08 · DevOps & Infrastructure← All projects

Containerised Virtual Browser

A Docker-based isolated browser environment exposing Chromium via noVNC — for secure browsing, sandboxed automation, and screenshot capture without touching the host.

GitHub repository ↗5 tools · 4 measured outcomes

Problem

Running browser automation or untrusted web sessions on a host machine is a security risk. This project provides an isolated browser: spin it up, use it, discard it — with no access to the host filesystem or network.

Approach

01
Built a Docker image with Chromium, a virtual display (Xvfb), and a noVNC server for remote access.
02
Configured the container to run as a non-root user with a read-only root filesystem.
03
Restricted network access using Docker network policies — container gets its own isolated network.
04
Exposed the noVNC port (6080) for browser-based remote access with no VNC client required.
05
Added a cleanup entrypoint to kill lingering browser processes on container exit.
06
Validated isolation: host filesystem is not accessible from within the container.

Results

Host filesystem access: None (isolated)
Remote access method: noVNC (port 6080)
Run as root: No
Container startup time: < 8 seconds

Code

Dockerfile building an isolated Chromium environment with noVNC remote access.

FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y \
    chromium xvfb x11vnc novnc \
    --no-install-recommends && \
    rm -rf /var/lib/apt/lists/*

RUN useradd -m -u 1000 browser
USER browser

ENV DISPLAY=:99

COPY entrypoint.sh /entrypoint.sh
EXPOSE 6080

ENTRYPOINT ["/entrypoint.sh"]

Stack

Docker
Chromium
Xvfb
noVNC
Bash

Why it matters

— Non-root execution and read-only root filesystem reduce attack surface.
— noVNC means no VNC client needed — accessible from any browser.
— Useful for secure web scraping, automated screenshot capture, and sandboxed research.