Chapter 5. Locked-down, secure Firefox in a container
This section explains how to deploy a secure container that runs Firefox. This container gives you an instance of Firefox, containerized, with the following features:
- Completely unprivileged - needs no extra SELinux tweaking
- Only the list of cgroups is passed into the container from the host
- No port redirection because the container is available only to the host
- No X11 clipboard events or X events shared with your real host
- No shared sound hardware
- Everything runs with normal, non-elevated user permissions except for systemd (and systemd runs only to reap the other processes)
- Unsynced sound, Flash, and interactivity
Running Firefox Securely in a Container
Retrieve the base image that we use to build this container:
$ curl -o Fedora-Docker-Base-22-20150521.x86_64.tar.xz -L https://download.fedoraproject.org/pub/fedora/linux/releases/22/Docker/x86_64/Fedora-Docker-Base-22-20150521.x86_64.tar.xz
Load the base image you just downloaded into the local Docker registry:
$ sudo docker load < Fedora-Docker-Base-22-20150521.x86_64.tar.xz
Create a directory to hold the Dockerfile that will map out this container:
$ mkdir -p isolated_firefox
Retrieve the Dockerfile by using this curl command:
$ curl -o isolated_firefox/Dockerfile -L http://pastebin.com/raw.php?i=cgYXQvJu
Build the container image and tag it isolated_firefox (the build context is the directory holding the Dockerfile):
$ sudo docker build -t isolated_firefox isolated_firefox
Run the container:
$ sudo docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro isolated_firefox
Retrieve the CONTAINER_ID by using the docker ps command:
$ sudo docker ps
Retrieve the IP address of the container:
$ sudo docker inspect CONTAINER_ID | grep IPAddress\":
Open the container in vncviewer:
$ vncviewer CONTAINER_IP
To hear the audio associated with this container, open a browser and go to the following location:
http://CONTAINER_IP:8000/firefox.ogg
Note: Do not forget to include the port in the URL. That means that you should not forget to type :8000 after the URL. You can also send the address of the container to VLC to play the content in VLC. Run the following command to launch the VLC instance:
$ vlc http://CONTAINER_IP:8000/firefox.ogg
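The isolation properties listed at the top of this chapter can be checked against a running container rather than taken on trust. The following script is an added example, not part of the Red Hat procedure: it parses the JSON that `sudo docker inspect CONTAINER_ID` prints, confirms the container is unprivileged, publishes no ports and maps only /sys/fs/cgroup (read-only) from the host, and extracts the IP address for vncviewer. It assumes the HostConfig, Mounts and NetworkSettings field layout of docker inspect; the embedded sample JSON is constructed so the script runs offline.

```python
"""Audit an isolated_firefox container against the isolation claims above."""
import json
import subprocess
import sys

# The only host path the `docker run -v ...` step above maps into the container.
ALLOWED_MOUNTS = {"/sys/fs/cgroup"}


def audit(inspect_output):
    """Return (findings, ip) for the first container in docker-inspect JSON.

    An empty findings list means every property the chapter claims holds.
    """
    data = json.loads(inspect_output)[0]
    host = data.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("container runs privileged")
    if host.get("CapAdd"):
        findings.append("extra capabilities added: %s" % ", ".join(host["CapAdd"]))
    if host.get("PortBindings"):
        findings.append("ports published to the host: %s" % ", ".join(host["PortBindings"]))
    for mount in data.get("Mounts") or []:
        src = mount.get("Source")
        if src not in ALLOWED_MOUNTS:
            findings.append("unexpected host mount: %s" % src)
        elif mount.get("RW", True):
            findings.append("%s is mounted read-write, expected :ro" % src)
    ip = (data.get("NetworkSettings") or {}).get("IPAddress", "")
    return findings, ip


def main(container_id):
    """Inspect a live container (needs docker) and print the audit result."""
    out = subprocess.check_output(["sudo", "docker", "inspect", container_id])
    findings, ip = audit(out.decode())
    print("vncviewer %s" % ip)
    for line in findings:
        print("FINDING:", line)
    return 1 if findings else 0


# Constructed sample resembling docker inspect output for the run command above.
SAMPLE = json.dumps([{
    "HostConfig": {"Privileged": False, "CapAdd": None, "PortBindings": {}},
    "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup", "RW": False}],
    "NetworkSettings": {"IPAddress": "172.17.0.2"},
}])

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) > 1 else print(audit(SAMPLE)))
```

Run it with the CONTAINER_ID from docker ps to audit the live container; with no argument it audits the constructed sample.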