Last active
December 6, 2023 22:37
Makefile that shows how to run Windows apps from a Docker container on WSL2
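# Makefile example of how to run Windows tools from inside a Docker
# container on WSL2.
#
# The listing as captured carried a trailing " | |" on every line. On an
# assignment that residue becomes part of the value, so it is removed here.

# env_vars: given a list of variable names in $(1), return only the names
# whose $(origin) reports the environment.
env_vars = $(strip $(foreach name,$(1),$(if $(filter environment,$(origin $(name))),$(name))))

# Names of all environment-supplied variables that start with "WSL".
# $(sort) also removes duplicates. When this list is empty, the 'run' rule
# leaves out the WSL-specific mount, seccomp profile and --env options.
WSL_VARS := $(sort $(call env_vars,$(filter WSL%,$(.VARIABLES))))

# A literal comma, for use inside function arguments where a bare comma
# would be read as an argument separator.
comma := ,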
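#-----------------------------------------------------------------------------#

clean::
	rm -f seccomp-default.json seccomp-default.json.tmp
	rm -f seccomp-allow-sockets.json seccomp-allow-sockets.json.tmp

# This commit was the tip of 'master' when checked on 2023-Dec-06.
# Pinning a full commit hash (rather than a branch name) keeps the downloaded
# profile from changing underneath the patch that is applied to it.
MOBY_COMMIT := 891241e7e74d4aae6de5f6125574eb994f25e169

# Note: this seccomp profile is the one Docker uses by default when launching
# containers. Our intent is to patch it as lightly as possible.
#
# curl -f turns an HTTP error into a failed download instead of saving the
# error page. 'jq -e .' exits non-zero when it receives no JSON at all, which
# also catches a failed curl on the left side of the pipe (the shell would
# otherwise only look at jq's status). The output goes to a temporary name and
# is renamed only on success, so a failed download never leaves behind a
# target that make considers up to date.
seccomp-default.json:
	curl -fsS "https://raw.githubusercontent.com/moby/moby/$(MOBY_COMMIT)/profiles/seccomp/default.json" | jq -e . > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@

# Apply seccomp-perms.patch ($<) to the downloaded profile (the only .json
# prerequisite) and write the result to a separate file, leaving
# seccomp-default.json untouched. The patched file is checked to still be
# parseable JSON before it is moved into place, because this file is what the
# container's syscall filter is loaded from.
seccomp-allow-sockets.json: seccomp-perms.patch seccomp-default.json
	patch -o $@.tmp $(filter %.json,$^) $< && jq -e . $@.tmp > /dev/null || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@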
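#-----------------------------------------------------------------------------#

# 'run' names a command, not a file; without this declaration a file called
# 'run' in this directory could make the target look up to date.
.PHONY: run

# Start an interactive container and launch a Windows binary from it.
#
# When no WSL* variables are present in the environment (WSL_VARS is empty),
# the patched seccomp profile, the /run/WSL mount and the --env forwarding are
# all left out, and the container runs under Docker's default profile.
#
# NOTE(review): /mnt and $(HOME) are bind-mounted read-write and the container
# runs with the invoking user's uid:gid, so a process inside the container can
# read and modify everything that user can reach under those paths. Narrow the
# mounts, or add ",readonly" as on /etc/passwd and /etc/group, wherever the
# workload allows it.
# NOTE(review): the image is referenced as plain 'ubuntu', with no tag or
# digest, so which image runs depends on what the registry or local cache
# resolves that name to at the time.
#
# ${HOME} below is expanded by make (from the imported environment), while
# $$(id -u), $$(id -g) and $${...} are left for the shell.
run: $(if $(WSL_VARS),seccomp-allow-sockets.json,)
	$(strip docker run --rm -it \
		--mount type=bind,source=/mnt,target=/mnt \
		$(if $(WSL_VARS),--mount type=bind$(comma)source=/run/WSL$(comma)target=/run/WSL) \
		--mount type=bind,source=/etc/passwd,target=/etc/passwd,readonly \
		--mount type=bind,source=/etc/group,target=/etc/group,readonly \
		--mount "type=bind,source=${HOME},target=${HOME}" \
		--workdir "${HOME}" \
		-u $$(id -u):$$(id -g) \
		$(if $(WSL_VARS),--security-opt seccomp=seccomp-allow-sockets.json,) \
		$(foreach x,$(WSL_VARS),--env $x="$${$x}") \
		ubuntu \
		sh -c '/mnt/c/Windows/system32/notepad.exe' \
	)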
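#-----------------------------------------------------------------------------#

# This patch is applied against Docker's default seccomp profile, after the
# download rule has re-indented that profile with jq.
#
# The stock "socket" rule allows socket() only when argument 0 (the address
# family) is not 40, which is AF_VSOCK on Linux. The patch deletes that
# argument filter, so the resulting profile allows socket() for every address
# family; nothing else in the profile is touched. The result can be used with
# docker-run under WSL2 to allow your containers to launch Windows binaries.
# Very helpful from time to time.
#
# Because this widens the syscall filter, the 'run' rule only selects the
# patched profile when WSL* variables are present in the environment.
#
# NOTE(review): the captured listing had lost all leading whitespace. The
# indentation inside the hunk is reconstructed to match jq's default two-space
# output; confirm it against a freshly built seccomp-default.json.
define patch_contents
--- seccomp-default.json
+++ seccomp-allow-sockets.json
@@ -421,14 +421,7 @@
       "names": [
         "socket"
       ],
-      "action": "SCMP_ACT_ALLOW",
-      "args": [
-        {
-          "index": 0,
-          "value": 40,
-          "op": "SCMP_CMP_NE"
-        }
-      ]
+      "action": "SCMP_ACT_ALLOW"
     },
     {
       "names": [
endef

# $(\n) holds a single newline. The two blank lines are required: the newline
# directly before 'endef' is not part of the value.
define \n


endef

# Write the patch text to a file. Newlines in patch_contents are turned into
# the two characters '\n' so the recipe stays on one line. The text is passed
# as an argument to a fixed '%b\n' format, not used as the format itself, so
# a '%' in the patch body could never be read as a conversion.
seccomp-perms.patch:
	printf '%b\n' '$(subst $(\n),\n,$(patch_contents))' > $@

clean::
	rm -f seccomp-perms.patch

#-----------------------------------------------------------------------------#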