[GH-ISSUE #1956] Having trouble getting firejail to work in a Docker container #1311

Closed
opened 2026-05-05 07:50:48 -06:00 by gitea-mirror · 4 comments

Originally created by @kruthe01 on GitHub (May 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1956

We are having trouble getting firejail to work as expected in a Docker container.

We have Ubuntu 16.04 running in VirtualBox on a Windows host. Firejail works as expected in that environment. But if we run a Docker container in Ubuntu (using "docker run -ti <image> bash"), with firejail installed in the container, we get: "Warning: an existing sandbox was detected. touch will run without any additional sandboxing features".

Based on some searching, we tried using the --force option, but there is no change. We continue to get the warning message, and firejail seems to have no effect.

Should firejail work within a Docker container? Are we missing something, or doing something wrong?

For example, using the fact that /usr is read-only within a firejail sandbox, here is what we get on our simple Ubuntu vm when we try to create a file in /usr/local/test without firejail, and again with firejail:

root@krutherford-VirtualBox:/usr/local/test# touch x.x
root@krutherford-VirtualBox:/usr/local/test# ls
x.x
root@krutherford-VirtualBox:/usr/local/test# rm x.x
root@krutherford-VirtualBox:/usr/local/test# firejail touch x.x
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 4111, child pid 4113
The new log directory is /proc/4113/root/var/log
Child process initialized in 38.43 ms
touch: cannot touch 'x.x': Read-only file system

Parent is shutting down, bye...

Doing the same thing in our Docker container, with and without the --force option:

[root@5e1f26ef0bb2 gsf23]# cd /usr/local/test
[root@5e1f26ef0bb2 test]# touch x.x
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x
[root@5e1f26ef0bb2 test]# rm x.x
rm: remove regular empty file ‘x.x’? y
[root@5e1f26ef0bb2 test]# firejail --force touch x.x
Warning: an existing sandbox was detected. touch will run without any additional sandboxing features
[root@5e1f26ef0bb2 test]# ls
x.x

Some version information from the Docker container:

[root@5e1f26ef0bb2 test]# firejail --version
firejail version 0.9.54
[root@5e1f26ef0bb2 test]# uname -a
Linux 5e1f26ef0bb2 4.13.0-43-generic #48~16.04.1-Ubuntu SMP Thu May 17 12:56:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@5e1f26ef0bb2 test]#


@Vincent43 commented on GitHub (May 24, 2018):

Docker and firejail use similar features like namespaces, seccomp, capabilities. This means firejail is unable to create its own sandbox when run inside docker.

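To make the overlap concrete, here is an added example (not code from the firejail project) that reads the seccomp mode and capability bounding set from a /proc/<pid>/status file, the same kernel state an outer Docker container has already set before firejail runs. The full-mask value for the issue's 4.13 kernel and the Docker bounding set are constructed sample values.

```sh
#!/bin/sh
# Added example, not firejail's own detection logic. Docker and firejail both
# confine a process with seccomp filters and a reduced capability bounding set,
# so a process can see from /proc/self/status whether such confinement is
# already in force (the situation behind "an existing sandbox was detected").

# Seccomp mode from a status file: 0 = none, 1 = strict, 2 = filter
# (filter mode is what both Docker's default profile and firejail use).
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found=1 } END { if (!found) print 0 }' "$1"
}

# Capability bounding set as the hex mask printed on the CapBnd line.
cap_bounding() {
    awk '/^CapBnd:/ { print $2 }' "$1"
}

# Full bounding-set mask for the running kernel: all bits up to cap_last_cap.
# Falls back to the 4.13-era value (CAP_LAST_CAP = 37) when /proc is absent.
full_cap_mask() {
    if [ -r /proc/sys/kernel/cap_last_cap ]; then
        last=$(cat /proc/sys/kernel/cap_last_cap)
        printf '%016x' $(( (1 << (last + 1)) - 1 ))
    else
        printf '0000003fffffffff'
    fi
}

# Print "restricted" when a seccomp filter is active or the bounding set is
# smaller than the full mask ($2, defaulting to this kernel's), else "unrestricted".
sandbox_state() {
    mode=$(seccomp_mode "$1")
    full=${2:-$(full_cap_mask)}
    if [ "$mode" != "0" ] || [ "$(cap_bounding "$1")" != "$full" ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# Constructed sample: a shell inside a default Docker container
# (seccomp filter on, bounding set trimmed to Docker's default 14 capabilities).
DOCKER_STATUS=$(mktemp)
printf 'Name:\tbash\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n' > "$DOCKER_STATUS"
# Constructed sample: an unconfined root shell on the host VM from the issue.
HOST_STATUS=$(mktemp)
printf 'Name:\tbash\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n' > "$HOST_STATUS"

sandbox_state "$DOCKER_STATUS"                    # restricted
sandbox_state "$HOST_STATUS" 0000003fffffffff     # unrestricted
[ -r /proc/self/status ] && sandbox_state /proc/self/status
```

Running the last line inside the issue's container prints "restricted" before firejail is ever invoked, which is exactly the condition firejail's warning reports.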

@kruthe01 commented on GitHub (May 24, 2018):

Thanks for the explanation. We had found this thread: https://github.com/netblue30/firejail/issues/189 and apparently misunderstood the use/purpose of "--force".


@SkewedZeppelin commented on GitHub (May 24, 2018):

--force has also been removed in the latest version of firejail 0.9.54


@srd424 commented on GitHub (Feb 17, 2019):

@SkewedZeppelin:

> --force has also been removed in the latest version of firejail 0.9.54

My desktop environment runs in an nspawn container; I've just started looking at firejail using 0.9.38 (in ubuntu 16.04) .. it seems to run quite happily - and work - with --force. Is there more detail on the decision to drop --force, and/or suggested alternatives?

Reference: github-starred/firejail#1311