Having trouble getting firejail to work in a Docker container #1956
We are having trouble getting firejail to work as expected in a Docker container.
We have Ubuntu 16.04 running in VirtualBox on a Windows host. Firejail works as expected in that environment. But if we run a Docker container in Ubuntu (using "docker run -ti bash"), with firejail installed in the container, we get: "Warning: an existing sandbox was detected. touch will run without any additional sandboxing features".
Based on some searching, we tried using the --force option, but there is no change. We continue to get the warning message, and firejail seems to have no effect.
Should firejail work within a Docker container? Are we missing something, or doing something wrong?
For example, using the fact that /usr is read-only within a firejail sandbox, here is what we get on our simple Ubuntu vm when we try to create a file in /usr/local/test without firejail, and again with firejail:
```
root@krutherford-VirtualBox:/usr/local/test# touch x.x
** Note: you can use --noprofile to disable server.profile **
Parent pid 4111, child pid 4113
Parent is shutting down, bye...
```
Doing the same thing in our Docker container, with and without the --force option:
```
[root@5e1f26ef0bb2 gsf23]# cd /usr/local/test
```
Some version information from the Docker container:
```
[root@5e1f26ef0bb2 test]# firejail --version
```
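The practical risk in the situation described above is that firejail prints the "existing sandbox" warning and then runs the command anyway, with no additional confinement, so a script that trusts its own `firejail ...` invocations gets no isolation at all inside the container. The wrapper below is an added example, not code from the issue or from the firejail project: it probes firejail with a harmless command first, looks for the warning text quoted in the issue on stderr, and refuses to launch the real command when the fallback would happen. The `FIREJAIL_BIN` override and the `firejail true` probe are assumptions of this example, chosen so the wrapper can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example (not from the issue or from firejail): fail closed when
# firejail would run a command without any additional sandboxing.
# FIREJAIL_BIN is an assumed override so the probe can be pointed at a
# stand-in; it defaults to the real "firejail" binary on PATH.

: "${FIREJAIL_BIN:=firejail}"

# Stable prefix of the warning quoted in the issue above.
NESTED_WARNING='an existing sandbox was detected'

# firejail_is_nested: returns 0 if firejail reports an existing sandbox
# (i.e. the target would run unsandboxed), 1 if a fresh sandbox would be
# created, 3 if firejail itself cannot be executed.
firejail_is_nested() {
    # Run a harmless command and keep only firejail's stderr; stdout is
    # discarded. A non-zero status here means firejail did not even run.
    probe_err=$("$FIREJAIL_BIN" true 2>&1 >/dev/null) || return 3
    case $probe_err in
        *"$NESTED_WARNING"*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_jailed CMD [ARGS...]: launch CMD under firejail only when the probe
# shows a real sandbox will be created. Returns 2 when it refuses, 3 when
# firejail cannot be run, otherwise the exit status of the jailed command.
run_jailed() {
    nested=0
    firejail_is_nested || nested=$?
    case $nested in
        0) echo "run_jailed: nested sandbox detected, refusing to run '$1' unsandboxed" >&2
           return 2 ;;
        3) echo "run_jailed: cannot execute $FIREJAIL_BIN" >&2
           return 3 ;;
    esac
    "$FIREJAIL_BIN" "$@"
}
```

Used as `run_jailed touch /usr/local/test/x.x`, the wrapper reproduces the author's write test only when firejail is actually in control; inside a Docker container it stops with exit status 2 instead of silently creating the file. The probe is deliberately separate from the real launch because, as the issue shows, the warning is printed while the command still runs, so checking stderr after the fact would be too late.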
My desktop environment runs in an nspawn container; I've just started looking at firejail using 0.9.38 (in ubuntu 16.04) .. it seems to run quite happily - and work - with