fcwu/docker-ubuntu-vnc-desktop (Ubuntu 18.04, 20.04)

https://github.com/fcwu/docker-ubuntu-vnc-desktop provides a convenient setup. That setup is not minimized. It would be good to minimize it. But I just don't have the time, and that one just works every time I try, so I tend to just use it. On the upside, because it is not minimized, it tends to test more complex programs you might actually to see that they are actually working through the infinitely many pitfalls of Docker. Also, since setups breaks on every guest/host update, a minimization would arguably only work for a limited period until you'd have to reminimize that project again.

要启动它，只需运行:

sudo docker run --name ubvnc -p 6080:80 -p 5900:5900 dorowu/ubuntu-desktop-lxde-vnc:focal

然后在主机上:

visit: http://127.0.0.1:6080/#/ which runs a noVNC more limited JavaScript VNC client run: sudo apt-get install tigervnc-viewer xtigervncviewer :5900 To go into fullscreen mode, hit F8 and click on menu entry, or just F8 followed by T: https://superuser.com/questions/285843/how-do-i-switch-in-out-of-fullscreen-mode-from-the-command-line-in-realvnc You might need to close and reopen the screen after that for the image to get larger. I also tried vinagre, but it was much laggier when scrolling Firefox on YouTube. Inside vinagre, you might want to go into full screen mode to be able to see the full desktop

要退出，只需杀死码头码头。并重新启动机器:

sudo docker start ubvnc

然后重新连接VNC。然后退出机器:

sudo docker stop ubvnc

您必须等待几秒钟，等待客户机上的VNC服务器启动，然后才能进行连接。

客人体内的铬不会从菜单开始。如果你试图从命令行启动它，它会解释为什么:

Running as root without --no-sandbox is not supported. See https://crbug.com/638180.

所以只需从CLI运行它:

chromium-browser --no-sandbox

然而，Firefox并不在意。

待办事项:没有音频。——device /dev/snd没有帮助:

如何在Mac OS Yosemite上的Docker容器中播放声音 https://forums.docker.com/t/how-to-get-sound/36527 https://github.com/fcwu/docker-ubuntu-vnc-desktop/issues/49

编辑:他们为它增加了一个部分:https://github.com/fcwu/docker-ubuntu-vnc-desktop/tree/e4922ce92f945fc482994b7a0fd95ca5de7295b3#sound-preview-version-and-linux-only

参见:

如何在Docker映像中打开Ubuntu GUI

测试:

Ubuntu 19.04主机，fcwu/docker-ubuntu-vnc-desktop, dorowu/ Ubuntu -desktop-lxde-vnc镜像id: 70516b87e92d。 Ubuntu 21.10主机:dorowu/ Ubuntu -desktop-lxde-vnc:focal (Ubuntu 20.04)

根据Jürgen Weigert的回答，我有一些改进:

docker build -t xeyes - << __EOF__
FROM debian
RUN apt-get update
RUN apt-get install -qqy x11-apps
ENV DISPLAY :0
CMD xeyes
__EOF__
XSOCK=/tmp/.X11-unix
XAUTH_DIR=/tmp/.docker.xauth
XAUTH=$XAUTH_DIR/.xauth
mkdir -p $XAUTH_DIR && touch $XAUTH
xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -
docker run -ti -v $XSOCK:$XSOCK -v $XAUTH_DIR:$XAUTH_DIR -e XAUTHORITY=$XAUTH xeyes

唯一的区别是它创建了一个目录$XAUTH_DIR，用于放置$XAUTH文件，并将$XAUTH_DIR目录而不是$XAUTH文件挂载到docker容器中。

这种方法的好处是你可以在/etc/rc.中写入命令在/tmp目录下创建一个名为$XAUTH_DIR的空文件夹，并将其模式更改为777。

tr '\n' '\000' < /etc/rc.local | sudo tee /etc/rc.local >/dev/null
sudo sed -i 's|\x00XAUTH_DIR=.*\x00\x00|\x00|' /etc/rc.local >/dev/null
tr '\000' '\n' < /etc/rc.local | sudo tee /etc/rc.local >/dev/null
sudo sed -i 's|^exit 0.*$|XAUTH_DIR=/tmp/.docker.xauth; rm -rf $XAUTH_DIR; install -m 777 -d $XAUTH_DIR\n\nexit 0|' /etc/rc.local

