Kasm - Virtual Desktop / Browser Isolation
-
I would start with the outer part, which means helping the Cloudron team integrate Sysbox.
It would require a new base container image that runs with a new container runtime (sysbox) instead of the default. This is just an extra parameter in the docker run command.
$ docker run --runtime=sysbox-runc -it some-imageAll else stays the same.
In this container, you can now run Systemd, Docker, Kubernetes, etc., just like you would on a physical host or virtual machine. You can launch inner containers (and even inner privileged containers), knowing that the outer container is strongly isolated from the underlying host (via the Linux user-namespace). No more complex docker images or docker run commands, and no need for unsecure privileged containers.
@robi said in Kasm - Virtual Desktop / Browser Isolation:
I would start with the outer part, which means helping the Cloudron team integrate Sysbox.
It would require a new base container image that runs with a new container runtime (sysbox) instead of the default. This is just an extra parameter in the docker run command.
$ docker run --runtime=sysbox-runc -it some-imageAll else stays the same.
In this container, you can now run Systemd, Docker, Kubernetes, etc., just like you would on a physical host or virtual machine. You can launch inner containers (and even inner privileged containers), knowing that the outer container is strongly isolated from the underlying host (via the Linux user-namespace). No more complex docker images or docker run commands, and no need for unsecure privileged containers.
Thanks. Would this container need any modifications to enable it to run init daemons, like OpenRC, Dinit, s6, runit, SysVinit, and Upstart?
-
Kasm could be a great asset to add to Cloudron for sure.
And, if it would be easier to integrate with Sysbox first on Cloudron, be it known as well that Docker has acquired Sysbox in May 2022. -
I have a VPS running Kasm.
Works very well. But I only use it occasionally so would be great to have it on Cloudron, and I can get rid of a VPS.
Slightly tricky install depending on what version of Ubuntu it runs on and whether it supports some library. But other than that, very nice. -
Yes its a good application but very resource intensive workspace so i hosted it separately but their was a proxy issue and was not working so for the timebeing i used nginx proxy manager but @girish released a patch in the last update 7.60. Now all is good and i am using it withing cloudron and also used cloudron ODIC integration it was long weekend night but well spent.
-
Yes its a good application but very resource intensive workspace so i hosted it separately but their was a proxy issue and was not working so for the timebeing i used nginx proxy manager but @girish released a patch in the last update 7.60. Now all is good and i am using it withing cloudron and also used cloudron ODIC integration it was long weekend night but well spent.
@DualOSWinWiz have any specific docs that would save us some time that you could share?
-
@DualOSWinWiz have any specific docs that would save us some time that you could share?
@plusone-nick What type of infrastructure you have? On site or in cloud?
-
@plusone-nick What type of infrastructure you have? On site or in cloud?
-
@DualOSWinWiz both
@plusone-nick do you a repo for Kam on Cloudron that you can share ?
-
@plusone-nick do you a repo for Kam on Cloudron that you can share ?
@timconsidine nope sorry never dug into it too much
-
@savity As much as i would love to see this or even something similar on Cloudron I don't believe there is any current development happening so i would not get hopes up. Going to have to find another implementation solution for this ONE for now...
-
I use Kasm and I like it, but I would describe it as a βslippery slopeβ.
It can be a resource hog if you have multiple workspaces running. Maybe if itβs just one solo user running only one workspace at a time, itβs viable from resources point of view on a Cloudron host.
But if you have one user running multiple workspaces or multiple users, it quickly merits being on its own VPS (which is how I have deployed it).
So yes, concept Kasm on Cloudron is appealing, in practice better to deploy separately, so packaging work for Cloudron maybe not realistic application of effort. -
Yes, I would see the resource usage as a critical topic here. I think it is easier to run https://forum.cloudron.io/topic/7380/webtop-dockerised-linux-desktop-in-a-browser?_=1718484389586 in a container and then add cloudron proxy auth infront of it. webtop uses the same project (kasmvnc) for the rendering in the browser. this is then essentially single user, but you can repeat the container part multiple times for different users.
-
BTW I have built something similar with Apache Guacamole (on the app store) and a local Ubuntu XFCE Docker. Although not recommended, if you configure the network for such Docker correctly, you should have no interference with Cloudron.
If anyone is interested, I can put up a guide (and if staff doesnβt disagree) -
@robi said in Kasm - Virtual Desktop / Browser Isolation:
I would start with the outer part, which means helping the Cloudron team integrate Sysbox.
It would require a new base container image that runs with a new container runtime (sysbox) instead of the default. This is just an extra parameter in the docker run command.
$ docker run --runtime=sysbox-runc -it some-imageAll else stays the same.
In this container, you can now run Systemd, Docker, Kubernetes, etc., just like you would on a physical host or virtual machine. You can launch inner containers (and even inner privileged containers), knowing that the outer container is strongly isolated from the underlying host (via the Linux user-namespace). No more complex docker images or docker run commands, and no need for unsecure privileged containers.
Thanks. Would this container need any modifications to enable it to run init daemons, like OpenRC, Dinit, s6, runit, SysVinit, and Upstart?
@LoudLemur said in Kasm - Virtual Desktop / Browser Isolation:
@robi said in Kasm - Virtual Desktop / Browser Isolation:
...
Thanks. Would this container need any modifications to enable it to run init daemons, like OpenRC, Dinit, s6, runit, SysVinit, and Upstart?No, other than installing the init services. That's why it's a new, different or user supplied (docker) base image that already has these installed.
Very flexible once you escape the regular docker runc limitations.
You can run an entirely different distro if you want to.
-
I have Kasm running behind a Cloudron reverse proxy and connected to Cloudron's OIDC directory for user authentication. It was pretty straightforward to set up, but if anyone wants/needs a written guide, I am happy to do so.
