Kasm - Virtual Desktop / Browser Isolation
-
@robi No, I can see how it can load desktops and such - it's the way the server backend is installed - using multiple different containers that one app can't use on its own without Cloudron adding a new "addon"
-
@murgero this sounds like a perfect use case for Sysbox.
That way a full machine image can be installed with Kasm to have access and control over all the containers.
Docker in docker, the outer one managed by Cloudron, the inner one by Kasm.
-
@robi Kasm already supports full desktops in docker - or it at least gives the illusion of it.
-
@murgero I am aware
hence my comment.
if you want to split the bounty on this one, I'll help with Sysbox.
-
@robi I'd love to - I just don't know where to start tbh
-
I would start with the outer part, which means helping the Cloudron team integrate Sysbox.
It would require a new base container image that runs with a new container runtime (sysbox) instead of the default. This is just an extra parameter in the docker run command.
$ docker run --runtime=sysbox-runc -it some-image
All else stays the same.
In this container, you can now run Systemd, Docker, Kubernetes, etc., just like you would on a physical host or virtual machine. You can launch inner containers (and even inner privileged containers), knowing that the outer container is strongly isolated from the underlying host (via the Linux user-namespace). No more complex docker images or docker run commands, and no need for insecure privileged containers.
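Added example (not from this thread, nor from Sysbox, Kasm or Cloudron): a small POSIX shell script that composes the outer `docker run` described above with the `--runtime=sysbox-runc` flag, and then checks that the started container really runs under that runtime and inside a user namespace. The image name `example/kasm-system-image`, the container name `kasm-outer` and the `-d` (detached) flag are assumptions; the `docker inspect` format key `HostConfig.Runtime` and the `/proc/self/uid_map` layout are standard Docker and Linux behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sysbox/Cloudron/Kasm.
# Launch a container under the sysbox-runc runtime and verify that it is
# actually isolated by a user namespace before handing it to Kasm.
set -eu

RUNTIME="${RUNTIME:-sysbox-runc}"
IMAGE="${IMAGE:-example/kasm-system-image}"   # assumed placeholder image
NAME="${NAME:-kasm-outer}"                     # assumed container name

# Compose the docker run command: the only change from a stock run is the
# --runtime flag. Returned as a string so it can be reviewed or dry-run.
outer_run_cmd() {
  printf 'docker run --runtime=%s -d --name %s %s\n' "$1" "$2" "$3"
}

# /proc/self/uid_map lines read "<uid inside> <uid on host> <count>".
# "0 0 4294967295" means the container shares the host uid space, i.e. no
# user namespace; anything else means uids are remapped.
uid_map_is_remapped() {
  # $1: content of /proc/self/uid_map as read inside the container
  set -- $(printf '%s' "$1" | head -n 1)
  [ "$#" -eq 3 ] || return 1
  if [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]; then
    return 1
  fi
  return 0
}

# Check a running container: correct runtime and a remapped uid_map.
verify_running_container() {
  rt=$(docker inspect --format '{{.HostConfig.Runtime}}' "$1")
  [ "$rt" = "$RUNTIME" ] || { echo "runtime is $rt, expected $RUNTIME" >&2; return 1; }
  map=$(docker exec "$1" cat /proc/self/uid_map)
  uid_map_is_remapped "$map" || { echo "$1 is not in a user namespace" >&2; return 1; }
  echo "ok: $1 runs under $RUNTIME, uid_map: $map"
}

# Usage: RUNTIME=sysbox-runc IMAGE=<image> ./check-sysbox.sh --run
if [ "${1:-}" = "--run" ]; then
  eval "$(outer_run_cmd "$RUNTIME" "$NAME" "$IMAGE")"
  verify_running_container "$NAME"
fi
```

The uid_map check is the part worth keeping: a container that was started with the default runtime by mistake still inspects as "running", but its uid_map shows the identity mapping, which is exactly the case where an inner privileged container would reach the host.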
-
@robi It would be more ideal to get the Kasm devs to also give a build not reliant on docker - so we can dockerize it ourselves, or at least I would think that way anyway.
Sysbox is pretty cool but I'm sure that would require a complete overhaul of current code?
-
I am going to disagree here. The docker solution is elegant and doesn't pollute the filesystem with lots of X libraries and other junk.
In fact the sysbox-runc is more secure than the current one, hence if Cloudron decided to use it, all it would take is a one parameter addition.
--runtime=sysbox-runc
no overhaul required.
-
@robi Oh wow - if that's the case then it definitely is at least worth more research and discussion.
-