dangerzone as a docker on the server?

[r-gorajski]

Is it possible to run dangerzone as a container on an existing Ubuntu/Docker server?

I work in an organization with many users, and I want to give them a simple and fast tool to:

• PDF security verification
• anonymize PDF documents

I can't implement dangerzone as a Docker Desktop because it's not free for users other than individuals.

Therefore, I thought to run a new container with dangerzone on the Docker server I have, so that it is visible as an intranet site www.xyz:8080

The user, upon accessing the site, would upload a PDF file, check the threat, and be able to anonymize the PDF file.

Is this even possible?

I understand the idea of Docker Desktop and cutting off the network. But as I mentioned above I can't use Docker Desktop :(

Thank you in advance for your help.

[apyrgio]

Sorry for the delayed response, there are lots of stuff to unpack here, and the question is actually very exciting!

Is it possible to run dangerzone as a container on an existing Ubuntu/Docker server?

Yes! We already do this for our CI tests. If you are comfortable with the concept of nested containers, you can take a look at our env.py script, which runs Dangerzone within a container. Still, I'm not sure if that's the way to go forward. More on that below.

Therefore, I thought to run a new container with dangerzone on the Docker server I have, so that it is visible as an intranet site www.xyz:8080

The issue with Dangerzone is that it's a desktop app, not a web one. So, there is no network service that you can expose and send documents to it. We have an open issue for that actually: #110

I can't implement dangerzone as a Docker Desktop because it's not free for users other than individuals.

If you have licensing concerns, and you have predominantly macOS users, you can take a look at Colima. Your users can install Dangezone and Colima at their machine, and the conversions should work.

[luckman212]

@apyrgio I had the same question as @r-gorajski basically. Wanting to be able to run Dangerzone without the requirement of a full blown local Docker Desktop install.

My testbed is an M1 Mac Mini running macOS 15.0.1, with colima 0.7.5 installed via Homebrew and started as a service with brew services start colima.

But Dangerzone (0.7.1) still says I need Docker Desktop. Am I doing something wrong here? Thanks 🙏

Some info...

$ colima --version
colima version 0.7.5

$ brew services info colima --json

[
  {
    "name": "colima",
    "service_name": "homebrew.mxcl.colima",
    "running": true,
    "loaded": true,
    "schedulable": false,
    "pid": 22657,
    "exit_code": 0,
    "user": "luke",
    "status": "started",
    "file": "/Users/luke/Library/LaunchAgents/homebrew.mxcl.colima.plist",
    "command": "/opt/homebrew/opt/colima/bin/colima start -f",
    "working_dir": "/Users/luke",
    "root_dir": null,
    "log_path": "/opt/homebrew/var/log/colima.log",
    "error_log_path": "/opt/homebrew/var/log/colima.log",
    "interval": null,
    "cron": null
  }
]

[luckman212]

Dig more digging... @r-gorajski

I cloned the repo and ripgrep'd through it looking for any evidence of 'colima' — nothing. I found in the code this function to get the platform docker runtime...

dangerzone/dangerzone/isolation_provider/container.py

Lines 42 to 48 in a001b54

	def get_runtime_name() -> str:
	if platform.system() == "Linux":
	runtime_name = "podman"
	else:
	# Windows, Darwin, and unknown use docker for now, dangerzone-vm eventually
	runtime_name = "docker"
	return runtime_name

on macOS it would be 'docker'. Even though I do have docker installed (via Homebrew) it isn't detected, because I guess Dangerzone doesn't add /opt/homebrew/bin/ to its $PATH. I tried symlinking my Homebrew docker bin to /usr/local/bin via ln -s /opt/homebrew/bin/docker /usr/local/bin...which I assumed is in the PATH and voila, now it does detect it, although it isn't happy about the setup...

@apyrgio any idea where to go next with this?

[luckman212]

Oh wow! I just needed to wait a little longer for colima engine to start up apparently.

It's up and running now! 🚀 (without Docker Desktop)

[luckman212]

Well, now I've gotten stuck. Tried to test the sample_bad_max_height.pdf file from this repo's test dir, and got the error below...

[luckman212]

Thanks @EtiennePerot I read through it. No solution but I subscribed and will keep a lookout for a working setup.

[almet]

Yep, colima is not a supported platform as we speak, unfortunately. You can follow the progress on #865 👍

I'm curious about your reasons for not using Docker Desktop, and if Podman Desktop could be an option for you (as a replacement for colima?). Note that it isn't more supported at the moment, but it's not far away (see #925)

[luckman212]

@almet main reasons:

• Prefer non-closed-source tooling, license terms
• Easier to install and maintain via Homebrew
• Perf: I have heard (not sure if it's still true as of the latest releases) that Colima/Podman's use of Rosetta2 for x64 emulation has better performance

[almet]

Interesting, thanks! It seems that Podman Desktop would fit your requirements as well 👍

[apyrgio]

Some very quick observations I wanted to make:

• We offer native container images for Apple Silicon machines, so thankfully you don't need Rosetta. That was the case in the early days of Dangerzone.
• Good thing you subscribed to Dangerzone not compatible with colima? #865, we hope we'll have something new there soon. In the meantime, note that the file you selected from the repo (sample-bad-max-height.pdf) is bound to fail. Using sample-pdf.pdf is a better choice. Not that it would change something now, since Dangerzone still does not work with Colima.

[EphemeralDev]

I don't know how it compares (if at all) but Stirling PDF has a sanitize-pdf feature that appears to be powered by apache pdfbox. Stirling PDF has a docker container but its more of a general tool/collection of tools so is likely a lot larger than dangerzone.