当系统重启时，在用户登录前，如果容器的重启策略为always, docker会自动挂载$XAUTH_DIR目录。用户登录后，可以在~/中写入命令。配置文件是创建$XAUTH文件，然后容器将自动使用这个$XAUTH文件。

tr '\n' '\000' < ~/.profile | sudo tee ~/.profile >/dev/null
sed -i 's|\x00XAUTH_DIR=.*-\x00|\x00|' ~/.profile
tr '\000' '\n' < ~/.profile | sudo tee ~/.profile >/dev/null
echo "XAUTH_DIR=/tmp/.docker.xauth; XAUTH=\$XAUTH_DIR/.xauth; touch \$XAUTH; xauth nlist \$DISPLAY | sed -e 's/^..../ffff/' | xauth -f \$XAUTH nmerge -" >> ~/.profile

毕竟，容器将在每次系统重新启动和用户登录时自动获取Xauthority文件。

我刚刚发现了这篇博客，想在这里与你们分享，因为我认为这是最好的方法，而且很简单。

http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/

优点: + docker容器中没有x服务器的东西 +不需要VNC客户端/服务器 + SSH不支持x转发 +更小的docker容器

缺点: 在主机上使用x(不是为了安全沙箱)

以防链接有一天会失败，我把最重要的部分放在这里: dockerfile:

FROM ubuntu:14.04

RUN apt-get update && apt-get install -y firefox

# Replace 1000 with your user / group id
RUN export uid=1000 gid=1000 && \
    mkdir -p /home/developer && \
    echo "developer:x:${uid}:${gid}:Developer,,,:/home/developer:/bin/bash" >> /etc/passwd && \
    echo "developer:x:${uid}:" >> /etc/group && \
    echo "developer ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/developer && \
    chmod 0440 /etc/sudoers.d/developer && \
    chown ${uid}:${gid} -R /home/developer

USER developer
ENV HOME /home/developer
CMD /usr/bin/firefox

构建映像:

docker build -t firefox .

run命令:

docker run -ti --rm \
   -e DISPLAY=$DISPLAY \
   -v /tmp/.X11-unix:/tmp/.X11-unix \
   firefox

当然，你也可以在运行命令中使用sh -c "echo script-here"

提示:音频请查看:https://stackoverflow.com/a/28985715/2835523

OSX

Jürgen Weigert有最好的答案，在Ubuntu上为我工作，然而在OSX上，docker运行在VirtualBox内部，所以解决方案没有更多的工作就不能工作。

我让它和这些额外的配料一起工作:

Xquartz (OSX不再随X11服务器发货) 使用socat进行Socket转发 Bash脚本启动容器

我很感激用户的评论来改善OSX的这个答案，我不确定套接字转发X是否安全，但我的预期用途是只在本地运行docker容器。

此外，该脚本有点脆弱，因为它不容易获得机器的IP地址，因为它是在我们的本地无线，所以它总是一些随机的IP。

我用来启动容器的BASH脚本:

#!/usr/bin/env bash

CONTAINER=py3:2016-03-23-rc3
COMMAND=/bin/bash
NIC=en0

# Grab the ip address of this box
IPADDR=$(ifconfig $NIC | grep "inet " | awk '{print $2}')

DISP_NUM=$(jot -r 1 100 200)  # random display number between 100 and 200

PORT_NUM=$((6000 + DISP_NUM)) # so multiple instances of the container won't interfer with eachother

socat TCP-LISTEN:${PORT_NUM},reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\" 2>&1 > /dev/null &

XSOCK=/tmp/.X11-unix
XAUTH=/tmp/.docker.xauth.$USER.$$
touch $XAUTH
xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -

docker run \
    -it \
    --rm \
    --user=$USER \
    --workdir="/Users/$USER" \
    -v "/Users/$USER:/home/$USER:rw" \
    -v $XSOCK:$XSOCK:rw \
    -v $XAUTH:$XAUTH:rw \
    -e DISPLAY=$IPADDR:$DISP_NUM \
    -e XAUTHORITY=$XAUTH \
    $CONTAINER \
    $COMMAND

rm -f $XAUTH
kill %1       # kill the socat job launched above

我能够让xeyes和matplotlib使用这种方法工作。

Windows 7 +。

在Windows 7+上使用MobaXterm更容易一些:

