
Having trouble getting firejail to work in a Docker container #1956

Closed
kruthe01 opened this issue May 23, 2018 · 4 comments
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested

Comments

@kruthe01

We are having trouble getting firejail to work as expected in a Docker container.

We have Ubuntu 16.04 running in VirtualBox on a Windows host. Firejail works as expected in that environment. But if we run a Docker container in Ubuntu (using "docker run -ti bash"), with firejail installed in the container, we get: "Warning: an existing sandbox was detected. touch will run without any additional sandboxing features".

Based on some searching, we tried using the --force option, but there is no change. We continue to get the warning message, and firejail seems to have no effect.

Should firejail work within a Docker container? Are we missing something, or doing something wrong?

For example, using the fact that /usr is read-only within a firejail sandbox, here is what we get on our simple Ubuntu vm when we try to create a file in /usr/local/test without firejail, and again with firejail:

root@krutherford-VirtualBox:/usr/local/test# touch x.x
root@krutherford-VirtualBox:/usr/local/test# ls
x.x
root@krutherford-VirtualBox:/usr/local/test# rm x.x
root@krutherford-VirtualBox:/usr/local/test# firejail touch x.x
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 4111, child pid 4113
The new log directory is /proc/4113/root/var/log
Child process initialized in 38.43 ms
touch: cannot touch 'x.x': Read-only file system

Parent is shutting down, bye...

Doing the same thing in our Docker container, with and without the --force option:

[root@5e1f26ef0bb2 gsf23]# cd /usr/local/test
[root@5e1f26ef0bb2 test]# touch x.x
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail --force touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x

Some version information from the Docker container:

[root@5e1f26ef0bb2 test]# firejail --version
firejail version 0.9.54
[root@5e1f26ef0bb2 test]# uname -a
Linux 5e1f26ef0bb2 4.13.0-43-generic #48~16.04.1-Ubuntu SMP Thu May 17 12:56:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@5e1f26ef0bb2 test]#

@Vincent43 (Collaborator)

Docker and firejail use similar features like namespaces, seccomp, capabilities. This means firejail is unable to create its own sandbox when run inside docker.

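An added check, not code from the firejail project or from anyone in this thread, that makes the point above visible from inside the container: a Docker container leaves a seccomp filter, a reduced capability bounding set and (depending on the run options) NoNewPrivs on every process in it, and those fields in /proc/self/status are what an inner sandbox has to live under. The script only reads /proc; it does not reproduce firejail's own detection logic, and the fallback of 37 for the highest capability number is taken from the 4.13 kernel in the issue (the full bounding set there is 0000003fffffffff).

```shell
#!/bin/sh
# Added example (not firejail code): show the kernel-level restrictions the
# current process already lives under. A Docker container leaves a seccomp
# filter, a reduced capability bounding set and often NoNewPrivs behind in
# /proc/self/status, and any sandbox started inside has to inherit them.

# Print seccomp mode, NoNewPrivs flag and capability bounding set as
# name=value lines. $1: a /proc/<pid>/status file (default: /proc/self/status).
sandbox_indicators() {
    status_file="${1:-/proc/self/status}"
    # Seccomp: 0 = off, 1 = strict, 2 = filter (Docker's default profile is a filter)
    seccomp=$(awk '/^Seccomp:/ { print $2 }' "$status_file")
    # NoNewPrivs: 1 = privilege gain through setuid/file capabilities already disabled
    nnp=$(awk '/^NoNewPrivs:/ { print $2 }' "$status_file")
    # CapBnd: hex mask of the capability bounding set
    capbnd=$(awk '/^CapBnd:/ { print $2 }' "$status_file")
    printf 'seccomp=%s\nnonewprivs=%s\ncapbnd=%s\n' \
        "${seccomp:-?}" "${nnp:-?}" "${capbnd:-?}"
}

# Exit 0 when the status file shows restrictions an outer sandbox would leave
# (seccomp active, NoNewPrivs set, or a bounding set smaller than the kernel's
# full set), exit 1 otherwise. $1: status file; $2: highest capability number
# (default: /proc/sys/kernel/cap_last_cap, falling back to 37 as on the 4.13
# kernel in the issue, where the full set is 0000003fffffffff).
already_sandboxed() {
    status_file="${1:-/proc/self/status}"
    last_cap="${2:-$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null || echo 37)}"
    full_caps=$(printf '%016x' $(( (1 << (last_cap + 1)) - 1 )))
    awk -v full="$full_caps" '
        /^Seccomp:/    { if ($2 != 0)    hit = 1 }
        /^NoNewPrivs:/ { if ($2 == 1)    hit = 1 }
        /^CapBnd:/     { if ($2 != full) hit = 1 }
        END { if (hit) exit 0; exit 1 }
    ' "$status_file"
}

# Run against the live process when /proc is available.
if [ -r /proc/self/status ]; then
    sandbox_indicators
    if already_sandboxed; then
        echo "outer sandbox detected: an inner sandbox cannot add its own namespaces/seccomp/caps freely"
    else
        echo "no outer sandbox restrictions found"
    fi
fi
```

Run it in the VirtualBox guest and then inside the container to see the difference: the guest shows seccomp=0 and the full bounding set, the container shows seccomp=2 and a mask such as 00000000a80425fb. The check is deliberately conservative; a plain unprivileged shell on the host also has the full bounding set, so it is not flagged.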
@kruthe01 (Author)

Thanks for the explanation. We had found this thread: #189 and apparently misunderstood the use/purpose of "--force".

@SkewedZeppelin (Collaborator)

--force has also been removed in the latest version of firejail 0.9.54

@Vincent43 Vincent43 added the question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested label Jul 11, 2018
@srd424 commented Feb 17, 2019

@SkewedZeppelin:

--force has also been removed in the latest version of firejail 0.9.54

My desktop environment runs in an nspawn container; I've just started looking at firejail using 0.9.38 (in Ubuntu 16.04)... it seems to run quite happily - and work - with --force. Is there more detail on the decision to drop --force, and/or suggested alternatives?

maltfield added a commit to BusKill/buskill-app that referenced this issue Jul 9, 2020
apparently I misunderstood the --force flag for `firejail` and--in fact--firejail can't run inside a docker container

 * netblue30/firejail#1956

The alternative way to make a single command-line execution not have internet access would be to setup a firewall with a rule to block traffic for a given user/group, then run that command as that uid/pid. But that's just too damn much work, and I keep hitting these issues with Docker, so for now I'm just going back to Ubuntu without Docker
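The firewall-based alternative mentioned in that commit message, written out as an added example (not code from BusKill, the referenced commit, or firejail): the command runs as a dedicated unprivileged account and the iptables owner match rejects every outbound packet owned by that uid. The account name "nonet", the chain name "NONET" and the use of sudo to switch user are this example's choices; the rule text is produced by a function so it can be inspected without root, while applying it requires root.

```shell
#!/bin/sh
# Added example (not from the referenced commit or firejail): deny network
# access to one command without any sandbox, by running it as a dedicated
# unprivileged user and rejecting that user's outbound packets with the
# iptables owner match. The account name "nonet" and chain name "NONET"
# are this example's choices; applying the rules needs root.
# One-time setup (as root):  useradd -r -s /usr/sbin/nologin nonet

NONET_USER="${NONET_USER:-nonet}"

# Print the netfilter commands that send every packet owned by uid $1 to a
# chain that returns loopback traffic and rejects everything else. The
# owner match only exists in OUTPUT/POSTROUTING, so inserting at position 1
# of OUTPUT keeps the rule ahead of any general ACCEPT. Both IPv4 and IPv6
# are covered; blocking only one leaves the other as a bypass.
nonet_rules() {
    uid="$1"
    for ipt in iptables ip6tables; do
        printf '%s -N NONET\n' "$ipt"
        printf '%s -A NONET -o lo -j RETURN\n' "$ipt"
        printf '%s -A NONET -j REJECT\n' "$ipt"
        printf '%s -I OUTPUT 1 -m owner --uid-owner %s -j NONET\n' "$ipt" "$uid"
    done
}

# Print the commands that remove what nonet_rules added, in reverse order.
nonet_teardown_rules() {
    uid="$1"
    for ipt in iptables ip6tables; do
        printf '%s -D OUTPUT -m owner --uid-owner %s -j NONET\n' "$ipt" "$uid"
        printf '%s -F NONET\n' "$ipt"
        printf '%s -X NONET\n' "$ipt"
    done
}

# Apply the rules, run "$@" as the nonet user, then tear the rules down.
# Returns the command's exit status; 2 if the user is missing, 3 if the
# rules could not be applied. Must itself run as root.
run_without_net() {
    uid=$(id -u "$NONET_USER" 2>/dev/null) || return 2
    nonet_rules "$uid" | sh -e || return 3
    # sudo keeps the argument vector intact; "$*" through su -c would not.
    sudo -u "$NONET_USER" -- "$@"
    rc=$?
    nonet_teardown_rules "$uid" | sh
    return "$rc"
}

# Usage (as root):  run_without_net curl -sS https://example.org
# Expected: curl fails with a connection refused/unreachable error while
# the rules are in place, and the rules are gone afterwards.
```

Two caveats a practitioner should keep in mind. The owner match is a per-packet uid check, not a sandbox: a program that can change uid (a setuid binary, or one holding CAP_SETUID) steps out of it, and packets sent on the program's behalf by another process are owned by that process, so a local resolver such as systemd-resolved listening on loopback will still answer DNS queries. Loopback is allowed here on purpose because many programs break without it; drop the RETURN rule if the command must be cut off from local services as well.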