Tag: Firefox

apache in docker to serve local website

I have some backups of websites on my laptop which I occasionally want to view. I could have set up Apache to serve them directly with a VirtualHost or an Alias, but I wanted a cleaner solution, so Docker comes to the rescue.

First, I installed fedora-dockerfiles and then made some modifications to its Apache example. Here is what I did:

sudo yum install fedora-dockerfiles

After this is done, go to /usr/share/fedora-dockerfiles/apache and make some modifications to the Dockerfile. After the modifications, the file looks like this:

FROM fedora
MAINTAINER "Scott Collier" <[email protected]>

RUN yum -y update; yum clean all
RUN yum -y install httpd; yum clean all
RUN echo "Apache" >> /var/www/html/index.html

EXPOSE 80

# Simple startup script to avoid some issues observed with container restart
ADD run-apache.sh /run-apache.sh
ADD php.conf /etc/httpd/conf.d/php.conf
RUN chmod -v +x /run-apache.sh
RUN yum -y install php

CMD ["/run-apache.sh"]

Now copy the php.conf file to the current directory:

sudo cp /etc/httpd/conf.d/php.conf .

# Build the docker image
docker build --rm -t apache .

# and then quickly test the image like this:
docker run -t -i --rm -p 80:80 apache

# open the site in firefox
firefox -new-tab http://localhost

Once you see that the container is running fine, it is time to create a script that does this for your desired directory.
I always have ~/bin in $PATH, so I created ~/bin/docker.sh with the following contents:

#!/bin/bash -
#===============================================================================
#
#          FILE: docker_firefox.sh
#
#         USAGE: ./docker_firefox.sh
#
#   DESCRIPTION: Serve a local website backup from the apache container and open it in Firefox
#
#       OPTIONS: ---
#  REQUIREMENTS: docker, the "apache" image built above, firefox
#          BUGS: ---
#         NOTES: ---
#        AUTHOR: Amit Agarwal (aka)
#      REVISION:  ---
#===============================================================================

# Directory with the website content; it is bind-mounted read-only into the container.
dir="your/desired/directory/with/content/for/website"
echo "Run Ubu website:::"
CID=$(docker run -d -p 80:80 -v "$dir:/var/www/html:ro" apache)
echo "docker CID is $CID"
firefox -new-tab http://localhost/index.php

After this, time to test:

Just run the script and you should see the contents of that directory in your browser.
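A stricter variant of that wrapper, added here as an example and not part of the original post: it refuses to serve a directory that has no index file and publishes the container on the loopback interface only, so a site backup is not reachable from the rest of the network. The image name apache comes from the post; the default port 8080 and the loopback binding are choices made here.

```shell
#!/bin/bash
# Added example: a stricter version of ~/bin/docker.sh (not the original post's script).
# Assumes the "apache" image built above; port 8080 and the 127.0.0.1 binding are assumptions.
set -eu

# Accept only an existing directory that actually contains a site entry point.
site_dir_ok() {
    local d=$1
    [ -d "$d" ] || return 1
    [ -f "$d/index.html" ] || [ -f "$d/index.php" ]
}

# Compose the docker arguments as text so the exact command can be reviewed (and tested)
# before anything is started. -p 127.0.0.1:PORT:80 keeps the backup off every other
# interface; :ro makes the bind mount read-only so a compromised httpd cannot alter it.
docker_args() {
    local d=$1 port=${2:-8080}
    printf 'run -d -p 127.0.0.1:%s:80 -v %s:/var/www/html:ro apache' "$port" "$d"
}

serve_site() {
    local d=$1 port=${2:-8080} cid
    site_dir_ok "$d" || { echo "refusing to serve '$d': no index.html/index.php" >&2; return 1; }
    # word-splitting of docker_args output is intended (paths without spaces assumed)
    cid=$(docker $(docker_args "$d" "$port"))
    echo "container $cid serving $d on http://127.0.0.1:$port/"
    firefox -new-tab "http://127.0.0.1:$port/"
}

# Only act when invoked with a directory, e.g. ./docker.sh ~/backups/site1 8080
if [ $# -ge 1 ]; then
    serve_site "$@"
fi
```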

Sandbox Firefox – First step to security

First we will set up a cgroup to limit CPU and memory usage, so here we go:

Add the following configuration in /etc/cgconfig.conf:

#------start cgconfig----------------
# new group
group firefox {
    perm {
        task {
            # use your login id and group here, so that you can control this group
            uid = amitag;
            gid = amitag;
        }
        admin {
            # same as above, set to your login id and group.
            uid = amitag;
            gid = amitag;
        }
    }
    # set the limits for cpu: by default there are 1024 shares of cpu with no other groups,
    # so a share of 102 would be around 10%.
    cpu {
        cpu.shares="102";
    }
    # limit the cpus to be used to only 0-1
    cpuset {
        cpuset.cpus=0-1;
        cpuset.mems=0;
    }
    # limit the maximum memory to 700Mb.
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}
#------end cgconfig----------------

Now, we will configure the cgred service:

For this we will add a few lines in /etc/cgrules.conf:

#------start cgrules.conf----------------
amitag:firefox cpu,memory   firefox
#------end cgrules.conf----------------

The above will allow cgred to ensure that whenever you start firefox, it is put in the firefox group for user amitag, so you would need to change amitag to your username here. Now, the fun part. I know how to do this only on Fedora (I guess it can be done with AppArmor on Ubuntu, but I don't know how). We will make a container for the firefox browser so that it cannot access any files from

#------start firefox_sandbox----------------
# If you are getting errors in audit logs, then you may need to do chcon
# chcon -R -t bin_t /home/amitag/Downloads/fedora/Firefox/firefox/
cmd=firefox

# Build the list of files that "sandbox -I" copies into the sandbox's temporary home directory.
find ~/.mozilla -type f >/tmp/ffiles.sbox
find ~/.fluxbox -type f >>/tmp/ffiles.sbox
find ~/GNUstep -type f >>/tmp/ffiles.sbox
find ~/.bash.d/ -type f >>/tmp/ffiles.sbox
find ~/.ssh/ -type f >>/tmp/ffiles.sbox
echo "$HOME/.bashrc" >>/tmp/ffiles.sbox

# This is what does the magic: run firefox inside the firefox cgroup and the SELinux sandbox_web_t sandbox.
cgexec --sticky -g cpu,memory,cpuset:firefox sandbox -X -w 1024x768 -W fluxbox -t sandbox_web_t -I /tmp/ffiles.sbox $cmd &
#------end firefox_sandbox----------------

Note: On Fedora, I needed the following packages; not sure about Ubuntu:

  • libcgroup-tools
  • policycoreutils-python
  • fluxbox

cgroups – use to control your cpu and memory

cgroups is a kernel feature, and with the userspace utilities we can use it to control the CPU and memory per process. So, let's first install the required tools:

sudo yum install libcgroup-tools

Now, we need to enable the service.

sudo systemctl enable cgconfig.service
sudo systemctl enable cgred.service

cgconfig.service applies the cgroup configuration, and
cgred.service places processes into cgroups depending on their name.

Now, we will need to configure the cgroups and the groups for the processes. So, let's open up the configuration files and do some configuration:

Here we will use firefox as the group name and as the example process, restricting its memory to 700Mb and its CPU to 10%. Since we do not have any other group configured right now, the maximum is 1024 shares, so 100 shares would be around 10%.

First, open up the /etc/cgconfig.conf file and add the following. You would need to fill in your username and group below.

group firefox {
    perm {
        task {
            uid = ;
            gid = ;
        }
        admin {
            uid = ;
            gid = ;
        }
    }

    cpu {
        cpu.shares="102";
    }
    cpuset {
        cpuset.cpus=0;
        cpuset.mems=0;
    }
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}

Now, we edit the /etc/cgrules.conf file and add the following:

:sandbox cpu,memory firefox
::firefox cpu,memory firefox

All done. Now, time to test.

First restart the services.

sudo systemctl restart cgconfig.service
sudo systemctl restart cgred.service

Check if the cgroup is created. Go to the directory

/sys/fs/cgroup/memory or /sys/fs/cgroup/cpu

and check that the directory firefox exists.

Note: You can run the mount command to see where your cgroups are mounted.

Now, start firefox, find its pid and check the file /proc//cgroup; you should see something like this:

11:hugetlb:/
10:perf_event:/
9:blkio:/
8:net_cls:/
7:freezer:/
6:devices:/
5:memory:/firefox
4:cpuacct,cpu:/firefox
3:cpuset:/
2:name=systemd:/user.slice/user-1000.slice/session-1.scope

and this is it.
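To confirm the confinement without reading /proc by eye, here is a small check added as an example (not from the original post): it parses the /proc/<pid>/cgroup text shown above, verifies that the cpu and memory controllers both sit under /firefox, and reads back the memory limit from the cgroup filesystem. The sample text is the listing from this post; the cgroup root is a parameter so the check can also be run against a constructed directory.

```shell
#!/bin/bash
# Added example, not part of the original post: verify that a process really landed in the
# "firefox" cgroup and that the 700M memory limit is in force.
set -eu

# Print the cgroup path recorded for controller $2 in the /proc/<pid>/cgroup text $1.
# Lines look like "4:cpuacct,cpu:/firefox": the second field may list several controllers.
cgroup_path_of() {
    printf '%s\n' "$1" | awk -F: -v c="$2" '
        { n = split($2, cs, ","); for (i = 1; i <= n; i++) if (cs[i] == c) { print $3; exit } }'
}

# Succeed only if every controller in the comma list $3 maps to /<group> ($2).
check_confined() {
    local text=$1 group=$2 ctl p
    for ctl in $(printf '%s' "$3" | tr ',' ' '); do
        p=$(cgroup_path_of "$text" "$ctl")
        if [ "$p" != "/$group" ]; then
            echo "$ctl controller is in '${p:-<none>}', not /$group" >&2
            return 1
        fi
    done
}

# Read memory.limit_in_bytes for group $2 under cgroup root $1 (normally /sys/fs/cgroup).
memory_limit_of() {
    cat "$1/memory/$2/memory.limit_in_bytes"
}

# Constructed sample: the /proc/<pid>/cgroup listing shown in the post, plus a variant
# where memory was left in the root cgroup (what you see when cgred is not running).
SAMPLE_OK='11:hugetlb:/
10:perf_event:/
9:blkio:/
8:net_cls:/
7:freezer:/
6:devices:/
5:memory:/firefox
4:cpuacct,cpu:/firefox
3:cpuset:/
2:name=systemd:/user.slice/user-1000.slice/session-1.scope'
SAMPLE_ESCAPED=$(printf '%s\n' "$SAMPLE_OK" | sed 's#^5:memory:/firefox$#5:memory:/#')

# Live usage: ./check_cgroup.sh <pid of firefox>
if [ $# -ge 1 ]; then
    check_confined "$(cat "/proc/$1/cgroup")" firefox cpu,memory && memory_limit_of /sys/fs/cgroup firefox
fi
```

With the 700M limit from cgconfig.conf, memory_limit_of prints 734003200 (700 x 1024 x 1024).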
