Thanks for the suggestions (only just seen your post).

wiak wrote:

rufwoof wrote:
Finding that running large LibreOffice spreadsheet or word documents across Xephyr is very laggy. i.e. DISPLAY=:1 swriter from the main session, so I can cut/paste from firefox running inside the (:1) container, has swriter as good as useless (very slow to scroll etc.).
Seems to be Xephyr alone causing that lag.

I haven't tried EasyOS as yet but often used Xnest and Xephyr in the past and been doing a lot with overlayfs in VoidLinux of late to provide persistence and allow use of sfs files using chroot into separate overlays of main system. If you are running apps in some kind of chroot setup, an alternative to using Xnest or Xephyr is simply to do things the other way round to what I gather you've been doing i.e. start the app up in the chroot but make DISPLAY point back to the main session DISPLAY as outlined here:
https://wiki.gentoo.org/wiki/Project:X8 ... the_chroot
In terms of security, I suggest using sshd server running in your container and then ssh -X (tunnel) into that from client on main desktop session (if that is possible?) - that should set DISPLAY automatically whilst providing secure X communications. Then I guess cut and paste and so on would work fine.
Whilst I don't know how EasyOS implements containers, I came across the following for Docker (EDIT: though I haven't myself ever used Docker so don't know the ins and outs of it):
https://stackoverflow.com/questions/478 ... containers
https://docs.docker.com/engine/examples ... h_service/
https://unix.stackexchange.com/question ... s-remotely
Alternatively, and even safer, use VNC over ssh.
http://nnc3.com/mags/Networking2/ssh/ch09_03.htm
https://help.ubuntu.com/community/VNC
wiak
The first method is indeed insecure. Running a rover (similar to spot) window on the main desktop (DISPLAY :0) from within the container ... opens up rover elevating to root outside of the container (main root) easily (just to be sure, I verified that as per the attached image). ssh tunneling or vnc over ssh would be more secure.
Fully opening up the main desktop's /dev - for instance amongst other things opens up the framebuffer - and the framebuffer could be repeatedly cat (piped through compress and ssh to a cracker's ssh server) i.e. 'console' seen/watched. Generally if root is cracked via other simpler means that's not a great issue (too much bandwidth/effort for a cracker to really be bothered with, as that's typically around 1K/frame/snapshot). More generally they'd be looking for private keys/passwords - easy access into other systems/boxes/devices (router etc), such as ~/.ssh private keys (that even if password protected, once copied to the cracker's system are generally relatively easily/quickly cracked).
As it's just Libre writer, for just some files, that can run slow in an Easy Container, I'm not too bothered myself as I can use googledocs for not fully trusted, or the main system's Libre writer when trusted. Everything else seems to run fine, so it may all just be an Easy 1.0 (that I'm running, haven't tracked the later releases) or the specific compiled Libre version contained within that. May have been indirectly (or directly) fixed in later versions or the upcoming Easy 2.0 series.
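A check for the exposure described in the post above (a container that can reach the host's DISPLAY :0 and has the host's whole /dev bind-mounted), as an added example that is not code from the thread or from EasyOS. It assumes a mountinfo-format table (/proc/self/mountinfo on a live box) and a container root path such as /mnt/easy; the sample table is constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread or from EasyOS. It checks whether a
# chroot/container has been handed the host's X socket or the host's whole /dev
# (and with it the framebuffer and input devices). Input is a mountinfo-format
# table (/proc/self/mountinfo on a live box) so it also works on a saved copy;
# the container root path (e.g. /mnt/easy) is an assumed argument.

audit_x_exposure() {
    mountinfo="$1"; root="$2"
    # mountinfo fields: id parent major:minor root mountpoint options ... - fstype source
    awk -v root="$root" '
        { devno[$5] = $3 }              # remember the device behind each mount point
        END {
            cdev = root "/dev"; cx11 = root "/tmp/.X11-unix"
            # Same major:minor as the host /dev means a bind mount of it, not a private devtmpfs
            if ((cdev in devno) && ("/dev" in devno) && devno[cdev] == devno["/dev"])
                print "host-dev"
            # Any mount on the container X11 socket dir gives clients direct access to DISPLAY :0
            if (cx11 in devno)
                print "host-x-socket"
        }' "$mountinfo"
}

# ":0" / "unix:0" style DISPLAY talks straight to the host X server;
# a session forwarded with ssh -X shows up as "localhost:10.0" instead.
display_goes_to_host() {
    case "$1" in
        :*|unix:*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample table (not captured from a real system) for a container at /mnt/easy
sample_mountinfo() {
    printf '%s\n' \
      '25 1 8:1 / / rw - ext4 /dev/sda1 rw' \
      '26 25 0:6 / /dev rw,nosuid - devtmpfs devtmpfs rw' \
      '36 25 0:6 / /mnt/easy/dev rw,nosuid - devtmpfs devtmpfs rw' \
      '37 25 8:1 /tmp/.X11-unix /mnt/easy/tmp/.X11-unix rw - ext4 /dev/sda1 rw' \
      '38 25 0:7 / /mnt/easy/proc rw - proc proc rw'
}

# On a live system: audit_x_exposure /proc/self/mountinfo /mnt/easy
```

On the ssh -X side, note that OpenSSH's ForwardX11Trusted option (set to yes by default on Debian-derived systems) makes a forwarded client as trusted as a local one; with it off, the X server's SECURITY extension restricts what the forwarded client can do.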