running firefox in a container

I am standing here at the LinuxTag 2010 event, so if you are in Berlin this week come to our booth to say hello (and maybe recommend a local beer place to go).

One visitor asked me if it's possible to run Firefox inside a container (with the main purpose to browse insecure sites). Yes, it is possible, there are two ways -- using Xvnc and SSH's X forwarding. I just implemented it here (using the latter way), and want to share the experience, because there are a few rough edges here and there.

We start with the "vanilla" Fedora 12 template:
vzctl create 777 --ostemplate fedora-12-x86
vzctl start 777

Next thing to do is to make the container access the network. It can be done in different ways, here I used the NAT technique described in wiki, so I am skipping this part here. Just do not forget to set up the nameserver entry in container's /etc/resolv.conf.

At this point you already have an Internet available in container, let's check it:
vzctl exec 777 ping -c 1 openvz.org

OK, now it's time to install firefox and other needed stuff. Besides firefox itself and its dependcies, you need xauth (for ssh forwarding to work) and some fonts that firefox will use:
vzctl exec 777 yum install firefox xauth liberation\*fonts
This command will result in downloading and installing about 100 packages or so, thus it's a perfect time to enjoy some tea.

Next thing to do is to enable X forwarding inside the container:
vzctl exec 777 sed 's/^.*X11Forwarding .*$/X11Forwarding yes/'
vzctl exec 777 /etc/init.d/sshd restart

Now, set up a user account in CT to run firefox:
vzctl set 777 --userpasswd ffox:mysecpass

All right, time to actually run firefox. But first make sure you do not have it runnng locally, because if you do, remote firefox will just open up a new window of your already running firefox instance. So,
killall -TERM firefox
ssh -Y x.x.x.x dbus-launch firefox

Oh yes, we need dbus-launch here because otherwise firefox complains that it is not able to find machine uuid or something -- apparently nowdays Firefox can't be happy without dbus.

That's pretty much it. Enjoy.



Jun. 10th, 2010 03:32 pm (UTC)
GUI Containers
The method you did was a very light-weight way to access just Firefox, but what about a complete desktop environment or even multiple desktop environments with lots and lots of apps?

Kir, I'm sure you are familiar with the process but for those who might not be, I just wanted to mention that I routinely build GUI OS Templates.

I've built GUI OS Templates for Fedora 7, 8, 9, 10, 11, and 12 as well as for CentOS 4 and 5. I don't upload them to the contrib area because they are so big (about 1.5 - 2GB). As you mentioned they can be accessed via X11 tunneled through SSH or vnc.