为windows安装MobaXterm 开始MobaXterm 配置X服务器:“设置”—“> X11 (tab)”—“> X11远程访问”设置为“full” 使用这个BASH脚本启动容器

run_docker.bash:

#!/usr/bin/env bash

CONTAINER=py3:2016-03-23-rc3
COMMAND=/bin/bash
DISPLAY="$(hostname):0"
USER=$(whoami)

docker run \
    -it \
    --rm \
    --user=$USER \
    --workdir="/home/$USER" \
    -v "/c/Users/$USER:/home/$USER:rw" \
    -e DISPLAY \
    $CONTAINER \
    $COMMAND

共享主机显示:0，正如在其他一些回答中所述，有两个缺点:

由于某些X安全漏洞，它打破了容器隔离。例如，可以使用xev或xinput进行键盘记录，使用xdotool远程控制主机应用程序。 由于X扩展MIT-SHM缺少共享内存，应用程序可能会出现呈现故障和糟糕的RAM访问错误。(也可以通过隔离降级选项——ipc=host进行修复)。

下面是一个在Xephyr中运行docker映像的示例脚本，可以解决这个问题。

当docker应用程序运行在嵌套的X服务器上时，它避免了X安全泄漏。 MIT-SHM关闭，避免RAM访问失败。 容器安全性通过——cap-drop ALL——security-opt no-new-privileges得到改进。容器用户也不是root用户。 创建一个X cookie来限制对Xephyr显示的访问。

脚本需要一些参数，第一个是在Xephyr中运行的主机窗口管理器，第二个是docker映像，第三个是可选的 要执行的映像命令。 要在docker中运行桌面环境，请使用“:”而不是主机窗口管理器。

关闭Xephyr窗口将终止docker容器应用程序。终止停靠的应用程序关闭Xephyr窗口。

例子:

x11docker/lxde pcmanfm . xphyrdocker "openbox——sm-disable Xephyrdocker: x11docker/lxde Xephyrdocker xfwm4——device /dev/snd jess/nes /games/zelda.rom

xephyrdocker script:

#! /bin/bash
#
# Xephyrdocker:     Example script to run docker GUI applications in Xephyr.
#
# Usage:
#   Xephyrdocker WINDOWMANAGER DOCKERIMAGE [IMAGECOMMAND [ARGS]]
#
# WINDOWMANAGER     host window manager for use with single GUI applications.
#                   To run without window manager from host, use ":"
# DOCKERIMAGE       docker image containing GUI applications or a desktop
# IMAGECOMMAND      command to run in image
#
Windowmanager="$1" && shift
Dockerimage="$*"

# Container user
Useruid=$(id -u)
Usergid=$(id -g)
Username="$(id -un)"
[ "$Useruid" = "0" ] && Useruid=1000 && Usergid=1000 && Username="user$Useruid"

# Find free display number
for ((Newdisplaynumber=1 ; Newdisplaynumber <= 100 ; Newdisplaynumber++)) ; do
  [ -e /tmp/.X11-unix/X$Newdisplaynumber ] || break
done
Newxsocket=/tmp/.X11-unix/X$Newdisplaynumber

# cache folder and files
Cachefolder=/tmp/Xephyrdocker_X$Newdisplaynumber
[ -e "$Cachefolder" ] && rm -R "$Cachefolder"
mkdir -p $Cachefolder
Xclientcookie=$Cachefolder/Xcookie.client
Xservercookie=$Cachefolder/Xcookie.server
Xinitrc=$Cachefolder/xinitrc
Etcpasswd=$Cachefolder/passwd

# command to run docker
# --rm                               created container will be discarded.
# -e DISPLAY=$Newdisplay             set environment variable to new display
# -e XAUTHORITY=/Xcookie             set environment variable XAUTHORITY to provided cookie
# -v $Xclientcookie:/Xcookie:ro      provide cookie file to container
# -v $NewXsocket:$NewXsocket:ro      Share new X socket of Xephyr
# --user $Useruid:$Usergid           Security: avoid root in container
# -v $Etcpasswd:/etc/passwd:ro       /etc/passwd file with user entry
# --group-add audio                  Allow access to /dev/snd if shared with '--device /dev/snd' 
# --cap-drop ALL                     Security: disable needless capabilities
# --security-opt no-new-privileges   Security: forbid new privileges
Dockercommand="docker run --rm \
  -e DISPLAY=:$Newdisplaynumber \
  -e XAUTHORITY=/Xcookie \
  -v $Xclientcookie:/Xcookie:ro \
  -v $Newxsocket:$Newxsocket:rw \
  --user $Useruid:$Usergid \
  -v $Etcpasswd:/etc/passwd:ro \
  --group-add audio \
  --env HOME=/tmp \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  $(command -v docker-init >/dev/null && echo --init) \
  $Dockerimage"

echo "docker command: 
$Dockercommand
"

