Firejail doesn't work in Docker #347

mwz · 2019-03-15T11:26:20Z

Hi @fthomas, I've discovered that firejail doesn't work in Docker:

$ firejail echo hello
Warning: an existing sandbox was detected. echo will run without any additional sandboxing features

Running it with the --force flag, which is supposed to disable the PID namespace checking, results in the following error:

$ firejail --force echo hello
Error clone: main.c:2519 main: Operation not permitted

Additionally, the --force flag was removed in firejail 0.9.54 and apparently it is not possible to run firejail in Docker anymore (I asked about this recently netblue30/firejail#2579).

I think we should remove firejail from scala-steward docker image and force it to run without the sandbox when the command isn't found or make it explicit in the docs that the sandboxing features don't work when running scala-steward in Docker.

The text was updated successfully, but these errors were encountered:

fthomas · 2019-03-23T16:09:44Z

Oh no...

Removing firejail from the Docker image and adding a note to the docs to run it with --disable-sandbox in Docker seems fine to me.

Btw, thanks for investigating this!

fthomas added the documentation label May 26, 2019

implmnt mentioned this issue Mar 22, 2020

Optimize docker image size #1370

Merged

fthomas closed this as completed in #1370 Mar 24, 2020

alejandrohdezma mentioned this issue May 6, 2020

Remove --whitelist and --read-only options scala-steward-org/scala-steward-action#3

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Firejail doesn't work in Docker #347

Firejail doesn't work in Docker #347

mwz commented Mar 15, 2019

fthomas commented Mar 23, 2019

Firejail doesn't work in Docker #347

Firejail doesn't work in Docker #347

Comments

mwz commented Mar 15, 2019

fthomas commented Mar 23, 2019