Using Docker in a Kasm Desktop

Developers may wish to run Docker inside a Kasm Desktop, allowing them to use the disposable container to run and develop Docker containers from their browser.

Choosing Rootless or Root Docker Workspaces

There are two options for running Docker in Kasm.

Rootless

The recommended, more secure method is to use rootless Docker image: https://hub.docker.com/r/kasmweb/ubuntu-focal-dind-rootless or https://hub.docker.com/r/kasmweb/ubuntu-jammy-dind-rootless. The Docker Daemon does not run as root, which mitigates the impact of using --privileged.

However, the rootless container prevents users from exposing ports with a number lower than 1024 and is also limited to the vfs storage driver regardless of what the underlying host supports leading to some IO overhead and lower performance vs Root.

Root

Running the daemon as root in the Kasm Workspace is insecure, and is only recommended for development deployments. However it removes some of the limitations of the rootless Workspace. It can be found on dockerhub: https://hub.docker.com/r/kasmweb/ubuntu-focal-dind or https://hub.docker.com/r/kasmweb/ubuntu-jammy-dind

Important

Use of Docker inside of a Kasm Desktop requires the Desktop to be launched with “Privileged” permissions, running the daemon as root makes it trivial for a user to run commands as root on the host machine.

Workspace Configuration

  • Log into your Kasm Workspaces deployment as an administrator and navigate to Workspaces -> Workspaces and click “Add Workspace”

  • Configure the Workspace with the following settings:

Workspace Settings

Field

Value

Docker Image

kasmweb/ubuntu-focal-dind:|release| or kasmweb/ubuntu-focal-dind-rootless:|release| or kasmweb/ubuntu-jammy-dind:|release| or kasmweb/ubuntu-jammy-dind-rootless:|release|

Description

Docker in a Kasm Desktop

Friendly Name

Docker

Cores

1

Memory

1768

Enabled

True

Docker Registry

https://index.docker.io/v1/

Docker Run Config

{"privileged":true}

  • Once the Workspace is created you can launch it by clicking on the “Docker” Workspace from the User Dashboard.

Storage and performance

When running Docker in Docker the default storage driver will be fuse-overlayfs if the storage for the isolated Docker daemon is contained within a Docker volume. To leverage host supported filesystem drivers like overlay2 you can mount the Docker storage directory to the host filesystem:

Image Type

Docker Storage Path

Rootless

/home/kasm-user/.local/share/docker

Root

/var/lib/docker

Note

If leveraging Persistent Profiles with a Rootless image this will happen automatically as the home directory for the user will be mounted out of the ephemeral container volume

You can check what storage driver the container is running with:

docker system info | grep "Storage Driver"