How to safely and easily run snap-based applications in Ubuntu under docker?

I understand somewhat that docker “sandboxes” the containers it runs, and so does snap and flatpak. And that these sandboxes don’t “stack”. You can’t easily run a sandbox within a sandbox.

One could give the docker container lots of rights (e.g. with docker run --cap-add=SYS_ADMIN ..., or worse, using --privileged), but no sysadmin wants to do that to run normal GUI applications like Firefox.

But since Ubuntu is moving more and more towards having snaps for everything, the supported way to run e.g. Firefox is to do it in a snap. I’ve found some posts from 2017 (1 and 2) and ogra1/snapd-docker: Create a docker container that is able to run snaps about this and they all run docker containers with --cap-add SYS_ADMIN which I’d rather not do.

So what is the best approach to running such GUI applications under Ubuntu in docker, now that apt install firefox expects to run a snap?

I thought that perhaps flatpak is better or different, but it seems to have very similar issues under docker.

Or does one have to go back to the 90s: wget a .tar.gz in the Dockerfile, untar, set up LD_LIBRARY_PATH, etc.? With a different procedure for each app, manually installing .so dependencies, different failure modes, etc.?

My personal itch is to run a couple of apps along with fluxbox, noVNC and TigerVNC so I get a HTTP interface to the tiniest desktop with the apps I care about, isolated from my desktop (or server?) environment.

For chrome, this is also an issue even without snap or flatpak, since it also runs processes in sandboxes. But that is another issue.

So can one stay with Ubuntu for this? Or is it better to use some other distro that isn’t being snap-ed or flatpak-ed? Which (preferably apt-based) distros are still using apt without a helping of snap or flatpak? Is Debian likely to be (and remain) better in this respect?

Edited to add: This question is specifically about docker, since I’m already running many things in docker (and k8s). But a podman solution would be fine… And running e.g. TigerVNC with e.g. firefox outside of docker is trivial. So for this post, docker (or podman) is a given.
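Whatever approach ends up being used, the thing worth verifying is whether CAP_SYS_ADMIN actually landed in the container's effective capability set. The following is an added example (not from the question or any of the linked projects): a POSIX sh check that decodes the CapEff mask from /proc/self/status inside the container. The sample masks in the comments are constructed from docker's documented default capability set; capability bit numbers are from linux/capability.h.

```shell
# Capability bit numbers (linux/capability.h)
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# cap_present MASK BIT -> success if capability BIT is set in hex MASK
# Example masks (constructed):
#   00000000a80425fb  docker default set
#   00000000a82425fb  docker default + --cap-add SYS_ADMIN
cap_present() {
  mask=$1; bit=$2
  [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# effective_caps -> prints the CapEff hex mask of the calling process
effective_caps() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# check_caps MASK -> prints a verdict; returns 1 when SYS_ADMIN is present
check_caps() {
  mask=$1
  if cap_present "$mask" "$CAP_SYS_ADMIN"; then
    echo "CapEff=$mask: CAP_SYS_ADMIN present; this container is far closer to host root than the docker default"
    return 1
  fi
  echo "CapEff=$mask: no CAP_SYS_ADMIN; docker default restrictions intact"
  return 0
}

# Report on the current process. Guarded so the script is harmless on a host
# without /proc (the check only means something when run inside the container).
# From the host side the same information is available via:
#   docker inspect -f '{{.HostConfig.CapAdd}} {{.HostConfig.Privileged}}' <container>
if [ -r /proc/self/status ]; then
  check_caps "$(effective_caps)" || true
fi
```

Run it as the entrypoint of a test container (or via docker exec) to confirm that a snap/flatpak workaround did not quietly require --cap-add SYS_ADMIN or --privileged.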
