Title: Running Skype in docker
Date: 2015-01-25 13:00

I had to install [Skype](https://skype.com) for various *reasons*,
but I didn't want to install an [obfuscated](http://www.oklabs.net/skype-reverse-engineering-the-long-journey/)
[malicious](https://linux.slashdot.org/story/07/08/26/1312256/skype-linux-reads-password-and-firefox-profile)
binary blob with network capabilities on my machine.

At first, I used [qemu](http://www.qemu.org) with Windows XP (yes, Skype runs on Windows XP),
but since we're now in 2015, I thought that I should give [docker](https://docker.io) a try:
since (hopefully) Skype will never try to actively escape its container, it should be ok.

My main concern was the access to my filesystem and messing around with my processes,
but thanks to *cgroups*, unless Skype has some 0-day, it won't be able to do any harm/spying.

But because we don't trust Skype, we'll make it run within [AppArmor](http://apparmor.net).
I based my configuration on [this](https://github.com/Lekensteyn/aur/blob/master/apparmor/usr.bin.skype) one.

Despite the fact that I know that you can do funky stuff once you have access to Xorg,
I chose to use X forwarding to access the GUI, because I'm too lazy to use VNC, and once again,
my threat model doesn't include Skype being actively malicious to other applications.

And here is the Dockerfile that I used:

```dockerfile
#
# Loosely based on https://github.com/shofetim/docker-skype and https://github.com/tomparys/docker-skype-pulseaudio
#

FROM debian:stable
MAINTAINER Julien (jvoisin) Voisin "julien.voisin@dustri.org"

# Skype is i386 only
RUN dpkg --add-architecture i386
RUN apt-get update

# We'll use ssh to access Skype with X-forwarding
RUN apt-get install --no-install-recommends -y openssh-server wget

# Create a docker:docker user
RUN useradd -m -d /home/docker docker
RUN echo "docker:docker" | chpasswd

# Install Skype
RUN wget http://download.skype.com/linux/skype-debian_4.3.0.37-1_i386.deb -O /usr/src/skype.deb
RUN echo 'a820e641d1ee3fece3fdf206f384eb65e764d7b1ceff3bc5dee818beb319993c  /usr/src/skype.deb' | sha256sum -c
RUN dpkg -i /usr/src/skype.deb || true
RUN apt-get install -fy
RUN rm /usr/src/skype.deb

# AppArmor, because we don't trust Skype
RUN apt-get install -y --no-install-recommends apparmor-profiles apparmor-utils
ADD usr.bin.skype /etc/apparmor.d/
RUN service apparmor reload

# Enable X11Forwarding (a server-side option, so it goes in sshd_config, not ssh_config)
RUN echo "X11Forwarding yes" >> /etc/ssh/sshd_config
RUN mkdir -p /var/run/sshd

# Exposes the ssh port
EXPOSE 22

# Start ssh services.
CMD ["/usr/sbin/sshd", "-D"]
```

Throw this in a `Dockerfile`, and run:

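```bash
$ docker build -t skype .
# -p 55555:22 publishes sshd on all host interfaces; 127.0.0.1:55555:22 keeps it local
$ docker run -d -p 55555:22 --name skype skype
# docker-skype is assumed to be a ~/.ssh/config Host alias for the container's sshd
$ ssh-copy-id docker-skype
$ ssh docker-skype skype
[...]  # Configure your skype client
$ docker commit skype skype_complete
$ docker rm -f skype
```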

You can now run Skype within a container with `docker run -d -p 55555:22 --name skype_ skype_complete && sleep 1 && ssh docker-skype skype && docker rm -f skype_`. Feel free to add this to your shell aliases.
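
AppArmor profiles are loaded into the host kernel rather than stored in the image, so it is worth confirming which profile actually confines the Skype process once the container is running. The script below is an added example, not part of the original post: it reads each matching process's label from `/proc/<pid>/attr/current` through `docker exec`. The process name `skype`, the profile name `/usr/bin/skype` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report which AppArmor profile
# confines a process inside a running container.
# /proc/<pid>/attr/current holds "unconfined" or "<profile> (<mode>)".

# classify_label LABEL EXPECTED_PROFILE
# Prints ok | unconfined | wrong-profile | <mode> | unknown; returns 0 only for ok.
classify_label() {
    label=$1 expected=$2
    case $label in
        unconfined) echo unconfined; return 1 ;;
        *" ("*")") ;;                          # well-formed "<profile> (<mode>)"
        *) echo unknown; return 1 ;;
    esac
    profile=${label%" ("*}
    mode=${label##*" ("}; mode=${mode%")"}
    if [ "$profile" != "$expected" ]; then echo wrong-profile; return 1; fi
    if [ "$mode" != enforce ]; then echo "$mode"; return 1; fi
    echo ok
}

# check_container CONTAINER PROCESS_NAME EXPECTED_PROFILE
# Lists "<pid> <label>" for every process whose comm matches, then classifies.
check_container() {
    out=$(docker exec "$1" sh -c '
        for d in /proc/[0-9]*; do
            [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] || continue
            echo "${d#/proc/} $(cat "$d/attr/current" 2>/dev/null)"
        done' sh "$2") || return 2
    [ -n "$out" ] || { echo "no process named $2 in $1" >&2; return 2; }
    rc=0
    while read -r pid label; do
        verdict=$(classify_label "$label" "$3") || rc=1
        echo "pid $pid: ${label:-<none>} -> $verdict"
    done <<EOF
$out
EOF
    return $rc
}

# Assumed usage: container "skype_" from the post; process and profile names
# are assumptions, adjust them to what usr.bin.skype actually declares:
#   sh check_confinement.sh skype_ skype /usr/bin/skype
if [ "$#" -eq 3 ]; then check_container "$@"; fi
```

A `wrong-profile` verdict means the process runs under some other profile, for example Docker's own `docker-default`, instead of the Skype one.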
