Running Browser in a Container with LXC


Re: Running Browser in a Container with LXC

Post by user1111 »

This is a fuller version. Save it as container.sh in /root and run it from there with fd64.sfs loaded into memory.

It's what I'm running presently so does have specific tweaks, such as lockstate having been installed from gslapt, my own choice of wallpaper.png in /usr/share/backgrounds/wallpaper.png, Google Chrome installed, etc.

In the .jwmrc config near the end the key bindings are different to usual, a new set for me that I'm trying, where ctrl-space launches the main menu, alt-space launches the bookmark menu and WIN-space pressed when a window is active shows the window menu. WIN+ ... keys are also being used to control windows, such as WIN+f to fullscreen the window and WIN+tab to step between windows. Those keybindings do require that the Xephyr hostgrab is in the locked state, otherwise keybindings from the main session apply. In the tray I have an L and a U icon to show the hostgrab state, alongside the capslock and CPU temperature icons. Battery level and xload are also shown.


In the tray a right click of the date/time also shows the menu, like a menu button. Right click toggles show/hide desktop.

For closure, the script waits for it to end and tidies things up, so each/any way that it's closed results in clean closure.

No rox pinboard in that, just jwm. Contains additional scripts for playing youtubes where the url has been copied to the clipboard (avoids ads), and another for screen recording. Various config files are also contained within the script and are 'sed' out of the file as it runs, a caution there is that if a later version of those programs is installed, then the config files may be of a different format.

Basically works for me but isn't generic, your mileage will likely differ.

Also it just uses DISPLAY=:2 solely, i.e. single-container use only.

Code:

#!/bin/bash

########################## Change these as appropriate ##########################
MAIN_SFS=/aufs/pup_ro    #   Often will be able to use this, but can also use ...
#MAIN_SFS=/mnt/sda1/FATDOG811-FINAL/fd64.sfs  # Where our main fd64.sfs is stored
ROUTER_IP=192.168.100.1  #        We iptables block access to our router admin IP
SHARED=/root/shared      #    Main systems shared folder (/root/shared in Xephyr)
CONTAINER_LOC=/container # Empty or non-existent folder (as it's removed on exit)

CHANGES=/changes         #              Where aufs layered 'changes' are recorded

USE_RAM=1

                         #      Locked/unlocked host-grab (ctrl-shift) state icon
TRAYICON=notball         #   "ball" = ball tray icon, anything else = button icon

                         # I have dissenter browser installed into fd64.sfs, more
                         #              usually seamonkey is the fd64.sfs default

BROWSER="/opt/google/chrome/chrome --test-type --no-sandbox"

REDTHRESHOLD=66          #      Threshold at which tray cpu temperature turns red
                         #    My E 7010 AMD laptop typically runs at around 55 at
                         #  idle during winter months. Rises to around 65 degrees
                         #   under higher load. In its specs it indicates 90 max.
#################################################################################

# We include a number of 'files' appended at the end of the script that we sed
#    extract to where they're needed, this stores where this script is located
SCRIPTPATH=$( cd $(dirname "$0") >/dev/null 2>&1 ; pwd -P )

       #  We bind both sound/mixer and video so can use the likes of guvcview but
       # you may prefer to not include those for secure sound and video isolation

XEPHYR="-fullscreen -name Xephyr2 -dpi 144 -nolisten tcp"
MOUNTS="--mount=bind:${SHARED}:/root/shared \
        --mount=bind:/dev/video:/dev/video \
        --mount=bind:/dev/video:/dev/video0 \
        --mount=bind:/dev/video:/dev/video1 \
        --mount=bind:/dev/snd:/dev/snd \
        --mount=bind:/dev/mixer:/dev/mixer"
CAPS="--caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,\
-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,\
-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource"
PFLASK="--keepenv --no-ipcns --no-netns ${MOUNTS} ${CAPS} \
        --chroot=${CONTAINER_LOC}/top"

       #   Originally used straight ball blue and green colours for the tray .svg
       #  Now updated to use a more button like tray .svg ... used in _trayicon()
SVG_PREFIX="<svg height=\"32\" width=\"32\"><circle cx=\"16\" cy=\"16\" \
r=\"16\" stroke=\"black\" stroke-width=\"3\""
SVG_SUFFIX="/></svg>"
BLUESVG="${SVG_PREFIX} fill=\"#54F3FF\" ${SVG_SUFFIX}"
GREENSVG="${SVG_PREFIX} fill=\"#4FF40A\" ${SVG_SUFFIX}"
HOST_GRAB_TIP="Xephyr Ctrl Shift mouse/keyboard \
focus toggle. Green=(U)nlocked, Blue=(L)ocked"
HOST_GRAB_IMG="/tmp/.container-img.svg"
HG="top/tmp/.hostgrab"
CLICKMSG="Use Ctrl-shift key combination to toggle the Xephyr (containers)
mouse and keyboard focus between locked (blue) and unlocked (green)

Note that locked or unlocked makes no difference to actual security, it's just an
operational function - such as if 'locked' (blue) then alt-tab will step between
windows within the Xephyr container or if 'unlocked' (green) alt-tab will step
through the main session's windows, of which the Xephyr 'window' will be just one"
CLICK="Xdialog --title 'keyboard/mouse focus information ' \
--msgbox '${CLICKMSG}' 0 0"
REQUIRES="This script requires a number of additional programs
to have been installed (gslapt) : xclip, xdotool and wmctrl"

_screenrecorder() {
                                 # Not required, but useful screen recorder command
cat <<EOF >top/usr/bin/screenrecord
#!/bin/bash

DISP=2        # Display number, usually 0 but I run a container on :2
              # (not named DISPLAY: that is exported in the environment and the
              #  assignment would clobber it with a value lacking the colon)
X=1366        # Display X width
Y=768         # Display Y height
FRAMERATE=20  # Min of 20, 30 is a good choice

ffmpeg -video_size \${X}x\${Y} -framerate \${FRAMERATE} \\
  -f x11grab -i :\${DISP}.0+0,0 -c:v libx264rgb -crf 0 \\
  -preset ultrafast /root/screencap.mkv

EOF
chmod +x top/usr/bin/screenrecord
}
 
_ytplayer() {                                      # Again not required, but nice
cat <<EOF >top/usr/bin/ytplayer
#!/bin/bash
# bash, not sh: (( )) and \${VAR::n} below are bash-only

# MochiMoppel's youtube without ads
# https://forum.puppylinux.com/viewtopic.php?p=11388#p11388
# youtube ... right mouse to copy link location (to clipboard)
# and this script reads/plays that

BROWSER="/opt/google/chrome/chrome --no-sandbox"

YTURL=\$(xclip -o -sel clip) || YTURL=\$(xsel -b)
((\$?)) && exec Xdialog -msg "xclip or xsel not installed" x
case \$YTURL in
*youtube.com*v%3D*) VIDID=\${YTURL#*v%3D};;
  *youtube.com*v=*) VIDID=\${YTURL#*v=};;
  *youtu.be*      ) VIDID=\${YTURL#*.be/};;
  *               ) exec Xdialog -msg "Add a YouTube URL to clipboard first\n\nNot a recognized YouTube URL:\n\n\${YTURL::50}" x;;
esac
VIDID=\${VIDID::11}
exec \$BROWSER "https://www.youtube.com/embed/\$VIDID?autoplay=1"

EOF
chmod +x top/usr/bin/ytplayer
}

_locked_svg() {                             # Locked host-grab .svg icon for tray

        cat <<EOF >$HOST_GRAB_IMG
<svg height='32' width='32' viewBox='0 0 16 16'>
 <radialGradient id='rg' fx='50%' fy='50%' cx='50%' cy='50%' r='50%'>
   <stop offset='60%'   stop-color='white' stop-opacity='1'/>
   <stop offset='100%' stop-color='#00A5FF' stop-opacity='1' />
 </radialGradient>
<rect width='14' height='13' x='1' y='1' rx='2' ry='3' fill='url(#rg)'/>
<g font-size='11' font-style='normal' font-variant='normal' font-weight='bold'
font-stretch='normal' text-align='center' line-height='125%' letter-spacing='0'
word-spacing='0' text-anchor='middle' fill='darkblue' fill-opacity='1'
stroke='none' font-family='sans' dominant-baseline='central'>
<text x='50%' dy='12'>L</text>
</g>
</svg>
EOF
}

_unlocked_svg() {                                   # Unlocked .svg icon for tray

        cat <<EOF >$HOST_GRAB_IMG
<svg height='32' width='32' viewBox='0 0 16 16'>
 <radialGradient id='rg' fx='50%' fy='50%' cx='50%' cy='50%' r='50%'>
   <stop offset='60%' stop-color='#04FA17' stop-opacity='1'/>
   <stop offset='100%' stop-color='white' stop-opacity='1' />
 </radialGradient>
<rect width='14' height='13' x='1' y='1' rx='2' ry='3' fill='url(#rg)'/>
<g font-size='11' font-style='normal' font-variant='normal' font-weight='bold'
font-stretch='normal' text-align='center' line-height='125%' letter-spacing='0'
word-spacing='0' text-anchor='middle' fill='black' fill-opacity='1'
stroke='none' font-family='sans' dominant-baseline='central'>
<text x='51%' dy='12'>U</text>
</g>
</svg>
EOF
}

_tempsvg() {                                               # cpu temperature .svg

        cat <<EOF >/tmp/.temperature.svg
<svg height='32' width='32' viewBox='0 0 16 16'>
 <radialGradient id='rg' fx='50%' fy='50%' cx='50%' cy='50%' r='50%'>
   <stop offset='80%' stop-color='white' stop-opacity='1'/>
   <stop offset='100%' stop-color='$2' stop-opacity='1' />
 </radialGradient>
<rect width='14' height='13' x='1' y='1' rx='2' ry='3' fill='url(#rg)'/>
<g font-size='8' font-style='normal' font-variant='normal' font-weight='bold'
font-stretch='normal' text-align='center' line-height='125%' letter-spacing='0'
word-spacing='0' text-anchor='middle' fill='$3' fill-opacity='1' stroke='none'
font-family='sans' dominant-baseline='central'>
<text x='52%' dy='11'>$1</text>
</g>
</svg>
EOF
}

_error_exit() {

        Xdialog --title "Error" --infobox "$1" 0 0 5000
        exit 1
}

###
_find_func() {      # find function for Locate where to read cpu temperature from
        FILES="$1"
        for n in `echo $FILES`; do
            read p < $n
            if [ $? = 0 ];then
                FILE=$n                                                # found it
                break
            else
                continue                              # didn't find, search again
            fi
        done
                                  # if we get here we didn't find anything useful
}
                                    # Scan for where to read cpu temperature from
for a in `find /sys/devices/platform -type f -name 'temp*_input'|sort` \
         `find /sys/devices/pci* -type f -name 'temp*_input'|sort` \
         `find /sys/devices/virtual -type f -name 'temp'|sort`
do _find_func "$a"
        [ -z "$FILE" ] && continue || break              # if we found data break
done
CPU_TEMP=$FILE
###

_temperature() {                   # Container (DISPLAY=:2) temperature tray icon

                     # an unquoted [ -f $CPU_TEMP ] is true when the scan found
                     #    nothing (empty var), so test the variable is set too
        if [ -n "$CPU_TEMP" ] && [ -f "$CPU_TEMP" ]; then
            last=55
            _tempsvg 55 cyan black
            sit /tmp/.temperature.svg "cpu temperature" &
            PIDsittemp=$!
            while :; do
                x=$(cat $CPU_TEMP)
                x=$((x/1000))
                if [ $x -gt 1 ]; then
                    if [ $x -ne $last ];then
                        last=$x
                        [[ $x -ge $REDTHRESHOLD ]] && colour=red || colour=cyan
                        [[ $colour = "red" ]] && textcol=red || textcol=black
                        _tempsvg $x $colour $textcol
                    fi
                fi
                sleep 10
            done
        else
            Xdialog --msgbox "cpu temperature not found" 0 0
        fi
}

_startclip() {  # Clipboard manager to enable copy/paste between main & container

        cat <<EOF >/tmp/.clip
#!/bin/sh

b=\$(Xdialog --title "Container Clipboard" --radiolist "After using shift-drag \
to select text
run this dialog and select where to send that clip
Then use Middle Mouse to Paste the clip" 20 80 0 TO "send main session clip to \
containers clip" on FROM "send containers clip to main sessions clip" off 2>&1)

if [ "\$b" = "TO" ]; then
    xclip -o | DISPLAY=:2 xclip -i
else
    DISPLAY=:2 xclip -o | xclip -i
fi
EOF
        chmod +x /tmp/.clip
        sit /usr/share/pixmaps/themes/puppy48/clipboard48.png \
'Container clipboard Manager' /tmp/.clip &
        PIDsit=$!
}

_check_environment() {    # NOTE THAT DEFAULT FATDOG NEEDS OTHER THINGS INSTALLED
                          #  FROM GSLAPT (REPO) FOR THIS SCRIPT TO WORK CORRECTLY
        fail=0
        printf "Checking required programs are available\n\n"
        for C in xclip xdotool wmctrl; do
           [[ -z $(command -v "$C") ]] && echo $C no && fail=1 || echo $C yes
        done
        printf "\n"
        if [ $fail -ne 0 ]; then
            Xdialog --title Error --msgbox "$REQUIRES" 0 0
            printf "\nunable to continue, exiting\n"
            _error_exit "One or more required files are missing"
        fi
        [[ "$MAIN_SFS" != "/aufs/pup_ro" ]] && [[ ! -f $MAIN_SFS ]] && \
                                   _error_exit "Main sfs\n${MAIN_SFS}\nnot found"
}

_prepfolders() {

        [[ ! -d $SHARED ]] && mkdir $SHARED
        [[ ! -d $CONTAINER_LOC ]] && mkdir $CONTAINER_LOC
        cd $CONTAINER_LOC
        if [ -d top -o -d sfs ]; then
            umount -f top sfs;rmdir top sfs
        fi
        mkdir top sfs
        [[ ! -d $CHANGES ]] && mkdir $CHANGES
                      # Double quotes so $CHANGES expands in the grep, otherwise
                      #   a fresh tmpfs gets stacked on top of the old every run
        [[ $USE_RAM -eq 1 ]] && \
          ! mount | grep -q "tmpfs on $CHANGES type tmpfs" && \
                                                    mount -t tmpfs tmpfs $CHANGES
        if [ "$MAIN_SFS" != "/aufs/pup_ro" ]; then
            mount -r -t squashfs $MAIN_SFS sfs
            [[ $? -ne 0 ]] && _error_exit "Failed to mount sfs
maybe the container is already running?"
            mount -t aufs -o br=$CHANGES:sfs none top
        else
            mount -t aufs -o br=$CHANGES:/aufs/pup_ro none top
        fi
        [[ $? -ne 0 ]] && _error_exit "aufs layering mount failed"
                    # '[X]ephyr' so the grep doesn't count its own command line
        if [ $(ps -ef | grep -c '[X]ephyr :2') -eq 0 ]; then
            Xephyr :2 $XEPHYR &
            XEPHYR_PID=$!
        else
            _error_exit "Xephyr is already running on :2 (container already started?)"
        fi
        
        _screenrecorder
        _ytplayer
}

_fix_environment() {              # re-configure/fix the container to work better

        cp /var/lib/dbus/machine-id top/var/lib/dbus/machine-id
        cp /etc/resolv.conf top/etc/resolv.conf
                       # Link target must be a path as seen inside the chroot,
                       #                not relative to where we are on the host
        ln -sf /var/lib/dbus/machine-id top/etc/machine-id
        printf "#!/bin/sh\n\n"                                          >top/init
        printf "rm /root/.Xresources \n"                               >>top/init
        printf "ln -s /root/.Xdefaults /root/.Xresources\n"            >>top/init
        printf "Xdialog --no-buttons --title \"Please Wait\" \
--infobox \"Initialising Container ... Please wait\" 0 0 2000 &\n"     >>top/init
        printf "export PATH=$PATH:/usr/local/bin\n"                    >>top/init
        printf "touch /root/shared/.flag\n"                            >>top/init
        modprobe battery
        if [ -d /proc/acpi/battery ]; then
            results="`find /proc/acpi/battery -mindepth 1 -type d`"
            if [ ! -z "$results" ]; then # it's a laptop
                printf "vattery &\n"                                   >>top/init
            else
                rmmod battery
            fi
        fi
                      # Best not to include container script within the container
        printf "rm $0\n"                                               >>top/init
                                                                       # and init
        printf "rm /init\n"                                            >>top/init

        printf "jwm\n"                                                 >>top/init

        chmod +x top/init
        
        rm top/usr/local/bin/defaultbrowser
        printf "#!/bin/sh\n"                   > top/usr/local/bin/defaultbrowser
        printf "Xdialog --no-buttons --infobox \
\"chrome loading\" 0 0 3000 &\n"              >> top/usr/local/bin/defaultbrowser
        printf "/opt/google/chrome/chrome --no-sandbox \"\$@\"" \
                                              >> top/usr/local/bin/defaultbrowser
        chmod +x top/usr/local/bin/defaultbrowser

        #           Extract out of this file the .jwmrc/urxvt config, rox ...etc.
        #  Uses sed to do that. The first letter of each token is written as a
        #   bracket expression ([j]wm-start) so the pattern still matches the
        #   real token in the data area but not the literal text on this line
        SCRIPT=$SCRIPTPATH/`basename $0`
        sed -n '/<!-- [j]wm-start -->/{:a;n;/<!-- [j]wm-end -->/b;p;ba}' \
                                                         $SCRIPT >top/root/.jwmrc
        sed -n '/<!-- [u]rxvt-start -->/{:a;n;/<!-- [u]rxvt-end -->/b;p;ba}' \
                                          $SCRIPT >top/etc/X11/app-defaults/URxvt

        sed -n '/<!-- [X]defaultsS -->/{:a;n;/<!-- [X]defaultsE -->/b;p;ba}' \
                                                     $SCRIPT >top/root/.Xdefaults

        sed -n '/<!-- [l]ockstateS -->/{:a;n;/<!-- [l]ockstateE -->/b;p;ba}' \
                 $SCRIPT >top/root/.config/lockstate.conf

        sed -n '/<!-- [t]oprcS -->/{:a;n;/<!-- [t]oprcE -->/b;p;ba}' \
                 $SCRIPT >top/root/.toprc

                                          # Set xvkbd to use UK as default layout
        printf "#include \"XVkbd-uk\"\n" >>top/etc/X11/app-defaults/XVkbd

        sync
}

_hostgrabstate() {       #                            We background this function
                         # hostgrab task in main system to report when the Xephyr
                         #   windows title (that is otherwise unseen due to being
                         #                                 full screened) changes
        sleep 1
        while [ -z "$WID" ]; do
            sleep 1                                 # time for container to start
            WID=$(wmctrl -lp | grep "Xephyr on :2" | cut -d ' ' -f 1)
        done
        xprop -id $WID -spy WM_NAME >/tmp/.host-grab  # Start 'spying' the Xephyr
                    # window title (we use inotifywait to pick up on the changes)
}

_hostgrabmon() {   # ctrl-shift locked/unlocked toggle indicator in Xephyr's tray

        [[ "$TRAYICON" = "ball" ]] && echo $BLUESVG>$HOST_GRAB_IMG || _locked_svg
        touch /tmp/.host-grab  # sit & inotifywait modify require pre-exist files
        _hostgrabstate &        # Start monitoring of Xephyr window title changes
        PIDhostgrab=$!
        while [ $ACTIVE -eq 1 ]; do
            {
                inotifywait -qe 'modify' /tmp/.host-grab || exit 1
            } >/dev/null 2>&1
            C=$(tail -1 /tmp/.host-grab | grep "grabs")
            if [ ! -z "${C}" ]; then     # if no 'release' Xephyr window in title
                [[ "$TRAYICON" = "ball" ]] && printf "%s\n" "$GREENSVG" \
                >$HOST_GRAB_IMG || _unlocked_svg # alternative to green ball icon
            else
                [[ "$TRAYICON" = "ball" ]] && printf "%s\n" "$BLUESVG" \
                >$HOST_GRAB_IMG || _locked_svg    # alternative to blue ball icon
            fi
        done
}

_trayicons() {

        DISPLAY=:2 sit $HOST_GRAB_IMG "${HOST_GRAB_TIP}" "${CLICK}" &
        DISPLAY=:2 lockstate &            #             caps lock state tray icon
        PIDlockstate=$!
        _startclip                        #     Start container clipboard manager
        DISPLAY=:2 _temperature &         #  Containers tray cpu temperature icon
        PIDtemp=$!
}


## MAIN ##

ACTIVE=1;_check_environment;_prepfolders;_fix_environment               # Prepare
#DISPLAY=:2 taskset -c 0 empty -f unshare -m pflask $PFLASK -- /init     # 1 core
DISPLAY=:2 empty -f unshare -m pflask $PFLASK -- /init           # The big chroot
CONTAINER_PID=$XEPHYR_PID    # empty -f forks and returns, so there is no $! for
                             #  the container itself; the session ends when the
                             #   Xephyr window (started in _prepfolders) closes
while [ ! -f $SHARED/.flag ]; do                   #   Wait until container ready
    sleep 1
done
rm $SHARED/.flag
_hostgrabmon &                                     #  Prepare hostgrab monitoring
PIDhostgrabicon=$!
xdotool keydown ctrl key shift keyup ctrl          # Toggle container to 'locked'
_trayicons                                         #               Add tray icons
                                  # Drop router admin access. The container shares
                                  #   the host network namespace (--no-netns), so
                                  #  this rule applies to the whole machine while
                                  #   present; -C avoids appending a duplicate and
                                  #         the rule is removed again on the way out
ADDED_RULE=0
iptables -C INPUT -s $ROUTER_IP -j DROP 2>/dev/null || \
    { iptables -A INPUT -s $ROUTER_IP -j DROP && ADDED_RULE=1; }
wait $CONTAINER_PID                                #    Wait for container to end
[[ $ADDED_RULE -eq 1 ]] && iptables -D INPUT -s $ROUTER_IP -j DROP   # Remove rule
umount top sfs >/dev/null 2>&1                     #                 HOUSEKEEPING
rmdir top sfs >/dev/null 2>&1
rm -rf $CONTAINER_LOC;umount $CHANGES
ACTIVE=0                                           #      To trigger and kill off
echo >>/tmp/.host-grab                             #     backgrounded inotifywait
sleep 1
kill $PIDtemp $PIDlockstate $PIDhostgrabicon $PIDhostgrab $PIDsit \
 >/dev/null 2>&1
rm /tmp/.clip /tmp/.container-img.svg /tmp/.host-grab /tmp/.temperature.svg \
 >/dev/null 2>&1

#################################################################################

exit 0

#################################################################################

#  From below the exit 0 above nothing will be interpreted (bash just ignores it)
# So we're storing some of our config files here that we use, and that we extract
#     out and into where they're required as part of the scripts processing/tasks
#    For each such file there's a start and end 'token' that is searched for/used
#  as part of that sed based extraction. For instance .jwmrc ... etc.

#################################################################################

<!-- urxvt-start -->
!warning, needs about 500 bytes per line for scrollback buffer...
URxvt.saveLines: 1000
URxvt.font: xft:mono:pixelsize=24:autohint=true
URxvt.boldFont: xft:mono:bold:pixelsize=24:autohint=true
URxvt.italicFont: xft:mono:italic:pixelsize=24:autohint=true
URxvt.letterSpace: -1
! URxvt.background: "gray"
URxvt*scrollBar_right: true
URxvt*background: black
URxvt*foreground: white
URxvt*visualBell: true
! These next two disable ctrl shift Xephyr and urxvt conflict
URxvt.iso14755: false
URxvt.iso14755_52: false

<!-- urxvt-end -->

#################################################################################

<!-- lockstateS -->
CapsLock=true
NumLock=false
ScrollLock=false
ReversedOrder=false
Fg_Active=#ff0000
Fg_Inactive=#ff0000
Bg_Active_Beg=#f0f0f0
Bg_Active_End=#ffffff
Bg_Inactive_Beg=#888888
Bg_Inactive_End=#ffffff
CapsLock_Active=A
CapsLock_Inactive=a
NumLock_Active=1
NumLock_Inactive=0
ScrollLock_Active=↓
ScrollLock_Inactive=⇣

<!-- lockstateE -->

#################################################################################

<!-- toprcS -->
top's Config File (Linux processes with windows)
Id:i, Mode_altscr=0, Mode_irixps=1, Delay_time=1.500, Curwin=0
Def	fieldscur=¥&K¨³´»½@·º¹56ÄFÅ')*+,-./0128<>?ABCGHIJLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=162102, sortindx=18, maxtasks=0, graph_cpus=1, graph_mems=2
	summclr=2, msgsclr=1, headclr=7, taskclr=7
Job	fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=0, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem	fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=21, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr	fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=3, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=2, Task_mscale=1, Zero_suppress=0

Def	fieldscur=¥&K¨³´»½@·º¹56ÄFÅ')*+,-./0128<>?ABCGHIJLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=162102, sortindx=18, maxtasks=0, graph_cpus=1, graph_mems=2
	summclr=2, msgsclr=6, headclr=7, taskclr=7
Job	fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=0, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem	fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=21, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr	fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
	winflags=163124, sortindx=3, maxtasks=0, graph_cpus=2, graph_mems=0
	summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=2, Task_mscale=1, Zero_suppress=0

<!-- toprcE -->

#################################################################################

.Xdefaults ... in particular we want xvkbd to use a larger default size and font

<!-- XdefaultsS -->
XTerm*VT100.Translations:               #override \
      Shift Ctrl<Key>V:                 insert-selection(CLIPBOARD) \n\
      Shift Ctrl<Key>V:                 insert-selection(PRIMARY) \n\
      Shift<Btn1Down>:                  select-start() \n\
      Shift<Btn1Motion>:                select-extend() \n\
      Shift<Btn1Up>:                    select-end(C) \n\
! so drag highlight copies to clipboard
XTerm*selectToClipboard:                true
XClipboard.form.text.textSink.font:     -b&h-lucida-medium-r-*-*-24-*-*-*-*-*-iso8859-14

! stop output to terminal from jumping down to bottom of scroll again
xterm*scrollTtyOutput: false

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! Blink instead of beeping
*visualBell:                            false

! To reload ...
! xrdb ~/.Xdefaults

!OpenBSD running an X Windows session has hinting and sub-pixel rendering
!available by default as the patent issues have been resolved. I have
! added extra symlinks in my /etc/fonts/conf.d directory as follows...

!foo$ ls -l /etc/fonts/conf.d | cut -c 45-
!10-autohint.conf -> /etc/fonts/conf.avail/10-autohint.conf
!10-sub-pixel-rgb.conf -> /etc/fonts/conf.avail/10-sub-pixel-rgb.conf
!11-lcdfilter-default.conf -> /etc/fonts/conf.avail/11-lcdfilter-default.conf

Xft.dpi:                                144
Xft.autohint:                           0
Xft.antialias:                          true
Xft.hinting:                            true
Xft.hintstyle:                          hintnone
Xft.rgba:                               rgb
Xft.lcdfilter:                          lcddefault

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

xvkbd.windowGeometry: 900x300
xvkbd*Font: 10x20

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

XLoad*showLabel:                        false
XLoad*geometry:                         80x80+0+81
XLoad*borderWidth:                      0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

*font:                                  -b&h-lucida-medium-r-*-*-24-*-*-*-*-*-iso8859-14
*foreground:                            white
*background:                            black
*SimpleMenu*font:                       -b&h-lucida-medium-r-*-*-24-*-*-*-*-*-iso8859-14

<!-- XdefaultsE -->

#################################################################################

<!-- jwm-start -->
<?xml version="1.0"?><JWM>

    <!-- Note this jwmrc was generated within container.sh
         Xephyr container launch script -->

    <StartupCommand>
       <!-- set the desktop wallpaper -->
       /usr/bin/feh --bg-scale /usr/share/backgrounds/wallpaper.jpg
    </StartupCommand>

    <!-- I set key binding of alt spacebar (below) to show root:4 ... this menu -->
    <RootMenu label="BookMarks" labeled="false" height="26" onroot="4">
        <Program label="PuppyLinux">/opt/google/chrome/chrome --no-sandbox -d https://forum.puppylinux.com</Program>
        <Program label="Yahoo">/opt/google/chrome/chrome --no-sandbox -d https://uk.finance.yahoo.com</Program>
        <Program label="News">/opt/google/chrome/chrome --no-sandbox -d https://news.bbc.co.uk</Program>
        <Program label="Draughts">/opt/google/chrome/chrome --no-sandbox -d https://draughts.github.io</Program> 
    </RootMenu>
    
    <RootMenu label="Menu" labeled="false" height="26" onroot="3">
        <Program icon="folder.png" label="rox">rox</Program>
        <Program icon="galculator.png" label="galculator">galculator</Program>
        <Program icon="video-display.png" label="urxvt">urxvt</Program>
        <Program icon="mtpaint.png" label="mtpaint">mtpaint</Program>
        <Program icon="gimp.png" label="gimp">gimp</Program>
        <Program icon="viewnior.png" label="viewnior">viewnior</Program>
        <Program icon="/usr/share/pixmaps/guvcview/guvcview.png" label="guvcview">guvcview</Program>
        <Program icon="libreoffice-writer.png" label="libreoffice Writer">libreoffice --writer</Program>
        <Program icon="libreoffice-calc.png" label="libreoffice Calc">libreoffice --calc</Program>
        <Program icon="tigervnc.png" label="tigervnc viewer">vncviewer</Program>
        <Program icon="vlc.png" label="vlc">vlc</Program>
        <Program icon="mini-colors.xpm" label="tetris">gtktetris</Program>
        <Program icon="mini-keyboard.xpm" label="xvkbd">xvkbd -secure</Program>
        <!-- <Program icon="mini-keyboard.xpm" label="florence">florence</Program> -->
        <Program icon="mini-perf.xpm" label="Net Activity">xterm -e bmon -p wlan0</Program>
        <Program icon="htop.png" label="htop">xterm -e htop</Program>
        <Program icon="xterm16.xpm" label="screen recorder">xterm -e screenrecord</Program>
        <Program icon="multimedia48.png" label="ytplayer">ytplayer</Program>

        <Separator/>        

        <Program icon="process-stop.png" label="Exit">Xdialog --title 'Exit (or minimise) Container' --msgbox 'First use Ctrl-Shift to toggle the tray icon to green/unlocked

and then use  Ctrl-Alt-x (or Alt-F4) to exit/end the container session

OR

to leave it running and minimise the container session use Ctrl-Alt-d
' 0 0</Program>
    </RootMenu>

    <IconPath>/usr/share/pixmaps/midi-icons</IconPath>
    <IconPath>/usr/share/pixmaps/mini-icons</IconPath>
    <IconPath>/usr/share/pixmaps</IconPath>
    <IconPath>/usr/share/icons</IconPath>
    <IconPath>/usr/local/share/pixmaps</IconPath>
    <IconPath>/usr/share/icons/hicolor/48x48/apps</IconPath>
    <IconPath>/usr/share/icons/hicolor/24x24/apps</IconPath>
    <IconPath>/usr/share/icons/hicolor/scalable/apps</IconPath>
    <IconPath>/usr/share/pixmaps/pidgin/dialogs/scalable</IconPath>

    <WindowStyle>
        <Font>DejaVu Sans-11:bold</Font>
        <Width>5</Width>
        <Height>26</Height>
        <Foreground>#b2b2b2</Foreground>
        <Background>#3C3636:#5E5151</Background>
        <!--
        <Corner>4</Corner>
        <Outline>black</Outline>
        -->
        <Active>
            <Foreground>white</Foreground>
            <Background>#180356:#1304F4</Background>
            <Outline>black</Outline>
        </Active>
    </WindowStyle>

    <TaskListStyle>
        <Font>DejaVu Sans-11</Font>
        <Foreground>#929292</Foreground>
        <Background>#04061B</Background>
        <Active>
            <Foreground>white</Foreground>
            <Background>#3C3636:#5E5151</Background>
        </Active>
    </TaskListStyle>

    <TrayStyle>
        <Font>DejaVu Sans-12:bold</Font>
        <Foreground>white</Foreground>
        <Background>#04061B</Background>
    </TrayStyle>

    <PagerStyle>
        <Outline>black</Outline>
        <Foreground>#8899AA</Foreground>
        <Background>#3A4956</Background>
        <Active>
            <Foreground>#DCDAD5</Foreground>
            <Background>#888888</Background>
        </Active>
    </PagerStyle>

    <PopupStyle>
        <Font>DejaVu Sans-12</Font>
        <Outline>black</Outline>
        <Foreground>black</Foreground>
        <Background>#EEEEEE</Background>
    </PopupStyle>

    <MenuStyle>
        <Font>DejaVu Sans-11:bold</Font>
        <Foreground>white</Foreground>
        <Background>black</Background>
        <!--
        <Active>
            <Foreground>black</Foreground>
            <Background>#B6B6B6:#DBDBDB</Background>
        </Active>
        -->
    </MenuStyle>
    
    <ClockStyle>
        <Font>DejaVu Sans-10:bold</Font>
        <Foreground>white</Foreground>
        <Background>#04061B</Background>
    </ClockStyle>

    <Desktops count="2" width="2" height="1">
        <Background type="solid">#000011</Background>
        <!-- <Background type="image">/root/wp.jpg</Background> -->
    </Desktops>

    <Group>
        <Name>Xdialog</Name>
        <Option>notitle</Option>
        <Option>nolist</Option>
    </Group>

    <Group>
        <Name>xmessage</Name>
        <Option>notitle</Option>
        <Option>nolist</Option>
    </Group>

    <Group>
        <Class>gtkdialog-splash</Class>
        <Option>nolist</Option>
        <Option>nofocus</Option>
    </Group>
    
    <!-- urxvt terminal windows do not fully maximize; the iignore option (ignore size increments) fixes that -->
    <Group>
        <Class>URxvt</Class>
        <Option>iignore</Option>
    </Group>

    <!-- misc. parameters -->
    <DoubleClickSpeed>400</DoubleClickSpeed>
    <DoubleClickDelta>3</DoubleClickDelta>
    <FocusModel>click</FocusModel>
    <SnapMode distance="10">none</SnapMode>
    <MoveMode>opaque</MoveMode>
    <ResizeMode>opaque</ResizeMode>

    <!-- key bindings (set to similar to cwm) -->
    <Key key="Up">up</Key>
    <Key key="Down">down</Key>
    <Key key="Right">right</Key>
    <Key key="Left">left</Key>
    <Key key="h">left</Key>
    <Key key="j">down</Key>
    <Key key="k">up</Key>
    <Key key="l">right</Key>
    <Key key="Return">select</Key>
    <Key key="Escape">escape</Key>

    <Key mask="CAS" key="q">exit</Key>
    <Key mask="CAS" key="r">restart</Key>
    <Key mask="A"   key="#">desktop#</Key>

    <Key mask="C"   key="space">root:3</Key> <!-- Ctrl-space main jwm menu        -->
    <Key mask="A"   key="space">root:4</Key> <!-- ALT-space URL bookmarks         -->
    <Key mask="4"   key="space">window</Key> <!-- WIN-Space Window title bar menu -->

    <Key mask="C"   key="Down">exec:amixer -c 1 set Master 2%-</Key>
    <Key mask="C"   key="Up">exec:amixer set -c 1 Master 2%+</Key>

    <Key mask="4"   key="Tab">next</Key>
    <Key mask="4"   key="Return">exec:urxvt</Key>
    <Key mask="4"   key="Up">maximize</Key>
    <Key mask="4"   key="x">close</Key>
    <Key mask="4"   key="f">fullscreen</Key>
    <Key mask="4"   key="Down">minimize</Key>

    <!-- additional stuff -->
    <!-- <Include>$HOME/.jwmrc-tray</Include> -->

    <Tray  autohide="off" insert="right" x="0" y="-1" border="1" height="34" >
    
        <Clock format="%H:%M %a %d %b">
            <Button mask="1">root:3</Button>
            <Button mask="3">showdesktop</Button>
        </Clock>    

        <!-- Additional TrayButton attribute: label -->
  <!--      <TrayButton label="" icon="/usr/share/icons/fatdog32.png">root:3</TrayButton> -->
        <TrayButton popup="browse" icon="/usr/local/lib/X11/pixmaps/www48.png">
           exec:/opt/google/chrome/chrome --no-sandbox --test-type
        </TrayButton>
        <TrayButton popup="xterm" icon="/usr/share/pixmaps/video-display.png">
           exec:urxvt
        </TrayButton>
        <TrayButton popup="rox" icon="folder.png">exec:rox</TrayButton>
        <TrayButton popup="geany" icon="geany.png">
           exec:geany /root/shared/clip.txt
        </TrayButton>
        <TrayButton popup="galculator" icon="galculator.png">
           exec:galculator
        </TrayButton>
        <TrayButton popup="alsamixer" icon="/usr/share/pixmaps/themes/puppy16/audio-volume-high.png">
           exec:urxvt -e alsamixer
        </TrayButton>
<!--        <TrayButton popup="Show Desktop" icon="mini-desktop.xpm">
           showdesktop
        </TrayButton>
-->
        <!-- Additional Pager attributes; width, height -->
        <Pager/>

        <!-- Additional TaskList attribute: maxwidth -->
        <TaskList maxwidth="2000"/>

        <Dock/>

        <Swallow name="xload" width="32">
            xload -nolabel -bg "#04061B" -fg "#ff0000" -hl yellow -update 1
        </Swallow>
    </Tray>

</JWM>

<!-- jwm-end -->

#################################################################################
Neo_78
Posts: 407
Joined: Wed Dec 29, 2021 10:45 pm
Has thanked: 232 times
Been thanked: 11 times

Re: Running Browser in a Container with LXC

Post by Neo_78 »

That looks like a sophisticated setup @rufwoof. What's the "Net Activity" tool in the menu? I think I will keep my configuration simple and gradually build up the script as I get everything working.

The container basically works before I remaster (black background but bottom menu is displayed). When I remaster, burn to DVD and boot from that DVD, I can execute the script. However, the Xephyr screen remains completely black. There is basically no menu in the bottom. So I am not sure what's wrong or what I have messed up. Maybe I accidentally removed a required FatDog package? The terminal window does not give any relevant error messages... :?

Also, the iptables drop rule does not seem to work on the remastered DVD when eztables is enabled and running, as the router IP is still reachable. So I guess that rule has to be configured inside eztables?

Until I have figured out the correct key bindings for default FatDog, is there a way to delete all running Xephyr / pflask sessions from the terminal with a simple command?

Thanks for your guidance.

user1111

Re: Running Browser in a Container with LXC

Post by user1111 »

Neo_78 wrote: Thu Mar 24, 2022 2:03 am

That looks like a sophisticated setup @rufwoof. What's the "Net Activity" tool in the menu? I think I will keep my configuration simple and gradually build up the script as I get everything working.

The container basically works before I remaster (black background but bottom menu is displayed). When I remaster, burn to DVD and boot from that DVD, I can execute the script. However, the Xephyr screen remains completely black. There is basically no menu in the bottom. So I am not sure what's wrong or what I have messed up. Maybe I accidentally removed a required FatDog package? The terminal window does not give any relevant error messages... :?

Also, the iptables drop rule does not seem to work on the remastered DVD when eztables is enabled and running, as the router IP is still reachable. So I guess that rule has to be configured inside eztables?

Until I have figured out the correct key bindings for default FatDog, is there a way to delete all running Xephyr / pflask sessions from the terminal with a simple command?

Thanks for your guidance.

Net activity is bmon -p wlan0 in my case (-p eth0 if hard wired)

I have that and mc (file manager), htop (processes), alsamixer (volume) alsamixer -D equal (equaliser), and chrome all start full-screen at startup, so WIN+tab in my current case (usually ALT+tab) to step between them. WIN+f to toggle fullscreen that shows the jwm tray. WIN+space for Main menu, ALT+space for bookmarks menu.

[attachment: dt.gif]

In control panel, system, manage services I don't have eztables activated.

killall Xephyr ... might do the trick.

Neo_78

Re: Running Browser in a Container with LXC

Post by Neo_78 »

Thanks @rufwoof.

I found the problem with the black screen in the container. If you stop eztables (default configuration), the bottom menu is visible (before remastering FatDog). Which means the firewall seems to block the screen.

Do you know which firewall / port rules are required for Xephyr that also allow you to have Internet access from inside the container?

Or could you share your iptables configuration (maybe that's easier...)?

Once I remaster and boot from the DVD, however, I run into the next problem when trying to start the container:

umount: sfs1: not mounted
ln: failed to create symbolic link 'top1/etc/machine-id': File exists

Your advice is much appreciated.

user1111

Re: Running Browser in a Container with LXC

Post by user1111 »

I don't have eztables active (in Fatdog Control Panel, Manage Services). Our router has a firewall in which I open only the desired in-bound ports, such as ssh (22), and Fatdog isn't listening on any ports. For sshd, for instance, I run OpenBSD in a qemu/kvm with kern.securelevel=2 and where the userid is dropped from group wheel (in /etc/group) so it can't su or doas (sudo). I set that qemu to run with port 22 in Fatdog forwarded to the OpenBSD session, so when 22 is open in the router any ssh connection traffic flows into the OpenBSD session. It would be similar/the same for http, but I don't tend to run a http server session.

So my only iptables setting is the one blocking access to the router. From within the container (which I use as my daily desktop for browsing etc.) that cannot be changed, but it can be from the main session. When I do drop that rule in order to access the router admin I ensure that OpenBSD and the container are shut down.

Basically I set up Fatdog to use the multi-session save style to HDD (saving multi...sfs files), set to only save on demand (in eventmanager).
Somewhere on HDD I extract fd64.sfs using unsquashfs, and any time I have rebooted, made changes (such as installing qemu from gslapt) and run a save, I extract those multi... files into the squashfs-root folder:

    unsquashfs -f -d squashfs-root multi.... base.sfs (and then multi...save.sfs)

then remove those multi.. files and reform the fd64.sfs:

    mksquashfs squashfs-root/ fd64.sfs -comp lz4

... which then becomes my main fd64.sfs (remastered).

For OpenBSD on HDD (outside of Fatdog space) I create

qemu-img create -f qcow2 disk.qcow2 32G

which dynamically grows as space is required. Download the OpenBSD iso from somewhere like https://www.mirrorservice.org/pub/OpenB ... 4/cd70.iso (7.0 is the most recent version). Boot and install that (mostly just pressing enter, but set up a regular userid/password when prompted, don't bother with xenodm/X, and set sshd on (I think that is the default anyway)). To start the install it's ...

qemu-system-x86_64 -m 64 \
-cdrom cd70.iso \
-drive if=virtio,file=disk.qcow2,format=qcow2 \
-enable-kvm \
-netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:22-:22 \
-device virtio-net,netdev=mynet0 \
-smp 2

and thereafter I boot that using ...

qemu-system-x86_64 -m 64 \
-drive if=virtio,file=disk.qcow2,format=qcow2 \
-enable-kvm \
-netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:22-:22 \
-device virtio-net,netdev=mynet0

As root within that OpenBSD session edit (create) /etc/rc.securelevel to include

    sysctl kern.securelevel=2

to set it to the most secure security level, and drop the user you created (e.g. the obsd username) from the wheel group in /etc/group (wheel is usually the first line of that file; remove the ",obsd" part at the end of that line).

With that qemu of OpenBSD running, the Fatdog (or my container etc.) can ssh into it:

    ssh obsd@localhost

or, if you know the external IP and have port 22 forwarded in the router, you can ssh into it from anywhere (ssh obsd@<ip address>). The same goes for any of the other ssh-type commands such as scp (copy) etc.

So basically the main fatdog is just sys admin, I use the container as my regular desktop for browsing/word processing ..etc, and I use just the base OpenBSD set to a high security level for any servers such as sshd, httpd ...etc. OpenBSD uses pf for its firewall and the default settings are good enough as-is.

Backing up the OpenBSD is as simple as copying the single file (disk.qcow2), so for instance if you'd rather no changes be preserved between sessions then just copy that before starting qemu, and delete/replace that with the copied version after shutdown (or prior to starting the next session).

If I receive a big file/download into the OpenBSD session then I can move that to the main Fatdog session, and hence HDD, via a scp initiated from within the main Fatdog session to pull the file out of the OpenBSD session. No need to have sshd (server) also running in Fatdog:

    scp obsd@localhost:/home/obsd/somefile /mnt/sda2/somefolder/somefile

[attachment: i.png]
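The two OpenBSD guest hardening steps in the post above (drop the login user from wheel so it can no longer su/doas to root, and raise kern.securelevel at boot) can be done as a scripted edit instead of by hand. The following is an added example, not code from the post or from OpenBSD: it parses /etc/group format, removes a member from a group whether that member is the only, first, middle or last one in the list (the hand edit described above only covers the last case), and emits the rc.securelevel line. The group name "wheel", the user "obsd" and the sample file contents are constructed for the demo; to use it for real, read the guest's /etc/group, pass its contents to remove_member(), and write the result back as root.

```python
"""Added example: scripted versions of the two OpenBSD hardening edits
described in the post (wheel membership and kern.securelevel).
"""

from __future__ import annotations

# /etc/group line layout: name:password:gid:member1,member2,...
GROUP_NAME, GROUP_PASSWD, GROUP_GID, GROUP_MEMBERS = range(4)


def parse_group_line(line: str) -> list[str] | None:
    """Split one /etc/group line into its four fields; None for blank/comment."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed group line: {line!r}")
    return fields


def members_of(group_text: str, group: str) -> list[str]:
    """Return the supplementary member list of `group` (empty if none)."""
    for line in group_text.splitlines():
        fields = parse_group_line(line)
        if fields and fields[GROUP_NAME] == group:
            return [m for m in fields[GROUP_MEMBERS].split(",") if m]
    raise KeyError(group)


def remove_member(group_text: str, group: str, user: str) -> str:
    """Return group_text with `user` removed from `group`'s member list.

    Works whether the user is the only, first, middle or last member and is a
    no-op when the user is not a member; every other line passes through
    untouched and the trailing newline is preserved.
    """
    out = []
    for line in group_text.splitlines():
        fields = parse_group_line(line)
        if fields and fields[GROUP_NAME] == group:
            kept = [m for m in fields[GROUP_MEMBERS].split(",") if m and m != user]
            fields[GROUP_MEMBERS] = ",".join(kept)
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + ("\n" if group_text.endswith("\n") else "")


def securelevel_rc(level: int = 2) -> str:
    """Contents of /etc/rc.securelevel that raise kern.securelevel at boot.

    rc runs /etc/rc.securelevel before raising the level itself, so a sysctl
    here sticks for the rest of the boot. Only 1 and 2 are accepted: the
    point of the file is to raise the level, and 2 is the highest.
    """
    if level not in (1, 2):
        raise ValueError("rc.securelevel is for raising the level to 1 or 2")
    return f"sysctl kern.securelevel={level}\n"


# Constructed sample /etc/group shaped like a fresh install where the
# installer added the login user "obsd" to wheel.
SAMPLE_GROUP = (
    "wheel:*:0:root,obsd\n"
    "daemon:*:1:daemon\n"
    "sshd:*:27:\n"
    "obsd:*:1000:\n"
)

if __name__ == "__main__":
    print("wheel before:", members_of(SAMPLE_GROUP, "wheel"))
    hardened = remove_member(SAMPLE_GROUP, "wheel", "obsd")
    print("wheel after: ", members_of(hardened, "wheel"))
    print("/etc/rc.securelevel:", securelevel_rc(), end="")
```

Re-running the edit on an already hardened file changes nothing, so it is safe to keep in a provisioning script that is applied every time the guest image is rebuilt.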
user1111

Re: Running Browser in a Container with LXC

Post by user1111 »

rufwoof wrote: Sun Mar 27, 2022 11:02 am

Backing up the OpenBSD is as simple as copying the single file (disk.qcow2), so for instance if you'd rather no changes be preserved between sessions then just copy that before starting qemu, and delete/replace that with the copied version after shutdown (or prior to starting the next session).

Rather than copying the qemu file, it's quicker to use qemu snapshots.

Let's say you also want a web server, so as root inside OpenBSD you edit /etc/httpd.conf to contain ...

    server "default" {
        listen on * port 80
    }
    types {
        include "/usr/share/misc/mime.types"
    }

then run
httpd -n
which should report back "configuration ok"

create /var/www/htdocs/index.html with some html content
<html><body>Hi</body></html>

then activate and start httpd

rcctl enable httpd
rcctl start httpd

Once you've run that and configured things as you like, you can shut down (shutdown -p now) and then keep that as the 'clean' version and run against snapshots.

Extending the qemu bootup to also include port 80 forwarding (http) as well as port 22 (ssh), you can either boot using

qemu-system-x86_64 -m 64 \
-drive if=virtio,file=disk.qcow2,format=qcow2 \
-enable-kvm \
-netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:22-:22,hostfwd=tcp:127.0.0.1:80-:80 \
-device virtio-net,netdev=mynet0

in which case all changes will be preserved

OR

create a snapshot

qemu-img create -f qcow2 -b disk.qcow2 snapshot.qcow2

and boot that image instead; that uses a Puppy-like read-only bottom layer with all changes stored in the snapshot. Boot that snapshot image using ...

qemu-system-x86_64 -m 64 \
-drive if=virtio,file=snapshot.qcow2,format=qcow2 \
-enable-kvm \
-netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:22-:22,hostfwd=tcp:127.0.0.1:80-:80 \
-device virtio-net,netdev=mynet0

and afterwards you can throw that snapshot file away and create another snapshot image to boot the next time, so it starts off 'clean' again.

Again if you open up port 80 in your router then external http requests are routed through to the OpenBSD session.

To identify your external IP address I use

#!/bin/sh
curl -s http://whatismyip.akamai.com/ >myipis

That is all old-style http rather than https, which is more involved, but it gives a basic ssh and http setup where you can connect using a browser URL of http://localhost and/or ssh, with those servers running in a qemu-isolated, separate server system running OpenBSD (which is renowned for being secure).

Fatdog as the core admin and file storage
OpenBSD for servers (ssh, http, whatever)
Container for general desktop/browsing
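The snapshot workflow above only gives a throw-away server if the file handed to qemu really is an overlay on the clean base. Booting disk.qcow2 by mistake, or a snapshot.qcow2 that was created without its -b link, persists everything an attacker did to the exposed sshd/httpd. The following is an added example, not code from the post or from QEMU: it reads the backing-file fields straight out of the qcow2 header (fixed 72-byte layout shared by format versions 2 and 3, as documented in QEMU's docs/interop/qcow2.txt) and refuses unless the image is layered on the expected base. The image bytes in the demo are constructed headers, not real disks; the file names are the ones used in the post.

```python
"""Added example: verify that a qcow2 image is an overlay on the expected
base before booting it, by parsing the qcow2 header directly.
"""

from __future__ import annotations

import struct

QCOW2_MAGIC = b"QFI\xfb"
# Fixed header, big-endian: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size, crypt_method, l1_size,
# l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72 bytes
MAX_BACKING_NAME = 1023                    # spec limit on backing_file_size


class NotQcow2(ValueError):
    """Raised when the bytes do not look like a usable qcow2 header."""


def backing_file(data: bytes) -> str | None:
    """Return the backing file name recorded in the image, or None if standalone.

    `data` must include the fixed header and the backing name; qemu stores
    the name inside the first cluster, so the first 64 KiB of the file is
    enough in practice.
    """
    if len(data) < HEADER_LEN:
        raise NotQcow2("file too short for a qcow2 header")
    magic, version, bf_off, bf_len = struct.unpack(">4sIQI", data[:20])
    if magic != QCOW2_MAGIC:
        raise NotQcow2("bad magic, not a qcow2 image")
    if version not in (2, 3):
        raise NotQcow2(f"unsupported qcow2 version {version}")
    if bf_off == 0 or bf_len == 0:
        return None  # standalone image: writes land in this file
    if bf_len > MAX_BACKING_NAME or bf_off + bf_len > len(data):
        raise NotQcow2("backing file name out of range")
    return data[bf_off:bf_off + bf_len].decode("utf-8")


def is_safe_to_boot(image_data: bytes, expected_base: str) -> tuple[bool, str]:
    """(ok, reason): ok only when image_data is an overlay on expected_base."""
    try:
        base = backing_file(image_data)
    except NotQcow2 as exc:
        return False, f"refusing: {exc}"
    if base is None:
        return False, "refusing: no backing file, booting this would modify it directly"
    if base != expected_base:
        return False, f"refusing: backing file is {base!r}, expected {expected_base!r}"
    return True, f"ok: overlay on {base!r}"


def check_file(path: str, expected_base: str) -> tuple[bool, str]:
    """Same check against an image on disk; reads only the first cluster."""
    with open(path, "rb") as fh:
        return is_safe_to_boot(fh.read(1 << 16), expected_base)


def build_header(backing: str | None, virtual_size: int = 32 << 30) -> bytes:
    """Constructed minimal version-3 header for the demo; not a bootable image."""
    name = backing.encode("utf-8") if backing else b""
    bf_off = HEADER_LEN if name else 0
    fixed = struct.pack(HEADER_FMT, QCOW2_MAGIC, 3, bf_off, len(name),
                        16, virtual_size, 0, 0, 0, 0, 0, 0, 0)
    return fixed + name


if __name__ == "__main__":
    # Constructed images: the clean base, a proper overlay, and a stray
    # overlay that points somewhere else.
    demo = (
        ("disk.qcow2", build_header(None)),
        ("snapshot.qcow2", build_header("disk.qcow2")),
        ("old-snapshot.qcow2", build_header("disk-2021.qcow2")),
    )
    for name, data in demo:
        ok, why = is_safe_to_boot(data, "disk.qcow2")
        print(f"{name}: {why}")
```

Run check_file("snapshot.qcow2", "disk.qcow2") in the script that launches qemu and abort on a False result. Note also that recent qemu-img releases expect the backing format to be spelled out when the overlay is created (add -F qcow2 after -b disk.qcow2) and warn or refuse when it is missing, depending on version.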

Neo_78

Re: Running Browser in a Container with LXC

Post by Neo_78 »

Thanks for the follow up @rufwoof. That looks like a technically very advanced setup and probably exceeds my base requirement of just running my remastered FatDog DVD in a container that an attacker cannot escape. Let me see if I can replicate this step by step.

If I understand you correctly, you are using FatDog as the base system and run OpenBSD as a virtual machine in QEMU on top of that. Inside OpenBSD you are then executing your container script for web browsing sessions. Is that correct?

A hardware based firewall is probably the way to go. The problem is that many ISPs nowadays lock down their routers, which you cannot configure or even put in bridge mode. So the only thing you can do then is configure an additional router as a subnet with a firewall.

As @JakeSFR mentioned, Xephyr requires port 6001. So unblocking that port in eztables should do the trick to at least solve the black screen problem. Not sure if further firewall adjustments are required to get Internet working inside the container.

What I am still struggling with as a base step is to get your container script working inside my remastered, RAM booted FatDog image in the first place:

umount: sfs1: not mounted
ln: failed to create symbolic link 'top1/etc/machine-id': File exists

Any idea how this could be solved?

Is a remastered FatDog image system hardware specific and comes with a specific machine ID that causes problems when a remastered image is being used on different machines?

https://wiki.debian.org/MachineId

Thanks!

user1111

Re: Running Browser in a Container with LXC

Post by user1111 »

Neo_78 wrote: Wed Mar 23, 2022 1:42 am

I also noted the following warning when running the script:

Warning: Unsupported high keycode 372 for name <I372> ignored X11 cannot support keycodes above 255. This warning only shows for the first high keycode.

Errors from xkbcomp are not fatal to the X server

X11 does not support keycodes above 255; it's a protocol limitation and can't be fixed, so just ignore the warning.