# command to run Xorg or Xephyr
# /usr/bin/Xephyr                an absolute path to X server executable must be given for xinit
# :$Newdisplaynumber             first argument has to be new display
# -auth $Xservercookie           path to cookie file for X server. Must be different from cookie file of client, not sure why
# -extension MIT-SHM             disable MIT-SHM to avoid rendering glitches and bad RAM access (+ instead of - enables it)
# -nolisten tcp                  disable tcp connections for security reasons
# -retro                         nice retro look
Xcommand="/usr/bin/Xephyr :$Newdisplaynumber \
  -auth $Xservercookie \
  -extension MIT-SHM \
  -nolisten tcp \
  -screen 1000x750x24 \
  -retro"

echo "X server command:
$Xcommand
"

# create /etc/passwd with unprivileged user
echo "root:x:0:0:root:/root:/bin/sh" >$Etcpasswd
echo "$Username:x:$Useruid:$Usergid:$Username,,,:/tmp:/bin/sh" >> $Etcpasswd

# create xinitrc
{ echo "#! /bin/bash"

  echo "# set environment variables to new display and new cookie"
  echo "export DISPLAY=:$Newdisplaynumber"
  echo "export XAUTHORITY=$Xclientcookie"

  echo "# same keyboard layout as on host"
  echo "echo '$(setxkbmap -display $DISPLAY -print)' | xkbcomp - :$Newdisplaynumber"

  echo "# create new XAUTHORITY cookie file" 
  echo ":> $Xclientcookie"
  echo "xauth add :$Newdisplaynumber . $(mcookie)"
  echo "# create prepared cookie with localhost identification disabled by ffff,"
  echo "# needed if X socket is shared instead connecting over tcp. ffff means 'familiy wild'"
  echo 'Cookie=$(xauth nlist '":$Newdisplaynumber | sed -e 's/^..../ffff/')" 
  echo 'echo $Cookie | xauth -f '$Xclientcookie' nmerge -'
  echo "cp $Xclientcookie $Xservercookie"
  echo "chmod 644 $Xclientcookie"

  echo "# run window manager in Xephyr"
  echo $Windowmanager' & Windowmanagerpid=$!'

  echo "# show docker log"
  echo 'tail --retry -n +1 -F '$Dockerlogfile' 2>/dev/null & Tailpid=$!'

  echo "# run docker"
  echo "$Dockercommand"
} > $Xinitrc

xinit  $Xinitrc -- $Xcommand
rm -Rf $Cachefolder

这个脚本在x11docker wiki上维护。 更高级的脚本是x11docker，它还支持GPU加速、网络摄像头和打印机共享等功能。

我通过以下步骤从USB摄像头使用opencv在docker中运行视频流:

Let docker access the X server xhost +local:docker Create the X11 Unix socket and the X authentication file XSOCK=/tmp/.X11-unix XAUTH=/tmp/.docker.xauth Add proper permissions xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge - Set the Qt rendering speed to "native", so it doesn't bypass the X11 rendering engine export QT_GRAPHICSSYSTEM=native Tell Qt to not use MIT-SHM (shared memory) - that way it should be also safer security-wise export QT_X11_NO_MITSHM=1 Update the docker run command docker run -it \ -e DISPLAY=$DISPLAY \ -e XAUTHORITY=$XAUTH \ -v $XSOCK:$XSOCK \ -v $XAUTH:$XAUTH \ --runtime=nvidia \ --device=/dev/video0:/dev/video0 \ nvcr.io/nvidia/pytorch:19.10-py3

注意:当你完成项目时，返回默认值的访问控制- xhost -local:docker

更多细节:使用GUI的Docker

图片来源:使用Tensorflow、OpenCV和Docker进行实时和视频处理对象检测