Develop Reference

"rootless" docker gets permission denied, but account running docker does not - why?

I am running docker "rootless" according to this guide: https://docs.docker.com/engine/security/rootless/
The user which actually runs docker is svc_test.
When I try and start a docker container which has diretory mounts which don't exists - the docker daemon (a.k.a. svc_test user) attempts to mkdir these directories, but fails with
docker: Error response from daemon: error while creating mount source path '/dir_path/dir_name': mkdir /dir_path/dir_name: permission denied.
When I (svc_test) them attempt to do mkdir /dir_path/dir_name I succeed without any issues.
What is going on here and why does this happen?
Clearly I am missing something, but I can't trace what is that exactly.
Update 1:
This is the specific docker cmd I use to run the container:
docker run -d --restart unless-stopped \
--name questdb \
-e QDB_METRICS_ENABLED=TRUE \
--network="host" \
-v /my_mounted_volume/questdb:/questdb \
-v /my_mounted_volume/questdb/public:/questdb/public \
-v /my_mounted_volume/questdb/conf:/questdb/conf \
-v /my_mounted_volume/questdb/db:/questdb/db \
-v /my_mounted_volume/questdb/log:/questdb/log \
questdb/questdb:6.5.2 /usr/bin/env QDB_PACKAGE=docker /app/bin/java \
-m io.questdb/io.questdb.ServerMain \
-d /questdb \
-f
For clarity: my final goal is to be able to run the docker container in question from the same user form which I run my docker daemon (the svc_test user). Hence how I stumbled on this problem.

Using sickcodes/Docker-OSX, how to boot directly into an OS X shell with no display (Xvfb) [HEADLESS], using a custom image?

With the following command, I tried to boot directly into an OS X shell with no display (Xvfb) [HEADLESS], using the sickcodes/docker-osx:naked docker image with a custom Mojave image.
# run your own image headless + SSH
docker run -it \
--device /dev/kvm \
-p 50922:10022 \
-v "${PWD}/mac_hdd_ng.img:/image" \
sickcodes/docker-osx:naked
However it ends up with the following error message:
nohup: appending output to 'nohup.out'
nohup: failed to run command 'Xvfb': No such file or directory
Details to reproduce:
The version of the sickcodes/docker-osx:naked docker image is: https://hub.docker.com/layers/docker-osx/sickcodes/docker-osx/naked/images/sha256-ffff65c24b7a1588dd665f07f52a48ef5efb9941c2e2fa07573e66524029ab08
The custom image - mac_hdd_ng.img is generated by running:
docker run -it \
--device /dev/kvm \
-p 50922:10022 \
-v /tmp/.X11-unix:/tmp/.X11-unix \
-e "DISPLAY=${DISPLAY:-:0.0}" \
sickcodes/docker-osx:mojave
sudo find /var/lib/docker -size +10G | grep mac_hdd_ng.img # https://github.com/sickcodes/Docker-OSX#container-creation-examples
This youtube video provides a detailed example of using sickcodes/docker-osx to run Mac OS X in Docker.

Building and using the Docker Image using https://github.com/sickcodes/Docker-OSX/blob/master/Dockerfile.naked with the following edits solved the issue.
Replace Line 63 in Dockerfile.naked
RUN pacman -Syu xorg-server-xvfb wget xterm xorg-xhost xorg-xrandr sshpass --noconfirm \
With
RUN pacman -Sy xorg-server-xvfb wget xterm xorg-xhost xorg-xrandr sshpass --noconfirm \
References:
https://github.com/sickcodes/Docker-OSX/issues/515
https://github.com/sickcodes/Docker-OSX/issues/498

Docker not seeing a path

My docker script is this:
docker run --interactive --tty --rm \
--volume=$HOME/neo4j/data:/data \
--volume=$HOME/neo4j/backups:/backups \
neo4j/neo4j-admin:4.4.9 \
neo4j-admin load --database=neo4j --from=/backups/neo4j.dump
When I run it, I'm getting:
docker: invalid reference format.
See 'docker run --help'.
zsh: no such file or directory: --volume=/Users/ironside/neo4j/backups:/backups
zsh: no such file or directory: neo4j/neo4j-admin:4.4.9
But if I do cd $HOME/neo4j/backups and pwd I get /Users/ironside/neo4j/backups. So it exists. Same with the .dump file. It's there.
The data part works, which is very confusing. I'm trying to follow this part from the docs:
https://neo4j.com/docs/operations-manual/current/docker/maintenance/#docker-neo4j-dump
docker run --interactive --tty --rm \
--volume=$HOME/neo4j/data:/data \
--volume=$HOME/neo4j/backups:/backups \
neo4j/neo4j-admin:4.4.9 \
neo4j-admin load --database=neo4j --from=/backups/<dump-name>.dump
What am I missing here?
I'm using a MAC (MacBook Pro (16-inch, 2021)) with Apple M1 Pro chip.

