/aind

AinD: Android in Docker. Ain't an emulator.

Primary LanguageShellApache License 2.0Apache-2.0

⚠️ Deprecated in favor of ReDroid

As of April 2021, AinD is deprecated in favor of ReDroid.

While Anbox/AinD has got stuck in Android 7.1, ReDroid supports very recent Android versions: 8.1, 9, 10, 11, and Android S (12).


AinD: Android (Anbox) in Docker

AinD launches Android apps in Docker, by nesting Anbox containers inside Docker.

Unlike VM-based similar projects, AinD can be executed on IaaS instances without support for nested virtualization.

GHCR: ghcr.io/aind-containers/aind

⚠️ Docker Hub image aind/aind is no longer updated. Please use ghcr.io/aind-containers/aind image on GHCR.

Purposes

  • Anti-theft (see FAQ)
  • Android compatibility (via cloud) for iOS and Windows tablets

Non-goals

  • Cloud gaming

Screenshots

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
950e3fa7d320        aind                "/docker-entrypoint.…"   7 minutes ago       Up 7 minutes        0.0.0.0:5900->5900/tcp   aind
$ docker exec aind ps -ef | tail -n 20
101023       323     138  0 11:18 pts/2    00:00:00 /system/bin/sdcard -u 1023 -g 1023 -m -w /data/media emulated
110020       347     154  0 11:18 pts/2    00:00:00 com.android.systemui
101001       397     154  0 11:18 pts/2    00:00:00 com.android.phone
user         403     154  0 11:18 pts/2    00:00:00 com.android.settings:CryptKeeper
user         448     154  0 11:18 pts/2    00:00:00 com.android.settings
110009       531     154  0 11:18 pts/2    00:00:00 android.ext.services
110032       546     154  0 11:18 pts/2    00:00:00 com.android.deskclock
110015       577     154  0 11:18 pts/2    00:00:00 com.android.provision
110047       583     154  0 11:18 pts/2    00:00:00 com.android.smspush
110000       615     154  0 11:18 pts/2    00:00:00 org.anbox.appmgr
110011       642     154  0 11:18 pts/2    00:00:00 com.android.managedprovisioning
110008       657     154  0 11:18 pts/2    00:00:00 android.process.media
110003       675     154  0 11:18 pts/2    00:00:00 com.android.providers.calendar
110002       694     154  0 11:18 pts/2    00:00:00 android.process.acore
110027       744     154  0 11:18 pts/2    00:00:00 com.android.calendar
110028       765     154  0 11:18 pts/2    00:00:00 com.android.camera2
110034       784     154  0 11:18 pts/2    00:00:00 com.android.email
110037       807     154  0 11:18 pts/2    00:00:00 com.android.gallery3d
110013       822     154  0 11:18 pts/2    00:00:00 com.android.onetimeinitializer
root        1003       0  0 11:25 ?        00:00:00 ps -ef

docs/screenshot.png

Quick start

Tested on Ubuntu 19.10 (Kernel 5.3). May not work on other distros. If modprobe ashmem_linux or modprobe binder_linux fails, see https://github.com/anbox/anbox-modules .

sudo modprobe ashmem_linux
sudo modprobe binder_linux

Docker

VNC

docker run -td --name aind --privileged -p 5900:5900 -v /lib/modules:/lib/modules:ro ghcr.io/aind-containers/aind
docker exec aind cat /home/user/.vnc/passwdfile

NOTE: --privileged is required for nesting an Anbox (LXC) inside Docker. But you don't need to worry too much because Anbox launches "unprivileged" LXC using user namespaces. You can confirm that all Android processes are running as non-root users, by executing docker exec aind ps -ef.

Wait for 10-20 seconds until Android processes are shown up in docker exec aind ps -ef, and then connect to 5900 via vncviewer. The VNC password is stored in /home/user/.vnc/passwdfile. The password file can be also overridden by docker run -v /your/own/passwdfile:/home/user/.vnc/passwdfile:ro .

If the application manager doesn't shown up on the VNC screen, try docker run ... several times (FIXME). Also make sure to check docker logs aind.

Web mode (noVNC)

To run the container with noVNC support, the environment variable WEBMODE can be set with the following command:

docker run -td --name aind --privileged -p 8080:8080 -e "WEBMODE=1" -v /lib/modules:/lib/modules:ro ghcr.io/aind-containers/aind
docker exec aind cat /home/user/.vnc/passwdfile

The container will be accessible via the browser at http://localhost:8080/vnc.html

Docker Compose

To bring the container up simply run

docker-compose up -d

the vnc password can be gotten with

docker-compose exec aind cat /home/user/.vnc/passwdfile

you can check how far it is with

docker-compose exec aind ps -ef

Kubernetes

kubectl apply -f kube/aind.yaml
kubectl port-forward service/aind 5900

The manifest contains the kernel module installer as initContainers.

The manifest is known to work on:

  • Google Kubernetes Engine (GKE) 1.16.8-gke.8 (ubuntu) [Apr 14, 2020]
    • Kubernetes 1.16.8, Ubuntu 18.04.4, Kernel 5.3.0-1012-gke, Docker 19.03.2
    • n2-standard-8
  • Google Kubernetes Engine (GKE) 1.16.8-gke.8 (ubuntu_containerd) [Apr 14, 2020]
    • Kubernetes 1.16.8, Ubuntu 18.04.4, Kernel 5.3.0-1012-gke, containerd 1.2.10
    • n2-standard-8
  • Azure Kubernetes Service (AKS) 1.17.3 [Apr 14, 2020]
    • Kubernetes 1.17.3, Ubuntu 16.04.6, Kernel 4.15.0-1071-azure, MS-Moby 3.0.10+azure
    • Standard DS2 v2
  • kind 0.7.0 [Apr 14, 2020]
    • Kubernetes 1.17.0, Ubuntu 19.10, Kernel 5.3.0-46-generic, containerd 1.3.2
    • NOTE: Requires docker exec kind-control-plane mount -o remount,rw /sys

Tips

Troubleshooting

  • docker logs aind
  • docker exec -it aind systemctl status anbox-container-manager
  • docker exec -it aind ps -ef
  • docker exec -it aind cat /var/lib/anbox/logs/console.log

adb

docker exec -it aind adb shell

To run adb on the host:

socat TCP-LISTEN:5037,reuseaddr,fork 'EXEC:docker exec -i aind  "socat STDIO TCP-CONNECT:localhost:5037"' &
adb connect localhost:5037
adb shell

Apps

Pre-installed Apps

  • Firefox
  • F-Droid
  • Misc accessories like Clock and Calculator

Installing apk packages

APK files mounted as /apk.d/*.apk are automatically installed on start up.

You can also use F-Droid. To use F-Droid, enable "Settings" -> "Security" -> "Allow installation of apps from unknown sources".

FAQ

Isn't encrypting the phone with strong passcode enough for anti-theft? Why do we need aind?

People in the real world are likely to set weak passcode like "1234" (or finger pattern), because they want to open email/phone/twitter/maps/payment apps in just a few seconds.

aind is expected to be used in conjunction with encryption of the client device, and to be used only for sensitive apps, with a passcode that is stronger than the passcode of the client device itself.

TODOs

  • Map different UID range per containers
  • Better touch screen experience
  • Redirect camera, notifications, ...

Similar projects

License

Binary image