Running 1Password GUI on Alpine Linux with Docker

boxspring
Community Member

Hello all, I was finally able to get 1Password GUI running on Alpine Linux.

Unfortunately the 1Password binary ships as a dynamically linked executable, and there are too many glibc-linked shared libraries to be able to run it on Alpine even with the glibc compatibility layer installed. Getting it running as a collection of binaries or as a chroot application - while not impossible - will be quite time-consuming.

As a compromise, I was able to build a Docker container from Ubuntu 18.04, and from there figured out the right incantation to get the app to run on my local desktop.

The current problem is that so far I can only get everything to work if I use --privileged and --network=host mode for Docker. Otherwise it complains that it can't authenticate to my X server, even if I allow all connections with xhost +. I mean... it's working, that's not nothing. But it would be nice if I could not rely on whatever weird host-level networking is going on here. Also, if -v /tmp:/tmp isn't passed, Clipboard does not work. (Developers? Any ideas?)

Anyway!

First, copy the following to a file called Dockerfile.

FROM ubuntu:18.04 as build-stg1

ENV CHANNEL="stable"
ENV ONEPASSWORD_KEY_URL="https://downloads.1password.com/linux/keys/1password.asc"
ENV GROUP_NAME="onepassword"
ENV HELPER_PATH="./1Password-KeyringHelper"
ENV BROWSER_SUPPORT_PATH="./1Password-BrowserSupport"

ENV DEBIAN_FRONTEND=noninteractive

RUN set -e; \
  apt-get update && apt-get install -y --no-install-recommends \
    curl gpg ca-certificates libx11-xcb1 ; \
  curl -sS "$ONEPASSWORD_KEY_URL" | gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg ; \
  echo "deb [arch=amd64 signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/amd64 ${CHANNEL} main" > /etc/apt/sources.list.d/1password.list ; \
  mkdir -p /etc/debsig/policies/AC2D62742012EA22/ ; \
  curl -sSo /etc/debsig/policies/AC2D62742012EA22/1password.pol https://downloads.1password.com/linux/debian/debsig/1password.pol ; \
  mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22/ ; \
  rm -f /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg ; \
  curl -sS "$ONEPASSWORD_KEY_URL" | gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg ; \
  apt-get update && apt-get install -y 1password ; \
  cd /opt/1Password/ ; \
  install -Dm0644 ./com.1password.1Password.policy -t /usr/share/polkit-1/actions/ ; \
  install -Dm0644 ./resources/custom_allowed_browsers -t /usr/share/doc/1password/examples/ ; \
  chmod 4755 ./chrome-sandbox ; \
  if [ ! "$(getent group "${GROUP_NAME}")" ]; then \
    groupadd "${GROUP_NAME}" ; \
  fi ; \
  chgrp "${GROUP_NAME}" $HELPER_PATH ; \
  chmod u+s $HELPER_PATH ; \
  chmod g+s $HELPER_PATH ; \
  chgrp "${GROUP_NAME}" $BROWSER_SUPPORT_PATH ; \
  chmod g+s $BROWSER_SUPPORT_PATH ; \
  ln -sf /opt/1Password/1password /usr/bin/1password ; \
  rm -rf /var/lib/apt/lists/*

RUN apt-get update && apt-get install -y --no-install-recommends openssh-server xauth && rm -rf /var/lib/apt/lists/*
RUN sed -i -e 's/^#AddressFamily.*/AddressFamily inet/g' /etc/ssh/sshd_config ; mkdir -p /run/sshd

Next, run the following command:

docker build -t my-1password:latest - < Dockerfile

Finally, copy the following 2 lines into a new file called "1password":

#!/bin/sh
docker run --privileged --network=host --rm -it -v /tmp:/tmp -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro -v "$HOME:$HOME" -e DISPLAY -u "$(id -u):$(id -g)" my-1password 1password --disable-gpu --log debug

Run:

chmod +x 1password

And that should be it! Now just run ./1password and you should see a ton of error messages, but eventually 1Password should pop up on your screen.

You can also install more X apps in that container and run them through Docker. But they'll be pretty slow!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Alpine Linux 3.15.0
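
The launcher in the post above hands the container several host resources at once (`--privileged`, `--network=host`, and bind mounts of `/tmp`, `/etc/shadow` and the home directory). As an added example that is not part of the original post, this shell function lists which options in a `docker run` argument list do that; the function names, the finding texts and the `/home/user` and `1000:1000` sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. audit_docker_run is a hypothetical helper.

# Print one finding per line for the docker-run arguments passed in.
audit_docker_run() {
    prev=""
    for arg in "$@"; do
        # Normalise "-v SRC:DST" and "--network host" to "--opt=value".
        case "$prev" in
            -v|--volume)     arg="--volume=$arg" ;;
            --network|--net) arg="--network=$arg" ;;
        esac
        prev="$arg"
        case "$arg" in
            --privileged)
                echo "privileged: all capabilities and host devices granted" ;;
            --network=host|--net=host)
                echo "host-network: container shares the host network namespace" ;;
            --volume=*)
                spec=${arg#--volume=}
                src=${spec%%:*}
                case "$spec" in *:ro|*:ro,*) mode=ro ;; *) mode=rw ;; esac
                case "$src" in
                    /etc/shadow)
                        echo "mount: /etc/shadow (password hashes) bind-mounted, $mode" ;;
                    /tmp)
                        echo "mount: whole host /tmp shared, $mode" ;;
                    /home/*|/root)
                        echo "mount: home directory $src shared, $mode" ;;
                esac ;;
        esac
    done
}

# Constructed sample: the thread's launcher arguments, with $HOME and the
# uid:gid replaced by the placeholder values /home/user and 1000:1000.
thread_launcher_findings() {
    audit_docker_run --privileged --network=host --rm -it \
        -v /tmp:/tmp -v /etc/passwd:/etc/passwd:ro \
        -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro \
        -v /home/user:/home/user -e DISPLAY -u 1000:1000 \
        my-1password 1password --disable-gpu --log debug
}

thread_launcher_findings
```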

Comments

  • boxspring
    Community Member

    (Incidentally, developers: 1Password wouldn't work at all without the package libx11-xcb1 installed, and it wasn't pulled in by the 1Password apt repo, so you might want to add that dependency. Maybe it's an Ubuntu-ism?)

  • I'm happy to see you try and use 1Password in your favourite setup. As you have discovered, running in Docker is not something we have extensively tested. I'd like to better understand your motivation for running the app this way; would you mind giving me some insight about that? If you are concerned about isolation, there is the snap store option available that receives more testing: https://support.1password.com/install-linux/#snap-store. We have put some work into improving how the snap distribution behaves with isolation, but some of that might not yet be in the stable channel.

  • boxspring
    Community Member

    So, my primary motivation was that I didn't know you could use the browser extension without the desktop app. I thought the extension called the app. Does it talk about that in the docs? Because I didn't know about that until I happened to use the extension by accident after I'd gotten the desktop app working.

    I also would like to figure out how I can make 1password the backing store for my desktop keychain, and I figured having the app installed would be good for managing credentials if I can ever figure that out.

    It seems that snapd isn't packaged for Alpine because it depends on systemd. Flatpaks, however, work beautifully in Alpine.

  • Hi, @boxspring.

    Technically, the browser extension does talk to the desktop application, but only if it detects the desktop application present and only if you've enabled Browser Integration in the desktop application. Otherwise, it is a fully functional application on its own, and actually predates the Linux desktop application by quite a few years. It's how I started using 1Password for my personal life, before I even knew that a Linux application was in the works.

    A flatpak distribution is available, though it isn't yet listed on our installer page. I'm working with our documentation writers to get those instructions posted there, instead of just having them floating around here in the forum. However, if you want it, this is how to install it:

    flatpak install https://downloads.1password.com/linux/flatpak/1Password.flatpakref

    or

    flatpak install https://downloads.1password.com/linux/flatpak/1Password-beta.flatpakref

    Now, I'm really interested in what kind of backing store you are thinking of. We haven't done much in that direction, but I've also thought about what it would mean to use 1Password instead of the desktop keyring. We have some things in the works and are going to be very interested in additional ideas.

This discussion has been closed.