure browser environment could be provided by having a container handle access to the Internet, so I tried it.
Every time the browser is closed, the container is deleted, so the risk of information leakage after a virus infection is reduced.
In addition, by using Windows Firewall to limit communication from containers to only window/sound transfer, we believe that the risk of virus infection of the host OS can be reduced.

The drawback is that the sound is slightly out of sync, because the window and the sound are transferred asynchronously. (**Personally, I find it within the acceptable range.**)

I will conclude with my strong impression that "I feel that I can browse various sites more safely now."
Thank you for reading to the end.
