[GH-ISSUE #692] Running docker via firejail #473

Closed
opened 2026-05-05 05:55:43 -06:00 by gitea-mirror · 6 comments

Originally created by @agamdua on GitHub (Aug 8, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/692

This is not an "issue" - just trying to understand something and was directed here from the support page.

On the FAQ there's a [section](https://firejail.wordpress.com/support/frequently-asked-questions/#docker) mentioning that docker can be run under firejail, and with the below command I can definitely do that.

```shell
$ sudo firejail --private docker run hello-world
```

Is there a point to still use it this way if I have to use `sudo` to be root for docker anyway?


@netblue30 commented on GitHub (Aug 9, 2016):

It wouldn't make sense to run it this way. I've seen people doing the other way around: start docker, and inside docker, as root, they run the server programs under firejail. You can also use a docker filesystem and mount it in firejail using --chroot, but you still have to be root to do it and start programs in the jail.


@agamdua commented on GitHub (Aug 10, 2016):

So I tried something which seems to suggest there is _some_ benefit:

```
$ ls -al /home/
total 16
drwxr-xr-x  4 root    root    4096 Aug  8 01:51 .
drwxr-xr-x 23 root    root    4096 Aug  8 01:35 ..
drwxr-xr-x  4 vagrant vagrant 4096 Aug  8 01:50 vagrant
drwxr-xr-x  2 root    root    4096 Aug  8 01:59 workspace
```

Now I want to see what happens to root while in a firejail:

```
vagrant@vagrant:~$ sudo firejail --private --noprofile
Parent pid 8022, child pid 8023
The new log directory is /proc/8023/root/var/log

Child process initialized
[root@vagrant root]$ cd /home/
[root@vagrant home]$ ls
[root@vagrant home]$ mkdir dummy
[root@vagrant home]$ ls
dummy
[root@vagrant home]$ exit
exit

parent is shutting down, bye...
```

Apparently at this stage it cannot really see anything else apart from what is in the current firejail "session". That's odd, because above we see that `workspace` is owned by `root:root`.

If we switch to `root` and `ls` yet again:

```
vagrant@vagrant:~$ sudo su
root@vagrant:/home/vagrant# ls -al /home/
total 16
drwxr-xr-x  4 root    root    4096 Aug  8 01:51 .
drwxr-xr-x 23 root    root    4096 Aug  8 01:35 ..
drwxr-xr-x  4 vagrant vagrant 4096 Aug  8 01:50 vagrant
drwxr-xr-x  2 root    root    4096 Aug  8 01:59 workspace
root@vagrant:/home/vagrant#
```

Interestingly enough, it can see everything from before the "session", but the `dummy` dir never gets created.


@netblue30 commented on GitHub (Aug 11, 2016):

In your case, a tmpfs filesystem is mounted on top of /home in order to protect the existing user accounts. All new files you bring under /home will get lost when you close the sandbox.

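The tmpfs-over-/home behaviour described in the comment above can be checked from inside the sandbox by reading `/proc/self/mountinfo` and finding which mount backs a given path. The script below is an added example, not code from the thread or from firejail: the mountinfo sample is constructed to resemble what a `firejail --private` sandbox shows, and `live_mounts()` (a hypothetical helper) reads the real table when run inside one.

```python
"""Report which filesystem backs a path, so a script can tell before writing
whether the file will survive the sandbox. Under `firejail --private`, /home
is covered by a tmpfs, so anything created there is discarded on exit."""
from pathlib import PurePosixPath

# Constructed sample in /proc/self/mountinfo format (not captured from a real
# system): root on ext4, tmpfs mounted over /home as firejail --private does.
SAMPLE_MOUNTINFO = """\
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 20 0:30 / /home rw,nosuid,nodev - tmpfs tmpfs rw
46 20 0:31 / /proc rw,nosuid,nodev,noexec - proc proc rw
"""


def parse_mountinfo(text):
    """Return (mount_point, fstype) pairs from text in mountinfo format."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - " have fixed positions; fstype is the first
        # field after the separator (optional fields may precede it).
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        mount_point = fields[4].replace("\\040", " ")  # spaces are escaped
        mounts.append((mount_point, post.split()[0]))
    return mounts


def live_mounts():
    """Hypothetical helper: parse the calling process's own mount table."""
    with open("/proc/self/mountinfo") as f:
        return parse_mountinfo(f.read())


def backing_fs(path, mounts):
    """Filesystem type of the longest mount point that is a prefix of path."""
    p = PurePosixPath(path)
    best = None
    for mount_point, fstype in mounts:
        mp = PurePosixPath(mount_point)
        if (p == mp or mp in p.parents) and (
            best is None or len(mp.parts) > len(best[0].parts)
        ):
            best = (mp, fstype)
    return best[1] if best else None


def write_persists(path, mounts):
    """False when the path is on tmpfs, i.e. sandbox-private and lost on exit."""
    return backing_fs(path, mounts) != "tmpfs"
```

Run inside `sudo firejail --private --noprofile` with `live_mounts()` in place of the sample, `/home/dummy` reports tmpfs while a path under `/` that is not covered by a private mount reports the host filesystem, matching what the thread observed.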

@agamdua commented on GitHub (Aug 11, 2016):

Also, I am not extremely familiar with this vs the alternatives like AppArmor - I am looking these things up and reading into docker docs for security https://docs.docker.com/engine/security/security/


@agamdua commented on GitHub (Aug 11, 2016):

> tmpfs filesystem is mounted on top of /home

I see - I am able to create things in `/` that persist.

Would it be smarter to just build docker with seccomp and configure it via this: https://docs.docker.com/engine/security/seccomp/ ?

Thanks for answering the questions - it's helped clear the confusion!

Update: I just want to add that I am not asking as a "how can I do this", there are a variety of ways of how to achieve what I want. Just wondering if firejail is really the right tool for the job, and if not (which you've mentioned before) then why. Thanks again for your time! :)


@netblue30 commented on GitHub (Aug 12, 2016):

It depends what you need it for. If you are looking for a virtualization solution you stay with docker and configure seccomp, capabilities, SELinux or AppArmor and everything else they have available. Or you can start your server under firejail inside your docker container. Firejail is strictly a security solution. It has some virtualization features but it doesn't come close to docker.
