25 comments

[ 2.9 ms ] story [ 44.9 ms ] thread
I really want to try this, but I'm a little hesitant with the --privileged flag. Sounds like this is pretty much giving root access to the container? (https://stackoverflow.com/questions/36425230/privileged-cont...)

Could someone (or OP) enlighten me on what requires this flag? I thought the container would also get access to the anbox kernel modules that I have installed already.

The author of aind is here.

--privileged is required for nesting an Anbox (LXC) inside Docker. But you don't need to worry too much because Anbox launches "unprivileged" LXC using user namespaces. You can confirm that all Android process are running as non-root users by executing `docker exec aind ps -ef`.

Ah gotcha, thanks for replying. I spun up a copy on a disposable machine and I was able to VNC into the container and everything. I like the window manager that's installed on it. Seems lightweight. Looking forward to exploring this tool!
But docker runs still with root privileges (or your user must be in the docker group, which is equivalent to root - so is also in the official documentation explained)
Right I get that, it's because the docker daemon needs root access to do its management stuff. But as far as running random "bad things" off docker hub, I always assume it's going to be fenced off. Like by default, the containers cannot read external files or open up host ports, etc. But with --privileged I guess it can do anything.

I'm a big fan of people supplying pre-built docker images because it lets me try out their software in what I assume to be a sandbox. I'm a little less wary when it comes to docker -- almost to the point of being nonchalant, running random images willy-nilly without digging into the source code even a tiny bit. Granted, that behavior is probably gonna bite me in the ass one day. But it's definitely better than the `curl http://example.com | bash -` and `sudo make install` patterns.

Whenever I see someone's instructions telling me to use `docker --network=host` or `docker --privileged`, I can't help but panic a little... "Am I going to regret running this developer's code as root on my machine?" A little justification from the OP eases my mind, that's all. Which he did :)

I think you're putting too much faith in the security of docker... It is only superficially secure, and any real evil software can break out of it since the attack surface is huuuge (every loaded kernel driver).
Docker has a number of security layers that can make breakout more challenging, specifically dropped capabilities, a seccomp filter and (on debian/ubuntu) an AppArmor profile installed.

I wouldn't agree that it's trivially possible to breakout of a default configured Docker container, not every attacker is packing a Linux Privesc 0-day and the knowledge to use it.

It's telling that user namespaces (remapping uid 0 to another hodt uid) aren't used by default.
repeat after me - "there are no isolation boundaries with containers" "containers are insecure"

Containers are broken by default because they share a kernel. If you want to use a container to have a replicable build environment fine - but for operational use in the context of "being secure" - no no no no.

The user who runs the docker command can indeed always get root (with a default install, assuming you're not using rootless) but the process inside the container isn't going to necessarily breakout.

That's why --privileged is generally a bad idea, unless you really need it, as it removes the isolation that Docker adds.

Could this be used to test android apps in CI? Where traditionally you run up against nested virt problems (in aws).

Not mentioned as a purpose..

That was my first thought. Very curious to find out how it would compare to Testlab virtual machines.
I haven't tested, but if UI automator stuff works with Anbox, it should work with aind as well.

I can add it to the scope of the project if it works.

What's the advantage compared to just using Anbox?
Anbox is for desktop, aind is for cloud (and edge).

The biggest advantage of running Android on cloud/edge I think is anti-theft.

Also, it will be soon able to run multiple aind pods on Kubernetes with distinct UID mappings. (I need to submit patches to Anbox upstream)

> The biggest advantage of running Android on cloud/edge I think is anti-theft.

what is this anti-theft? What's being stolen?

Maybe:

Someone steals your smartphone now -> they've got everything , and a smartphone

vs

Someone steals your clouded smartphone -> they've got an empty smartphone and no data.

Making your phone a thin client makes you completely dependent on network; that's a significant tradeoff.
This is a very, very, very bad idea. Just encrypt your phone with a strong passcode and backup regularly. Making your phone entirely dependent on a strong internet connection is a recipe for a bad time.
I agree that the phone should be encrypted (in conjunction with aind), but people are likely to set weak passcode like "1234" (or finger pattern) because they want to open email/phone/twitter/maps/payment apps in a few seconds.

aind is expected to be used only for sensitive apps, with more strong passcode.

a hardware phone whose OS is running in the cloud? that sounds pretty bandwidth-heavy on the LTE network.