From 0eff17022330290da845d38c75f7d8259e80f9a7 Mon Sep 17 00:00:00 2001 From: thelamer Date: Sat, 19 Jul 2025 14:23:22 -0400 Subject: [PATCH] selkies branch --- Dockerfile | 9 ++- Dockerfile.aarch64 | 9 ++- Jenkinsfile | 4 +- README.md | 158 ++++++++++++++++++++++++++++++++++++++------- jenkins-vars.yml | 4 +- readme-vars.yml | 96 ++------------------------- 6 files changed, 159 insertions(+), 121 deletions(-) diff --git a/Dockerfile b/Dockerfile index 07cbab4..3cd1c8e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-kasmvnc:debianbookworm +FROM ghcr.io/linuxserver/baseimage-selkies:debianbookworm # set version label ARG BUILD_DATE @@ -13,13 +13,18 @@ LABEL maintainer="thelamer" ENV TITLE=Altus RUN \ + echo "**** add icon ****" && \ + curl -o \ + /usr/share/selkies/www/icon.png \ + https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/altus-logo.png && \ echo "**** install packages ****" && \ apt-get update && \ DEBIAN_FRONTEND=noninteractive \ apt-get install --no-install-recommends -y \ libatk1.0-0 \ libatk-bridge2.0-0 \ - libgtk-3-0 && \ + libgtk-3-0 \ + libnss3 && \ echo "**** install altus studio from appimage ****" && \ if [ -z "${ALTUS_VERSION+x}" ]; then \ ALTUS_VERSION=$(curl -sX GET "https://api.github.com/repos/amanharwara/altus/releases/latest" \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 0278c92..1b04340 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -33,7 +33,7 @@ RUN \ ln -s /opt/altus/Altus /opt/altus/altus # runtime stage -FROM ghcr.io/linuxserver/baseimage-kasmvnc:arm64v8-debianbookworm +FROM ghcr.io/linuxserver/baseimage-selkies:arm64v8-debianbookworm # set version label ARG BUILD_DATE 
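Review bot: The new `curl -o /usr/share/selkies/www/icon.png https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/altus-logo.png` in the `**** add icon ****` step runs without `-f`, so an HTTP error response (404, or a rate-limit/error page) still exits 0, its body is written to icon.png, and the `&&` chain and the image build carry on as if the download succeeded. It also fetches from the mutable `master` ref with no pinned revision or checksum, so image content can change between builds with no change to the Dockerfile; an icon is low risk, but the pattern is the same one that becomes a supply-chain gap when applied to anything executable. Suggest `curl -fsSL -o /usr/share/selkies/www/icon.png https://raw.githubusercontent.com/linuxserver/docker-templates/<commit-sha>/linuxserver.io/img/altus-logo.png`, or if the asset must stay unpinned, at least a `test -s` on the file so a bad fetch fails the build. The RUN step this hunk modifies continues past the end of the hunk.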
@@ -48,13 +48,18 @@ ENV TITLE=Altus COPY --from=build-stage /opt/altus /opt/altus RUN \ + echo "**** add icon ****" && \ + curl -o \ + /usr/share/selkies/www/icon.png \ + https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/altus-logo.png && \ echo "**** install packages ****" && \ apt-get update && \ DEBIAN_FRONTEND=noninteractive \ apt-get install --no-install-recommends -y \ libatk1.0-0 \ libatk-bridge2.0-0 \ - libgtk-3-0 && \ + libgtk-3-0 \ + libnss3 && \ sed -i 's|| \n yes\n \n|' /etc/xdg/openbox/rc.xml && \ printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \ echo "**** cleanup ****" && \ diff --git a/Jenkinsfile b/Jenkinsfile index 047428b..c90bb92 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -32,8 +32,8 @@ pipeline { MULTIARCH = 'true' CI = 'true' CI_WEB = 'true' - CI_PORT = '3000' - CI_SSL = 'false' + CI_PORT = '3001' + CI_SSL = 'true' CI_DELAY = '120' CI_DOCKERENV = '' CI_AUTH = '' diff --git a/README.md b/README.md index a56b56f..a44cf5a 100644 --- a/README.md +++ b/README.md 
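Review bot: The identical unchecked `curl -o ... icon.png` fetch added in this `**** add icon ****` step has no `-f`, so a failed download leaves an HTML or empty icon.png in the arm64 image and the RUN chain, which only stops on a non-zero exit, proceeds to the `sed`, `printf` and cleanup steps as though it succeeded. Since this Dockerfile and the amd64 one now carry the same download line, consider `curl -fsSL -o /usr/share/selkies/www/icon.png <url pinned to a commit SHA rather than master>` in both, or `COPY` the icon in from the build context so the runtime stage does not depend on network availability or an unpinned upstream ref at all. The RUN step continues beyond the end of this hunk.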
@@ -58,38 +58,151 @@ The architectures supported by this image are: The application can be accessed at: -* http://yourhost:3000/ * https://yourhost:3001/ -### Options in all KasmVNC based GUI containers +### Strict reverse proxies -This container is based on [Docker Baseimage KasmVNC](https://github.com/linuxserver/docker-baseimage-kasmvnc) which means there are additional environment variables and run configurations to enable or disable specific functionality. +This image uses a self-signed certificate by default. This naturally means the scheme is `https`. +If you are using a reverse proxy which validates certificates, you need to [disable this check for the container](https://docs.linuxserver.io/faq#strict-proxy). -#### Optional environment variables +**Modern GUI desktop apps may have compatibility issues with the latest Docker syscall restrictions. You can use Docker with the `--security-opt seccomp=unconfined` setting to allow these syscalls on hosts with older Kernels or libseccomp versions.** + +### Security + +>[!WARNING] +>This container provides privileged access to the host system. Do not expose it to the Internet unless you have secured it properly. + +**HTTPS is required for full functionality.** Modern browser features such as WebCodecs, used for video and audio, will not function over an insecure HTTP connection. + +By default, this container has no authentication. The optional `CUSTOM_USER` and `PASSWORD` environment variables enable basic HTTP auth, which is suitable only for securing the container on a trusted local network. For internet exposure, we strongly recommend placing the container behind a reverse proxy, such as [SWAG](https://github.com/linuxserver/docker-swag), with a robust authentication mechanism. + +The web interface includes a terminal with passwordless `sudo` access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network. 
+ +### Options in all Selkies-based GUI containers + +This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies), which provides the following environment variables and run configurations to customize its functionality. + +#### Optional Environment Variables | Variable | Description | | :----: | --- | -| CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. | -| CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. | -| CUSTOM_USER | HTTP Basic auth username, abc is default. | -| PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth | -| SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` | -| TITLE | The page title displayed on the web browser, default "KasmVNC Client". | -| FM_HOME | This is the home directory (landing) for the file manager, default "/config". | -| START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. | -| DRINODE | If mounting in /dev/dri for [DRI3 GPU Acceleration](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html) allows you to specify the device to use IE `/dev/dri/renderD128` | - -#### Optional run configurations +| `CUSTOM_PORT` | Internal HTTP port. Defaults to `3000`. | +| `CUSTOM_HTTPS_PORT` | Internal HTTPS port. Defaults to `3001`. | +| `CUSTOM_USER` | Username for HTTP Basic Auth. Defaults to `abc`. | +| `PASSWORD` | Password for HTTP Basic Auth. If unset, authentication is disabled. | +| `SUBFOLDER` | Application subfolder for reverse proxy configurations. Must include leading and trailing slashes, e.g., `/subfolder/`. | +| `TITLE` | Page title displayed in the web browser. Defaults to "Selkies". 
| +| `START_DOCKER` | If set to `false`, the privileged Docker-in-Docker setup will not start automatically. | +| `DISABLE_IPV6` | Set to `true` to disable IPv6 support in the container. | +| `LC_ALL` | Sets the container's locale, e.g., `fr_FR.UTF-8`. | +| `DRINODE` | If mounting in /dev/dri for DRI3 GPU Acceleration allows you to specify the device to use IE `/dev/dri/renderD128` | +| `NO_DECOR` | If set, applications will run without window borders, suitable for PWA usage. | +| `NO_FULL` | If set, applications will not be automatically fullscreened. | +| `DISABLE_ZINK` | If set, Zink-related environment variables will not be configured when a video card is detected. | +| `WATERMARK_PNG` | Full path to a watermark PNG file inside the container, e.g., `/usr/share/selkies/www/icon.png`. | +| `WATERMARK_LOCATION` | Integer specifying the watermark location: `1` (Top Left), `2` (Top Right), `3` (Bottom Left), `4` (Bottom Right), `5` (Centered), `6` (Animated). | + +#### Optional Run Configurations + +| Argument | Description | +| :----: | --- | +| `--privileged` | Starts a Docker-in-Docker (DinD) environment. For better performance, mount the Docker data directory from the host, e.g., `-v /path/to/docker-data:/var/lib/docker`. | +| `-v /var/run/docker.sock:/var/run/docker.sock` | Mounts the host's Docker socket to manage host containers from within this container. | +| `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated applications. Only **Open Source** drivers are supported IE (Intel,AMDGPU,Radeon,ATI,Nouveau) | -| Variable | Description | +### Language Support - Internationalization + +To launch the desktop session in a different language, set the `LC_ALL` environment variable. 
For example: + +* `-e LC_ALL=zh_CN.UTF-8` - Chinese +* `-e LC_ALL=ja_JP.UTF-8` - Japanese +* `-e LC_ALL=ko_KR.UTF-8` - Korean +* `-e LC_ALL=ar_AE.UTF-8` - Arabic +* `-e LC_ALL=ru_RU.UTF-8` - Russian +* `-e LC_ALL=es_MX.UTF-8` - Spanish (Latin America) +* `-e LC_ALL=de_DE.UTF-8` - German +* `-e LC_ALL=fr_FR.UTF-8` - French +* `-e LC_ALL=nl_NL.UTF-8` - Netherlands +* `-e LC_ALL=it_IT.UTF-8` - Italian + +### DRI3 GPU Acceleration + +For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using: + +`--device /dev/dri:/dev/dri` + +This feature only supports **Open Source** GPU drivers: + +| Driver | Description | +| :----: | --- | +| Intel | i965 and i915 drivers for Intel iGPU chipsets | +| AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets | +| NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support | + +The `DRINODE` environment variable can be used to point to a specific GPU. + +DRI3 will work on aarch64 given the correct drivers are installed inside the container for your chipset. + +### Nvidia GPU Support + +**Note: Nvidia support is not available for Alpine-based images.** + +Nvidia GPU support is available by leveraging Zink for OpenGL. When a compatible Nvidia GPU is passed through, it will also be **automatically utilized for hardware-accelerated video stream encoding** (using the `x264enc` full-frame profile), significantly reducing CPU load. + +Enable Nvidia support with the following runtime flags: + +| Flag | Description | | :----: | --- | -| `--privileged` | Will start a Docker in Docker (DinD) setup inside the container to use docker in an isolated environment. For increased performance mount the Docker directory inside the container to the host IE `-v /home/user/docker-data:/var/lib/docker`. | -| `-v /var/run/docker.sock:/var/run/docker.sock` | Mount in the host level Docker socket to either interact with it via CLI or use Docker enabled applications. 
| -| `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated appplications. Only **Open Source** drivers are supported IE (Intel,AMDGPU,Radeon,ATI,Nouveau) | +| `--gpus all` | Passes all available host GPUs to the container. This can be filtered to specific GPUs. | +| `--runtime nvidia` | Specifies the Nvidia runtime, which provides the necessary drivers and tools from the host. | + +For Docker Compose, you must first configure the Nvidia runtime as the default on the host: + +``` +sudo nvidia-ctk runtime configure --runtime=docker --set-as-default +sudo systemctl restart docker +``` + +Then, assign the GPU to the service in your `compose.yaml`: + +``` +services: + altus: + image: lscr.io/linuxserver/altus:latest + deploy: + resources: + reservations: + devices: + - driver: nvidia + count: 1 + capabilities: [compute,video,graphics,utility] +``` -### Lossless mode +### Application Management -This container is capable of delivering a true lossless image at a high framerate to your web browser by changing the Stream Quality preset to "Lossless", more information [here](https://www.kasmweb.com/docs/latest/how_to/lossless.html#technical-background). In order to use this mode from a non localhost endpoint the HTTPS port on 3001 needs to be used. If using a reverse proxy to port 3000 specific headers will need to be set as outlined [here](https://github.com/linuxserver/docker-baseimage-kasmvnc#lossless). +There are two methods for installing applications inside the container: PRoot Apps (recommended for persistence) and Native Apps. + +#### PRoot Apps (Persistent) + +Natively installed packages (e.g., via `apt-get install`) will not persist if the container is recreated. To retain applications and their settings across container updates, we recommend using [proot-apps](https://github.com/linuxserver/proot-apps). 
These are portable applications installed to the user's persistent `$HOME` directory. + +To install an application, use the command line inside the container: + +``` +proot-apps install filezilla +``` + +A list of supported applications is available [here](https://github.com/linuxserver/proot-apps?tab=readme-ov-file#supported-apps). + +#### Native Apps (Non-Persistent) + +You can install packages from the system's native repository using the [universal-package-install](https://github.com/linuxserver/docker-mods/tree/universal-package-install) mod. This method will increase the container's start time and is not persistent. Add the following to your `compose.yaml`: + +```yaml + environment: + - DOCKER_MODS=linuxserver/mods:universal-package-install + - INSTALL_PACKAGES=libfuse2|git|gdb +``` ## Usage @@ -144,7 +257,7 @@ Containers are configured using parameters passed at runtime (such as those abov | Parameter | Function | | :----: | --- | -| `-p 3000:3000` | Altus desktop gui. | +| `-p 3000:3000` | Altus desktop gui HTTP, must be proxied. | | `-p 3001:3001` | Altus desktop gui HTTPS. | | `-e PUID=1000` | for UserID - see below for explanation | | `-e PGID=1000` | for GroupID - see below for explanation | @@ -315,6 +428,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **12.07.25:** - Rebase to Selkies, HTTPS IS NOW REQUIRED. * **19.10.24:** - Switch to multi-arch. * **29.01.24:** - Structural changes for v5. * **07.12.23:** - Initial release. diff --git a/jenkins-vars.yml b/jenkins-vars.yml index 0cc09e4..826166b 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -20,8 +20,8 @@ repo_vars: - MULTIARCH = 'true' - CI = 'true' - CI_WEB = 'true' - - CI_PORT = '3000' - - CI_SSL = 'false' + - CI_PORT = '3001' + - CI_SSL = 'true' - CI_DELAY = '120' - CI_DOCKERENV = '' - CI_AUTH = '' diff --git a/readme-vars.yml b/readme-vars.yml index a89e12e..8314b5a 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -20,7 +20,7 @@ param_volumes: - {vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Users home directory in the container, stores program settings and files."} param_usage_include_ports: true param_ports: - - {external_port: "3000", internal_port: "3000", port_desc: "Altus desktop gui."} + - {external_port: "3000", internal_port: "3000", port_desc: "Altus desktop gui HTTP, must be proxied."} - {external_port: "3001", internal_port: "3001", port_desc: "Altus desktop gui HTTPS."} custom_params: - {name: "shm-size", name_compose: "shm_size", value: "1gb", desc: "Required for electron apps to fucntion properly."} 
@@ -29,105 +29,19 @@ opt_security_opt_param_vars: - {run_var: "seccomp=unconfined", compose_var: "seccomp:unconfined", desc: "For Docker Engine only, many modern gui apps need this to function on older hosts as syscalls are unknown to Docker."} readonly_supported: false nonroot_supported: false +# Selkies blurb settings +selkies_blurb: true +show_nvidia: true # application setup block app_setup_block_enabled: true app_setup_block: | The application can be accessed at: - * http://yourhost:3000/ * https://yourhost:3001/ - ### Options in all KasmVNC based GUI containers - - This container is based on [Docker Baseimage KasmVNC](https://github.com/linuxserver/docker-baseimage-kasmvnc) which means there are additional environment variables and run configurations to enable or disable specific functionality. - - #### Optional environment variables - - | Variable | Description | - | :----: | --- | - | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. | - | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. | - | CUSTOM_USER | HTTP Basic auth username, abc is default. | - | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth | - | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` | - | TITLE | The page title displayed on the web browser, default "KasmVNC Client". | - | FM_HOME | This is the home directory (landing) for the file manager, default "/config". | - | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. 
| - | DRINODE | If mounting in /dev/dri for [DRI3 GPU Acceleration](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html) allows you to specify the device to use IE `/dev/dri/renderD128` | - - #### Optional run configurations - - | Variable | Description | - | :----: | --- | - | `--privileged` | Will start a Docker in Docker (DinD) setup inside the container to use docker in an isolated environment. For increased performance mount the Docker directory inside the container to the host IE `-v /home/user/docker-data:/var/lib/docker`. | - | `-v /var/run/docker.sock:/var/run/docker.sock` | Mount in the host level Docker socket to either interact with it via CLI or use Docker enabled applications. | - | `--device /dev/dri:/dev/dri` | Mount a GPU into the container, this can be used in conjunction with the `DRINODE` environment variable to leverage a host video card for GPU accelerated appplications. Only **Open Source** drivers are supported IE (Intel,AMDGPU,Radeon,ATI,Nouveau) | - - ### Lossless mode - - This container is capable of delivering a true lossless image at a high framerate to your web browser by changing the Stream Quality preset to "Lossless", more information [here](https://www.kasmweb.com/docs/latest/how_to/lossless.html#technical-background). In order to use this mode from a non localhost endpoint the HTTPS port on 3001 needs to be used. If using a reverse proxy to port 3000 specific headers will need to be set as outlined [here](https://github.com/linuxserver/docker-baseimage-kasmvnc#lossless). 
-# init diagram -init_diagram: | - "altus:latest": { - docker-mods - base { - fix-attr +\nlegacy cont-init - } - docker-mods -> base - legacy-services - custom services - init-services -> legacy-services - init-services -> custom services - custom services -> legacy-services - legacy-services -> ci-service-check - init-migrations -> init-adduser - init-kasmvnc-end -> init-config - init-os-end -> init-config - init-config -> init-config-end - init-crontab-config -> init-config-end - init-config -> init-crontab-config - init-mods-end -> init-custom-files - init-adduser -> init-device-perms - base -> init-envfile - init-os-end -> init-kasmvnc - init-nginx -> init-kasmvnc-config - init-video -> init-kasmvnc-end - base -> init-migrations - init-config-end -> init-mods - init-mods-package-install -> init-mods-end - init-mods -> init-mods-package-install - init-kasmvnc -> init-nginx - init-adduser -> init-os-end - init-device-perms -> init-os-end - init-envfile -> init-os-end - init-custom-files -> init-services - init-kasmvnc-config -> init-video - init-services -> svc-cron - svc-cron -> legacy-services - init-services -> svc-de - svc-nginx -> svc-de - svc-de -> legacy-services - init-services -> svc-docker - svc-de -> svc-docker - svc-docker -> legacy-services - init-services -> svc-kasmvnc - svc-pulseaudio -> svc-kasmvnc - svc-kasmvnc -> legacy-services - init-services -> svc-kclient - svc-kasmvnc -> svc-kclient - svc-kclient -> legacy-services - init-services -> svc-nginx - svc-kclient -> svc-nginx - svc-nginx -> legacy-services - init-services -> svc-pulseaudio - svc-pulseaudio -> legacy-services - } - Base Images: { - "baseimage-kasmvnc:debianbookworm" <- "baseimage-debian:bookworm" - } - "altus:latest" <- Base Images # changelog changelogs: + - {date: "12.07.25:", desc: "Rebase to Selkies, HTTPS IS NOW REQUIRED."} - {date: "19.10.24:", desc: "Switch to multi-arch."} - {date: "29.01.24:", desc: "Structural changes for v5."} - {date: "07.12.23:", desc: "Initial 
release."}