Description
Issue Description
Years ago, I built an image based on Fedora that installed Firefox and tigervnc for a lab, and Firefox worked well. That version of Fedora is no longer available on docker.io. I've been trying to upgrade the image and have rebuilt it with the latest versions of Podman, Fedora, Firefox, etc.; however, neither Firefox nor Chromium works (unable to load any page) unless I also run with --privileged.
Running Firefox from the terminal doesn't show any errors in stdout/stderr. Running Chromium shows an error about sys_chroot and a core dump:
$ chromium-browser
Check failed: sys_chroot("/proc/self/fdinfo/") == 0
[...]
Trace/breakpoint trap (core dumped)
The question is how do I determine which podman run permission flags are needed?
Here is a screencast showing the difference:
ScreenRecording.mp4
Steps to reproduce the issue
- Containerfile:
FROM docker.io/fedora:latest
RUN dnf install -y \
chromium \
curl \
firefox \
passwd \
supervisor \
sudo \
tigervnc \
tigervnc-server \
vim \
wget \
@xfce
RUN sudo dnf remove -y xfce4-power-manager && \
printf 'test' > /tmp/remotepassword && \
dbus-uuidgen > /var/lib/dbus/machine-id && \
echo "enforcing=0" | sudo tee -a /etc/security/pwquality.conf && \
printf '#!/bin/sh\n\
read password\n\
echo "${password}" | sudo tee /root/password.txt\n\
echo -n "${password}" | sudo sh -c "vncpasswd -f > /root/.vnc/passwd" || exit 1\n\
echo "root:$(echo -n "${password}")" | sudo sh -c "chpasswd" || exit 1\n\
echo -n "${password}" | sudo sh -c "vncpasswd -f > /home/testuser/.vnc/passwd" || exit 1\n\
echo -n "${password}" | sudo sh -c "passwd --stdin testuser" || exit 1\n\
sudo sed -i "s/password={SHA}.*/password={SHA}$(echo -n "${password}" | sha1sum | awk "{print \\$1}")/g" /etc/supervisord.conf || exit 1\n\
sudo chmod 600 /root/.vnc/passwd || exit 1\n\
sudo chmod -R go-rwx /home/testuser/.vnc || exit 1\n\
sudo chown -R testuser:root /home/testuser/ || exit 1\n\
\n' | sudo tee /usr/local/bin/setpassword.sh && chmod +x /usr/local/bin/setpassword.sh && \
mkdir /root/.vnc && \
mkdir /root/Desktop && \
echo "startxfce4" > /root/.Xclients && \
chmod +x /root/.Xclients && \
adduser -r -g 0 -m testuser && \
usermod -a -G wheel testuser && \
mkdir /home/testuser/.vnc && \
mkdir /home/testuser/Desktop && \
echo "startxfce4" > /home/testuser/.Xclients && \
chmod +x /home/testuser/.Xclients && \
sed -i 's/^%wheel.*/%wheel ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers && \
sed -i 's/^\(Defaults.*env_reset\)/#\1/g' /etc/sudoers && \
printf '#!/bin/sh\n\
unset SESSION_MANAGER\n\
unset DBUS_SESSION_BUS_ADDRESS\n\
exec xfce4-session\n\
' | sudo tee -a /root/.vnc/xstartup && \
chmod a+x /root/.vnc/xstartup && \
cp /root/.vnc/xstartup /home/testuser/.vnc/xstartup && \
chown testuser:root /home/testuser/.vnc/xstartup && \
printf '\n\
[supervisord]\n\
user=root\n\
logfile=/dev/stdout\n\
logfile_maxbytes=0\n\
loglevel=info\n\
pidfile=/var/run/supervisor/supervisord.pid\n\
minfds=1024\n\
minprocs=200\n\
\n\
[unix_http_server]\n\
file=/var/run/supervisor/supervisor.sock\n\
username=root\n\
password={SHA}REPLACEPASSWORD\n\
\n\
[rpcinterface:supervisor]\n\
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface\n\
\n\
[supervisorctl]\n\
serverurl=unix:///var/run/supervisor/supervisor.sock\n\
\n\
[include]\n\
files=/etc/supervisord.d/*.supervisord.conf\n\
' | sudo tee /etc/supervisord.conf && \
printf '\n\
[program:vncserver1]\n\
command=/usr/bin/vncserver :1 -fg\n\
stdout_logfile=/dev/stdout\n\
stdout_logfile_maxbytes=0\n\
redirect_stderr=true\n\
startsecs=1\n\
priority=50\n\
' | sudo tee /etc/supervisord.d/vncserver1.supervisord.conf && \
printf '#!/bin/sh\n\
sleep 5 # Try to avoid deadlock with the root VNC starting at the same time\n\
/usr/sbin/runuser -l testuser -c "/usr/bin/vncserver :2 -fg"\n\
' | sudo tee /usr/local/bin/startvnctestuser.sh && \
sudo chmod +x /usr/local/bin/startvnctestuser.sh && \
printf '\n\
[program:vncserver2]\n\
command=/usr/local/bin/startvnctestuser.sh\n\
stdout_logfile=/dev/stdout\n\
stdout_logfile_maxbytes=0\n\
redirect_stderr=true\n\
startsecs=1\n\
priority=51\n\
' | sudo tee /etc/supervisord.d/vncserver2.supervisord.conf && \
sudo mkdir -p /var/run/supervisor/ && \
printf '#!/bin/sh\n\
ssh-keygen -A || exit 1\n\
\n\
if [ -e /usr/local/bin/extended_entrypoint.sh ]; then\n\
chmod a+x /usr/local/bin/extended_entrypoint.sh\n\
/usr/local/bin/extended_entrypoint.sh || exit 1\n\
fi\n\
\n\
if [ "$#" -gt 0 ]; then\n\
supervisord -c /etc/supervisord.conf &> /var/log/supervisord.log || exit 1 &\n\
exec "$@" || exit 1\n\
else\n\
supervisord -n -c /etc/supervisord.conf || exit 1\n\
fi\n\
\n\
' | sudo tee -a /usr/local/bin/entrypoint.sh && chmod a+rx /usr/local/bin/entrypoint.sh && \
mv /etc/xdg/autostart/xfce-polkit.desktop /etc/xdg/autostart/xfce-polkit.desktop.disabled && \
sudo chmod a+x /usr/share/applications/firefox.desktop && \
sudo ln -s /usr/share/applications/firefox.desktop /home/testuser/Desktop/ && \
sudo chmod a+x /usr/share/applications/xfce4-terminal.desktop && \
sudo ln -s /usr/share/applications/xfce4-terminal.desktop /home/testuser/Desktop/ && \
sudo mkdir -p /root/.config/xfce4/ && \
printf 'WebBrowser=firefox' | sudo tee /root/.config/xfce4/helpers.rc && \
sudo mkdir -p /home/testuser/.config/xfce4/ && \
printf 'WebBrowser=firefox' | sudo tee /home/testuser/.config/xfce4/helpers.rc && \
sudo chown -R testuser:root /home/testuser/ && \
echo -n "$(sudo head -n 1 /tmp/remotepassword)" | /usr/local/bin/setpassword.sh
EXPOSE 5901 5902
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
- podman build --platform linux/amd64 -t browserissue .
- podman run --rm -p 5901:5901 -p 5902:5902 -it browserissue
- Wait about 10 seconds
- open vnc://localhost:5902
- Password is test
- Launch Firefox and no page works.
- Ctrl^C on podman run, add --privileged and re-test, and it works.
Describe the results you received
Firefox and Chromium work with --privileged
Describe the results you expected
Firefox and Chromium work with fewer permission escalations than --privileged
podman info output
host:
arch: amd64
buildahVersion: 1.29.0
cgroupControllers:
- cpuset
- cpu
- io
- memory
- hugetlb
- pids
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.7-2.fc37.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.7, commit: '
cpuUtilization:
idlePercent: 96.16
systemPercent: 2.15
userPercent: 1.7
cpus: 4
distribution:
distribution: fedora
variant: coreos
version: "37"
eventLogger: journald
hostname: localhost.localdomain
idMappings:
gidmap: null
uidmap: null
kernel: 6.1.18-200.fc37.x86_64
linkmode: dynamic
logDriver: journald
memFree: 8161370112
memTotal: 10418253824
networkBackend: netavark
ociRuntime:
name: crun
package: crun-1.8.1-1.fc37.x86_64
path: /usr/bin/crun
version: |-
crun version 1.8.1
commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
rundir: /run/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
remoteSocket:
exists: true
path: /run/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-8.fc37.x86_64
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 0
swapTotal: 0
uptime: 2h 1m 52.00s (Approximately 0.08 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 1
paused: 0
running: 1
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 106769133568
graphRootUsed: 36753084416
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "true"
imageCopyTmpDir: /var/tmp
imageStore:
number: 51
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 4.4.2
Built: 1677669779
BuiltTime: Wed Mar 1 05:22:59 2023
GitCommit: ""
GoVersion: go1.19.6
Os: linux
OsArch: linux/amd64
Version: 4.4.2
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
macOS version
% system_profiler SPSoftwareDataType SPHardwareDataType | grep -v -e UUID -e UDID -e 'User Name' -e 'Computer Name' -e Serial
Software:
System Software Overview:
System Version: macOS 13.2.1 (22D68)
Kernel Version: Darwin 22.3.0
Boot Volume: MainDisk
Boot Mode: Normal
Secure Virtual Memory: Enabled
System Integrity Protection: Disabled
Time since boot: 5 days, 59 minutes
Hardware:
Hardware Overview:
Model Name: MacBook Pro
Model Identifier: MacBookPro15,1
Processor Name: 6-Core Intel Core i7
Processor Speed: 2.6 GHz
Number of Processors: 1
Total Number of Cores: 6
L2 Cache (per Core): 256 KB
L3 Cache: 9 MB
Hyper-Threading Technology: Enabled
Memory: 16 GB
System Firmware Version: 1916.80.2.0.0 (iBridge: 20.16.3045.0.0,0)
OS Loader Version: 564.40.4~66
Activation Lock Status: Enabled
Activity
Luap99 commented on Apr 5, 2023
You need to add --cap-add sys_chroot. Or, better, update to 4.4.3, which added sys_chroot back to the default capabilities because so many applications are broken without it: https://github.com/containers/podman/releases/tag/v4.4.3
kgibm commented on Apr 5, 2023
Ahh, okay, makes sense, thanks!
Remove --privileged as per containers/podman#18046
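The question in this issue, how to find the exact podman run flag instead of reaching for --privileged, comes down to comparing the capabilities the container process actually has with the one the failing syscall needs. chroot(2) fails with EPERM without CAP_SYS_CHROOT, which is what Chromium's sandbox check ("Check failed: sys_chroot(...) == 0") trips over, and the podman info output above lists a default capability set that does not include it. The script below is an added example, not code from the podman project or from this thread: it decodes the CapEff mask a process reports in /proc/self/status (read it inside the container with `podman run --rm IMAGE grep Cap /proc/self/status`) into capability names, and prints the --cap-add flags still missing for a list of capabilities a program requires. The embedded status excerpt is constructed; its mask 00000000800005fb is derived here from the ten capabilities listed under security.capabilities in the podman info output above, and the bit numbering follows linux/capability.h.

```sh
#!/bin/sh
# Added example (not podman project code): decode a CapEff bitmask from
# /proc/<pid>/status into capability names and report which capabilities a
# program still needs, so the fix is "--cap-add=X" rather than "--privileged".
# Capability numbers follow linux/capability.h: position in CAP_NAMES = bit.
set -u

CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID \
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE \
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE \
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT \
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE \
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG \
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"

# cap_number NAME -> prints the bit position of NAME; exit 1 if the name is unknown
cap_number() {
    i=0
    for n in $CAP_NAMES; do
        if [ "$n" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# decode_caps HEXMASK -> prints the names of all set bits, one per line
decode_caps() {
    mask=$((0x$1))
    i=0
    for n in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then echo "$n"; fi
        i=$((i + 1))
    done
}

# has_cap HEXMASK NAME -> exit 0 if NAME is set in the mask, 1 if not, 2 if unknown
has_cap() {
    bit=$(cap_number "$2") || return 2
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# capeff_of_status STATUS_TEXT -> the hex CapEff value from /proc/<pid>/status text
capeff_of_status() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# cap_add_flags HEXMASK NAME... -> one "--cap-add=NAME" line per required capability
# that is missing from the mask (podman accepts the name with or without CAP_)
cap_add_flags() {
    mask=$1; shift
    for want in "$@"; do
        cap_number "$want" >/dev/null || { echo "unknown capability: $want" >&2; return 2; }
        if ! has_cap "$mask" "$want"; then
            echo "--cap-add=${want#CAP_}"
        fi
    done
}

# Constructed sample: what a root process inside a container started by podman
# 4.4.2 with its default capability set (the ten CAP_* names under
# security.capabilities in podman info, no CAP_SYS_CHROOT) reports in
# /proc/self/status. Bits 0,1,3,4,5,6,7,8,10,31 set = 0x800005fb.
SAMPLE_STATUS='Name:   grep
Uid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 00000000800005fb
CapEff: 00000000800005fb
CapBnd: 00000000800005fb
CapAmb: 0000000000000000'

# chroot(2) needs CAP_SYS_CHROOT, so that is the capability Chromium's sandbox
# check is missing; ask which --cap-add flags would supply it.
mask=$(capeff_of_status "$SAMPLE_STATUS")
echo "effective capabilities in CapEff=$mask:"
decode_caps "$mask"
echo "flags to add instead of --privileged:"
cap_add_flags "$mask" CAP_SYS_CHROOT
```

Run it as-is to see the decoding of the constructed mask; against a real container, substitute the CapEff line from `podman run --rm IMAGE grep Cap /proc/self/status` and pass the capabilities the failing program needs (here CAP_SYS_CHROOT, which strace -f on the crashing process would also show as the EPERM on chroot). Re-running with the printed --cap-add flag and checking that CapEff now includes CAP_SYS_CHROOT confirms the fix without widening the container to --privileged.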