[GH-ISSUE #1611] version 50.1 and 50.3(artful deb) won't connect to internet in Ubuntu 17.10 #1079

Closed
opened 2026-05-05 07:25:28 -06:00 by gitea-mirror · 15 comments

Originally created by @l4r1k4 on GitHub (Oct 21, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1611

Tried to install firejail current version 50.1 and the artful package (50.3) with firejail profiles.

Cannot connect to internet.

Using LTS version works fine in Ubuntu 17.10

gitea-mirror 2026-05-05 07:25:28 -06:00
  • closed this issue
  • added the bug label

@Fred-Barclay commented on GitHub (Oct 21, 2017):

G'day @matteotanca
How did you install these packages? Did they come from the Ubuntu repository or did you download the firejail packages from SourceForge?
If from Ubuntu repos, did you install both `firejail` and `firejail-profiles`?

What happens if you run `firejail --noprofile ping -c 10 8.8.8.8`?


@l4r1k4 commented on GitHub (Oct 22, 2017):

G'day @Fred-Barclay,

with the --noprofile option I'm able to ping and to surf. So I guess there's something wrong with Ubuntu 17.10 50.3 firejail profiles.

Thanks!


@SkewedZeppelin commented on GitHub (Oct 22, 2017):

@matteotanca Please note, using `--noprofile` disables nearly all sandboxing features providing very little security benefit.


@l4r1k4 commented on GitHub (Oct 22, 2017):

@SpotComms thanks, I knew, waiting a fix.

Thanks!!


@reinerh commented on GitHub (Oct 22, 2017):

Please tell a bit more about the problem.
Which application has no internet access? Does not even `firejail wget debian.org` work?
If so, please post the complete terminal output.


@l4r1k4 commented on GitHub (Oct 22, 2017):

```
matteo@matteo-ThinkPad-W540:~$ firejail wget debian.org
--2017-10-22 12:38:03-- http://debian.org/
Risoluzione di debian.org (debian.org)... non riuscito: Nome o servizio sconosciuto.
wget: impossibile risolvere l'indirizzo dell'host "debian.org"
matteo@matteo-ThinkPad-W540:~$ firejail ping www.google.it
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 30627, child pid 30628
Child process initialized in 49.89 ms
ping: socket: Operazione non permessa

Parent is shutting down, bye...
matteo@matteo-ThinkPad-W540:~$ firejail telnet www.google.it
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 30679, child pid 30689
Child process initialized in 35.99 ms
telnet: could not resolve www.google.it/telnet: Name or service not known

Parent is shutting down, bye...
matteo@matteo-ThinkPad-W540:~$ firejail firefox www.google.it
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30782, child pid 30783
Blacklist violations are logged to syslog
Child process initialized in 60.23 ms
1508668761448 FirefoxAccounts ERROR Background refresh of profile failed: {"name":"FxAccountsProfileClientError","code":null,"errno":998,"error":"NETWORK_ERROR","message":"[Exception... \"NS_ERROR_UNKNOWN_HOST\" nsresult: \"0x804b001e (NS_ERROR_UNKNOWN_HOST)\" location: \"JS frame :: resource://services-common/rest.js :: onStopRequest :: line 483\" data: no]"}
[Parent 5] WARNING: pipe error (46): Connessione interrotta dal corrispondente: file /build/firefox-9cfKiA/firefox-56.0+build6/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
/usr/share/themes/Radiance/gtk-2.0/apps/mate-panel.rc:30: error: invalid string constant "murrine-scrollbar", expected valid string constant
[Parent 5] WARNING: pipe error (58): Connessione interrotta dal corrispondente: file /build/firefox-9cfKiA/firefox-56.0+build6/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
*** UTM:SVC TimerManager:registerTimer called after profile-before-change notification. Ignoring timer registration for id: telemetry_modules_ping

Parent is shutting down, bye...
```

I install the version 50.1 but when I upgrade Ubuntu 17.10 installs version 50.3 with profiles 50.3

```
matteo@matteo-ThinkPad-W540:~$ apt search firejail
Ordinamento... Fatto
Ricerca sul testo... Fatto
firejail/artful,now 0.9.50-3 amd64 [installato]
sandbox per restringere l'ambiente dell'applicazione

firejail-profiles/artful,artful,now 0.9.50-3 all [installato, automatico]
profiles for the firejail application sandbox

firetools/artful 0.9.46-3 amd64
Qt frontend for the Firejail application sandbox
```

Maybe this is useful too:

```
matteo@matteo-ThinkPad-W540:~$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 31471, child pid 31472

DNS server 8.8.8.8
DNS server 8.8.4.4

Blacklist violations are logged to syslog
Error: cannot set DNS servers, /etc/resolv.conf file is missing
Error: proc 31471 cannot sync with peer: unexpected EOF
Peer 31472 unexpectedly exited with status 1

matteo@matteo-ThinkPad-W540:~$ ls /etc/resolv.conf
/etc/resolv.conf ----> is not missing!
```

```
matteo@matteo-ThinkPad-W540:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.10
DISTRIB_CODENAME=artful
DISTRIB_DESCRIPTION="Ubuntu 17.10"
```

Maybe it's a problem related to systemd-resolved in Ubuntu 17.10. Idk if other distros have the same problem.

Hope this helps. Thank you!


@l4r1k4 commented on GitHub (Oct 22, 2017):

Just to clear a bit :

  • Same problem with version 50.1 without upgrade and without 50.3 profiles package.
  • LTS version is working fine.
  • Problem is with 50.1 and 50.3 versions in Ubuntu 17.10.

Tested with DNSSEC on and off, same behaviour.


@netblue30 commented on GitHub (Oct 22, 2017):

> Error: cannot set DNS servers, /etc/resolv.conf file is missing

Run "ls -l /etc/resolv.conf" and put the output here. They used to have it as a symlink to /run/resolvconf/resolv.conf, maybe they are changing to something else.


@Fred-Barclay commented on GitHub (Oct 22, 2017):

I've just set up an Ubuntu 17.10 VM, and the firejail 0.9.50-3 version in the repos won't allow me to connect to internet either. Firejail built from git connects without issue.

```
$ firejail wget debian.org
--2017-10-22 10:28:35--  http://debian.org/
Resolving debian.org (debian.org)... failed: Name or service not known.
wget: unable to resolve host address ‘debian.org’
$ firejail --version
firejail version 0.9.50

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
$ dpkg -l | grep firejail
ii  firejail                                   0.9.50-3                                    amd64        sandbox to restrict the application environment
ii  firejail-profiles                          0.9.50-3                                    all          profiles for the firejail application sandbox
```

It looks as if /etc/resolv.conf isn't symlinked to /run/resolvconf/resolv.conf any longer:

```
$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Oct 22 09:55 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
```

@netblue30 commented on GitHub (Oct 22, 2017):

OK, the guys moved to systemd-resolved, like Arch.

For version 0.9.50, line "blacklist /var/run/systemd" in disable-common.inc needs to be disabled:

https://github.com/netblue30/firejail/blob/0.9.50-bugfixes/etc/disable-common.inc#L130

@matteotanca, as root open /etc/firejail/disable-common.inc and comment it out (add a #).

Also, can you do a "ls -l /run/systemd/resolve/stub-resolv.conf" - probably there is some more coming.
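
The cause identified in this thread, a `blacklist /var/run/systemd` line hiding the real target of the `/etc/resolv.conf` symlink, can be checked for mechanically. The script below is an added example, not part of the original thread or of firejail; its function names, the temporary directory tree and the two sample include files are constructed for illustration, and it assumes GNU `readlink -f`.

```bash
#!/usr/bin/env bash
# Added example (not firejail code). Function names are hypothetical.

# resolv_blacklisted ROOT PROFILE
# Resolve ROOT/etc/resolv.conf through its symlinks and print the first
# absolute "blacklist" entry in PROFILE that covers the real file.
# Returns 0 on a hit, 1 if no entry covers it, 2 if a path cannot be resolved.
resolv_blacklisted() {
    local root profile target keyword entry real
    root=$(readlink -f "$1") || return 2
    profile=$2
    target=$(readlink -f "$root/etc/resolv.conf") || return 2
    while read -r keyword entry; do
        [ "$keyword" = "blacklist" ] || continue      # also skips "#blacklist ..."
        case $entry in /*) ;; *) continue ;; esac     # only absolute paths
        # Canonicalise the entry so /var/run/... and /run/... compare equal.
        real=$(readlink -f "$root$entry" 2>/dev/null) || continue
        case $target in
            "$real"|"$real"/*) printf '%s\n' "$entry"; return 0 ;;
        esac
    done < "$profile"
    return 1
}

# make_fixture: build a constructed tree that mirrors the layout shown in the
# thread (resolv.conf -> ../run/systemd/resolve/stub-resolv.conf) and print
# its path. before.inc / after.inc are constructed sample include files.
make_fixture() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/var" "$d/run/systemd/resolve"
    ln -s ../run "$d/var/run"
    printf '# constructed placeholder\n' > "$d/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$d/etc/resolv.conf"
    printf '%s\n' 'blacklist ${HOME}/.example' 'blacklist /var/run/systemd' > "$d/before.inc"
    printf '%s\n' 'blacklist ${HOME}/.example' '#blacklist /var/run/systemd' > "$d/after.inc"
    printf '%s\n' "$d"
}

# Demo on the constructed tree: before and after commenting the line out.
fx=$(make_fixture)
if hit=$(resolv_blacklisted "$fx" "$fx/before.inc"); then
    echo "before.inc: '$hit' hides the target of /etc/resolv.conf"
fi
resolv_blacklisted "$fx" "$fx/after.inc" >/dev/null \
    || echo "after.inc: resolv.conf target stays visible in the sandbox"
rm -rf "$fx"
```

On a real host, `resolv_blacklisted / /etc/firejail/disable-common.inc` runs the same check against the installed include file.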


@Fred-Barclay commented on GitHub (Oct 22, 2017):

@netblue30

> OK, the guys moved to systemd-resolved, like Arch.

Did we have trouble with firejail 0.9.50 on Arch? I know we don't now - I'm running Arch and building firejail from the latest source almost every day, and I didn't experience anything like what we're seeing on Ubuntu.


@Fred-Barclay commented on GitHub (Oct 22, 2017):

Also, not @matteotanca but here's the output on my 17.10 VM:

```
$ ls -l /run/systemd/resolve/stub-resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 239 Oct 22 13:22 /run/systemd/resolve/stub-resolv.conf
```

@netblue30 commented on GitHub (Oct 22, 2017):

> Did we have trouble with firejail 0.9.50 on Arch?

It went down about three weeks ago, after the release of 0.9.50. These are the fixes so far on top of 0.9.50:

The main one affecting regular usage: 1e879f1199 (issue https://github.com/netblue30/firejail/issues/1531)

dns.print never worked for systemd-resolved setup: 02a72e1740

Another one: 7b5d105a39 just fixed again to cover Ubuntu also: abcdd332eb (issue https://github.com/netblue30/firejail/issues/1547)

I'll grab all of them and push a commit on 0.9.50-bugfixes branch for reference. The first one is important, the other two are corner cases.


@l4r1k4 commented on GitHub (Oct 22, 2017):

Commenting L130 in /etc/firejail/disable-common.inc solved the issue for me.
Now I can surf.

```
matteo@matteo-ThinkPad-W540:~$ firejail wget debian.org
--2017-10-22 21:40:24-- http://debian.org/
Risoluzione di debian.org (debian.org)... 128.31.0.62, 130.89.148.14, 149.20.4.15, ...
Connessione a debian.org (debian.org)|128.31.0.62|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 301 Moved Permanently
Posizione: http://www.debian.org/ [segue]
--2017-10-22 21:40:25-- http://www.debian.org/
Risoluzione di www.debian.org (www.debian.org)... 5.153.231.4, 130.89.148.14, 2001:41c8:1000:21::21:4, ...
Connessione a www.debian.org (www.debian.org)|5.153.231.4|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 200 OK
Lunghezza: 14989 (15K) [text/html]
Salvataggio in: "index.html"

index.html 100%[===================>] 14,64K --.-KB/s in 0,09s

2017-10-22 21:40:25 (171 KB/s) - "index.html" salvato [14989/14989]
```

Thank you!


@netblue30 commented on GitHub (Oct 25, 2017):

I put all the fixes for reference on 0.9.50-bugfixes branch.