How can I run fIrefox from within a docker container

I'm trying to create a docker container that will let me run firefox, so I can eventually use a jupyter notebook. Right now, although I have successfully installed firefox, I cannot get a window to open.
Following instructions from running-gui-apps-within-docker, I created an image (i.e. "sample") with Firefox and then tried to run it using
$ docker run -it --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix --net=host sample
When I did so, I got the following error:
root#machine:~# firefox
No protocol specified
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :1
Using man docker run to understand the flags, I was not able to find the --net flag, though I did see a --network flag. However, replacing --net with --network didn't change anything. How do I specify a protocol, that will let me create an image from whose containers I will be able to run firefox?
PS - For what it's worth, when I check the value of DISPLAY, I get the predictable:
~# echo $DISPLAY
:1

I have been running firefox inside docker for quite some time so this is possible. With regards to the security aspects I think the following is the relevant parts:
Building
The build needs to match up uid/gid values with the user that is running the container. I do this with UID and GID build args:
Dockerfile
...
FROM fedora:35 as runtime
ENV DISPLAY=:0
# uid and gid in container needs to match host owner of
# /tmp/.docker.xauth, so they must be passed as build arguments.
ARG UID
ARG GID
RUN \
groupadd -g ${GID} firefox && \
useradd --create-home --uid ${UID} --gid ${GID} --comment="Firefox User" firefox && \
true
...
ENTRYPOINT [ "/entrypoint.sh" ]
Makefile
build:
docker pull $$(awk '/^FROM/{print $$2}' Dockerfile | sort -u)
docker build \
-t $(USER)/firefox:latest \
-t $(USER)/firefox:`date +%Y-%m-%d_%H-%M` \
--build-arg UID=`id -u` \
--build-arg GID=`id -g` \
.
entrypoint.sh
#!/bin/sh
# Assumes you have run
# pactl load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 auth-anonymous=1
# on the host system.
PULSE_SERVER=tcp:127.0.0.1:4713
export PULSE_SERVER
if [ "$1" = /bin/bash ]
then
exec "$#"
fi
exec /usr/local/bin/su-exec firefox:firefox \
/usr/bin/xterm \
-geometry 160x15 \
/usr/bin/firefox --no-remote "$#"
So I am running firefox as a dedicated non-root user, and I wrap it via xterm so that the container does not die if firefox accidentally exit or if you want to restart. It is a bit annoying having all these extra xterm windows, but I have not found any other way in preventing accidental loss of the .mozilla directory content (mapping out to a volume would prevent running multiple independent docker instances which I definitely want, and also from a privacy point of view not dragging along a long history is something I want. Whenever I do want to save something I make a copy of the .mozilla directory and save it on the host computer (and restore later in a new container)).
Running
run.sh
#!/bin/bash
export XSOCK=/tmp/.X11-unix
export XAUTH=/tmp/.docker.xauth
touch ${XAUTH}
xauth nlist ${DISPLAY} | sed -e 's/^..../ffff/' | uniq | xauth -f ${XAUTH} nmerge -
DISPLAY2=$(echo $DISPLAY | sed s/localhost//)
if [ $DISPLAY2 != $DISPLAY ]
then
export DISPLAY=$DISPLAY2
xauth nlist ${DISPLAY} | sed -e 's/^..../ffff/' | uniq | xauth -f ${XAUTH} nmerge -
fi
ARGS=$(echo $# | sed 's/[^a-zA-Z0-9_.-]//g')
docker run -ti --rm \
--user root \
--name firefox-"$ARGS" \
--network=host \
--memory "16g" --shm-size "1g" \
--mount "type=bind,target=/home/firefox/Downloads,src=$HOME/firefox_downloads" \
-v ${XSOCK}:${XSOCK} \
-v ${XAUTH}:${XAUTH} \
-e XAUTHORITY=${XAUTH} \
-e DISPLAY=${DISPLAY} \
${USER}/firefox "$#"
With this you can for instance run ./run.sh https://stackoverflow.com/ and get a container named firefox-httpsstackoverflow.com. If you then want to log into your bank completely isolated from all other firefox instances (protected by operating system process boundaries, not just some internal browser separation) you run ./run.sh https://yourbank.example.com/.

Try run xhost + in your docker host to allow conections with X server.

Docker container as default application

I have Firefox nightly running in a container. I'm looking for a solution to configure it as my default browser application(ubuntu 18.04).
So my question is, how to configure a Docker container as default system application in Ubuntu.
My docker command is:
docker run -d --net=host -v ~/:/home/firefox -v /tmp/.X11-unix:/tmp/.X11-unix \
-e DISPLAY=unix:0 -v /dev/shm:/dev/shm --device /dev/snd \
--group-add 29 -e PULSE_SERVER=unix:/run/user/1000/pulse/native \
-v /run/user/1000/pulse/native:/run/user/1000/pulse/native \
firefox-nightly
I suppose I must create a new mime file, but not sure how to do it, to be able to create the container with all these parameters.
Thanks

One alternative is to create a new .desktop file (e.g: /usr/share/applications/firefox-docker.desktop).
I just copied the existing firefox.desktop and changed Exec sections with the command using docker (*)
Then use xdg-utils (**) configure it as default browser application:
xdg-settings set default-web-browser firefox-docker.desktop.
*: To keep the .desktop file cleaner, you could create an executable file in system PATH (e.g: /usr/bin): docker-firefox:
xhost +
docker run --net=host -v ~/:/home/firefox -v /tmp/.X11-unix:/tmp/.X11-unix \
-e DISPLAY=unix:0 -v /dev/shm:/dev/shm --device /dev/snd \
--group-add 29 -e PULSE_SERVER=unix:/run/user/1000/pulse/native \
-v /run/user/1000/pulse/native:/run/user/1000/pulse/native \
firefox-nightly $#
Note the $# at the end. And make it executable so it can be executed as a normal application.
**: The link is from Arch documentation, but it works in Ubuntu as well.