@gwpl
Last active November 21, 2022 13:27
Isolating applications on desktop - Docker, Vagrant as a Desktop (or QubesOS and other options) for better desktop security [Notes/Draft]

The goal of these notes is to plant the idea that there are a few alternatives to "just running apps directly on your computer".

If you don't pick any of the mentioned options, please consider, as a bare minimum, making a separate user for some apps or some contexts (e.g. "me-work-emails", "me-work-coding", "me-work-graphics-design", "me-work-instant-messenger",...). However, you may find the mentioned solutions more seamless.

Docker and Docker Compose are DRY, in the spirit of "infrastructure as code", for Linux containers.

You specify your setup in a Dockerfile (and, when composing multiple containers, also in docker-compose.yml).

However! You can run all your apps in Docker containers, using Docker as a desktop and minimizing their surface/access to the absolute minimum required for them to run, therefore:

  • reducing attack surface
  • keeping your system cleaner (if apps require dependencies, they are contained in docker container)
  • DRY => Don't repeat Yourself => once you have configured docker setup on one machine, you can easily run app on other machines with docker
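As an added illustration (not part of the original gist), here is a docker-compose.yml that puts a typical "just make it work" service beside one restricted to the minimum access a document viewer needs. The image name, service names, UID 1000 and the host folder are assumptions; the keys are standard Compose options.

```yaml
services:
  # Weak: convenient, but the app gets nearly everything the host user has.
  viewer-weak:
    image: example/pdf-viewer:latest      # hypothetical image name
    privileged: true                      # all capabilities and host devices
    network_mode: host                    # shares the host network namespace
    volumes:
      - ${HOME}:/home/user                # whole home directory, read-write
      - /tmp/.X11-unix:/tmp/.X11-unix
    environment:
      - DISPLAY=${DISPLAY}

  # Hardened: the same app, limited to one folder and no network.
  viewer:
    image: example/pdf-viewer:latest      # hypothetical image name
    user: "1000:1000"                     # assumed UID/GID; never root
    read_only: true                       # root filesystem is immutable
    tmpfs:
      - /run                              # scratch space lives in memory only
      - /home/user/.cache
    cap_drop:
      - ALL                               # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true            # setuid binaries cannot escalate
    network_mode: none                    # no network interfaces except loopback
    pids_limit: 256                       # bounds fork bombs
    mem_limit: 1g
    volumes:
      # Only the folder with files to open, mounted read-only (assumed path).
      - ${HOME}/Documents/untrusted:/data:ro
      # X11 socket for the GUI. Any X client can observe other clients'
      # input, so this remains a shared channel with the rest of the desktop.
      # X authorization (e.g. an Xauthority cookie) is not configured here.
      - /tmp/.X11-unix:/tmp/.X11-unix
    environment:
      - DISPLAY=${DISPLAY}
```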

Warning!

Docker is not recommended as a security tool for process isolation, but it is easy to use and obviously provides some benefits.

Therefore, using VMs (e.g. with Vagrant) or a full solution like QubesOS is a stronger setup, but using this Docker setup is better than running apps without any isolation.

Learn more:

P.S. The above is similar to the Snapcraft approach, which you may experience e.g. in Ubuntu.

P.P.S. "Docker as a desktop" is a technically incorrect play on words. "As a desktop" is meant in the sense of running all of your apps in Docker; for such a setup you usually want to use a normal distro underneath. If you are interested in "docker on bare metal" => https://stackoverflow.com/q/20088835/544721 .

To make this short gist/note complete, I have to mention

Qubes OS:

https://www.qubes-os.org/

that allows you to seamlessly run apps in different VMs. Qubes OS makes it convenient to use them, as if they ran under one window manager / GUI! So it feels like one system, while you run multiple isolated ones underneath.

It allows great flexibility in isolating what has access to what, what is shared and what is isolated. Probably the most secure pick!

Vagrant is DRY / "infra as code" for VMs, etc.

So you can specify your VM in a Vagrantfile and run vagrant up to build it from a script!

You use a provider and a provisioner, and for each you have multiple options.

(if you want a Q&A: "What is the difference between a Vagrant Provider and a Vagrant Provisioner?")

Also, environments can be packaged into the Vagrant package format called "boxes":

To research:
