I had to install Skype for various reasons, but I didn't want to install an obfuscated malicious binary blob with network capabilities on my machine.
At first, I used qemu with Windows XP (yes, Skype runs on Windows XP), but since we're now in 2015, I thought that I should give Docker a try, since (hopefully) Skype will never try to actively escape its container, it should be ok.
My main concern was the access to my filesystem and messing around with my processes, but thanks to cgroups, unless Skype has some 0-day, it won't be able to do any harm/spying.
But because we don't trust Skype, we'll make it run within AppArmor. I based my configuration on this one.
Despite the fact that I know that you can do funky stuff once you have access to Xorg, I chose to use X forwarding to access the GUI, because I'm too lazy to use a VNC, and once again, my threat model doesn't include Skype being actively malicious to other applications.
And here is the Dockerfile that I used:
```dockerfile
#
# Loosely based on https://github.com/shofetim/docker-skype and https://github.com/tomparys/docker-skype-pulseaudio
#
FROM debian:stable
MAINTAINER Julien (jvoisin) Voisin "firstname.lastname@example.org"

# Skype is i386 only
RUN dpkg --add-architecture i386
RUN apt-get update

# We'll use ssh to access Skype with X-forwarding
RUN apt-get install --no-install-recommends -y openssh-server wget

# Create a docker:docker user
RUN useradd -m -d /home/docker docker
RUN echo "docker:docker" | chpasswd

# Install Skype
RUN wget http://download.skype.com/linux/skype-debian_126.96.36.199-1_i386.deb -O /usr/src/skype.deb
# Check the file at the path it was saved to (sha256sum -c expects two spaces before the name)
RUN echo 'a820e641d1ee3fece3fdf206f384eb65e764d7b1ceff3bc5dee818beb319993c  /usr/src/skype.deb' | sha256sum -c
RUN dpkg -i /usr/src/skype.deb || true
RUN apt-get install -fy
RUN rm /usr/src/skype.deb

# AppArmor, because we don't trust Skype
RUN apt-get install -y --no-install-recommends apparmor-profiles
RUN apt-get install -y --no-install-recommends apparmor-utils
ADD usr.bin.skype /etc/apparmor.d/
RUN service apparmor reload

# Enable X11Forwarding (a server-side option, so it belongs in sshd_config)
RUN echo X11Forwarding yes >> /etc/ssh/sshd_config
RUN mkdir -p /var/run/sshd

# Exposes the ssh port
EXPOSE 22

# Start ssh services.
CMD ["/usr/sbin/sshd", "-D"]
```
Throw this in a Dockerfile, and run:

```
$ docker build -t skype .
$ docker run -d -p 55555:22 --name skype skype
$ ssh-copy-id docker-skype
$ ssh docker-skype skype
[...] # Configure your skype client
$ docker commit skype skype_complete
$ docker rm -f skype
```
You can now run Skype within a container with:

```
docker run -d -p 55555:22 --name skype_ skype_complete && sleep 1 && ssh docker-skype skype && docker rm -f skype_
```

Feel free to add this to your shell aliases.
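The command above publishes port 55555 on every host interface while the container's account is docker:docker, and it relies on a fixed `sleep 1`. A launcher that binds the port to loopback and polls sshd instead, as an added example that is not from the original post; it assumes a `docker-skype` entry in `~/.ssh/config` as sketched in the comment, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ~/.ssh/config defines
# the "docker-skype" alias the post uses, for instance (constructed sample):
#   Host docker-skype
#       HostName 127.0.0.1
#       Port 55555
#       User docker
#       ForwardX11 yes
IMAGE=skype_complete      # image name from the post
NAME=skype_               # container name from the post
PORT=55555                # host port from the post
DOCKER=${DOCKER:-docker}  # overridable, e.g. DOCKER=echo for a dry run

# Print the "docker run" arguments, one per line. The publish spec pins the
# host side to loopback: a bare "-p 55555:22" listens on all interfaces,
# which exposes the docker:docker password login to the local network.
skype_run_args() {
    printf '%s\n' run -d -p "127.0.0.1:${PORT}:22" --name "$NAME" "$IMAGE"
}

# Poll sshd with key authentication instead of a fixed "sleep 1".
# $1 = maximum attempts (default 20); non-zero if sshd never answers.
wait_for_sshd() {
    tries=${1:-20}
    while [ "$tries" -gt 0 ]; do
        ssh -o BatchMode=yes -o ConnectTimeout=1 docker-skype true \
            2>/dev/null && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Start the container, run Skype over X forwarding, and always remove the
# container afterwards, even if ssh fails or the shell is interrupted.
run_skype() {
    # Word splitting of the argument list is intended here.
    $DOCKER $(skype_run_args) >/dev/null || return 1
    trap '$DOCKER rm -f "$NAME" >/dev/null 2>&1' EXIT INT TERM
    wait_for_sshd && ssh docker-skype skype
}
```

Source the file and call `run_skype`, or point a shell alias at it.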