This is a kind of corner use-case, but it might be useful to someone.
Here's how you get Yubikey U2F working in docker container, e.g. if you sandboxed Chrome browser in a docker container (link for Dockerfile below).
Yubikey accesses the hardware via USB, but it took me a few hours to figure out the exact device nodes to whitelist.
1. insert Yubikey before starting docker container
2. notice which /dev/hidraw device it is, let's say it's /dev/hidraw4 (unfortunately this changes and udev rules can only create symlinks, not hardlinks), easiest way to find out is to insert and remove while watching which device node appears (look at "udevadm info --query=all --name=/dev/hidraw4 --attribute-walk" for details)
3. run the docker run script below which lists devices to map over host-container boundary in the -v flags
Code:
#!/bin/bash
docker run -ti --rm \
-v /dev/bus/usb:/dev/bus/usb \
-v /sys/bus/usb/:/sys/bus/usb/ \
-v /sys/devices/:/sys/devices/ \
-v /dev/hidraw4:/dev/hidraw4 \
--privileged \
name_of_docker_image \
name_of_command_to_run_inside_image --some-parameters
If you want to build the docker for Chrome, here's the
Dockerfile and full
bash run script. Substitute your uid and gid first (it must match so that X server can communicate over X socket). Substitute your pulseaudio socket in Dockerfile as well (you can find it via "lsof -p $(pidof pulseaudio) | grep 'unix.*/native'").
Security notice: the browser has still full access to your X server if you use access via X socket in the linked bash script. Also --privileged flag gives access to devices, so this approach just removes some attack vectors.
Edit: works on Ubuntu 14.04 LTS, breaks on Scientific Linux 6.7/Centos 6.7 due to --privileged flag
Login
FAQ
Search
