add new container env vars and hardening setup bookworm#93
Because NVIDIA never does it correctly, we have to do this ourselves.

- NVIDIA doesn't provide DRI3 support
- NVIDIA never fixes this issue properly
- NVIDIA likes to do things their own way
- Top 3 public clouds are obsessed with NVIDIA, so we have no choice but to support it

Ported from: https://github.com/selkies-project/docker-selkies-egl-desktop/blob/8dd03fba2a33ac774d61f46375a19ed1d9c5b51a/Dockerfile#L248-L264
I am a bot, here are the test results for this PR:
fix: nvidia-container-toolkit missing files when mounting to Docker
Is the plan to add the readme stuff to https://github.com/linuxserver/docker-jenkins-builder/blob/master/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 for the downstream images?

Yeah down the line but just base docs for now, let it get fully fleshed out.
Fixes many bugs and adds many new environment variables:

Dashboard

- `DASHBOARD` - allows the user to set their dashboard from current options `selkies-dashboard`, `selkies-dashboard-zinc`, `selkies-dashboard-wish`.

File path

- `FILE_MANAGER_PATH` - modifies the default upload/download file path

Meta Tags

- `HARDEN_DESKTOP` - enables `DISABLE_OPEN_TOOLS`, `DISABLE_SUDO`, `DISABLE_TERMINALS` if unset by user; app settings `SELKIES_FILE_TRANSFERS`, `SELKIES_COMMAND_ENABLED`, `SELKIES_UI_SIDEBAR_SHOW_FILES`, `SELKIES_UI_SIDEBAR_SHOW_APPS`
- `HARDEN_OPENBOX` - enables `DISABLE_CLOSE_BUTTON`, `DISABLE_MOUSE_BUTTONS`, `HARDEN_KEYBINDS` and flags `RESTART_APP` if unset by user, as the app needs to be auto restarted without any kind of launch ability.

Hardening env vars

- `DISABLE_OPEN_TOOLS` - If set, disables `xdg-open` and `exo-open` binaries by removing their execute permissions.
- `DISABLE_SUDO` - If set, disables the `sudo` command by removing its execute permissions and invalidating the passwordless sudo configuration.
- `DISABLE_TERMINALS` - If set, disables common terminal emulators by removing their execute permissions and hiding them from the Openbox right-click menu.
- `DISABLE_CLOSE_BUTTON` - If set, removes the close button from window title bars in the Openbox window manager.
- `DISABLE_MOUSE_BUTTONS` - If set, disables the right-click and middle-click context menus and actions within the Openbox window manager.
- `HARDEN_KEYBINDS` - If set, disables default Openbox keybinds that can bypass other hardening options (e.g., `Alt+F4` to close windows, `Alt+Escape` to show the root menu).
- `RESTART_APP` - If set, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering.

This allows single app containers to be locked to the app; when passing e.g. `-e HARDEN_DESKTOP=true` and `-e HARDEN_OPENBOX=true` to a container, it becomes a single app instance where the client really cannot change anything about the container, just stay in the app sandbox.

example:

This all depends on the app but stuff like chromium uses xdg-open to open files or file managers so it really is isolated down to its base function and cannot spin up random bins from its file:// url scheme. Even extensions would be forced to use that standardized api as far as I understand it.
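As an added example (not the project's own init script), the following sketches the `HARDEN_DESKTOP` meta-toggle precedence and the execute-bit removal described above. It assumes a `ROOT` prefix (empty on a real container) so the logic can be exercised against a scratch tree, that a toggle counts as set when it is non-empty and not `false`, and that the passwordless rule lives in `/etc/sudoers.d/abc`; the terminal list is illustrative.

```shell
#!/bin/sh
# Added example, not the project's own init script: HARDEN_DESKTOP precedence
# and binary-disabling logic. Assumptions: ROOT is a path prefix (empty on a
# live container) so the logic can run against a scratch tree; a toggle is
# "set" when non-empty and not "false"; the NOPASSWD rule is /etc/sudoers.d/abc.

# enabled VALUE -> succeeds when VALUE turns a toggle on
enabled() {
  [ -n "$1" ] && [ "$1" != "false" ]
}

# disable_bins PATH... -> strip all execute bits from each path that exists
disable_bins() {
  for bin in "$@"; do
    if [ -e "${ROOT}${bin}" ]; then
      chmod a-x "${ROOT}${bin}"
    fi
  done
  return 0
}

apply_hardening() {
  # Meta toggle: fill in the three child toggles only where the user left
  # them unset, so an explicit DISABLE_SUDO=false is still honoured.
  if enabled "${HARDEN_DESKTOP:-}"; then
    : "${DISABLE_OPEN_TOOLS:=true}"
    : "${DISABLE_SUDO:=true}"
    : "${DISABLE_TERMINALS:=true}"
  fi
  if enabled "${DISABLE_OPEN_TOOLS:-}"; then
    disable_bins /usr/bin/xdg-open /usr/bin/exo-open
  fi
  if enabled "${DISABLE_SUDO:-}"; then
    disable_bins /usr/bin/sudo
    # Also drop the NOPASSWD rule (assumed path) so restoring the execute
    # bit alone does not bring passwordless sudo back.
    rm -f "${ROOT}/etc/sudoers.d/abc"
  fi
  if enabled "${DISABLE_TERMINALS:-}"; then
    # Illustrative list of common emulators; the real set is image-specific.
    disable_bins /usr/bin/xterm /usr/bin/xfce4-terminal /usr/bin/lxterminal
  fi
  return 0
}
```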