Comments (30)
Hey guys. Dropping by after I saw my username mentioned here 😄
Here are the main difficulties I found trying to get warsaw running inside a container:
1. Warsaw will simply not install unless /sbin/init is PID 1.
2. The fact that the official download URL has no version identification also makes for unpredictable re-builds.
3. There are no command line options for any of the binaries installed, such as --help or -h. No man pages at all.
Because of (1), a number of other side issues come up.
For one, I was unable to get systemd running using rootless docker. It needs absolute permissions by running the container with --privileged and access to your root's dockerd. Because of all these privileges, the most recent version of systemd in the ubuntu:20.04 docker image conflicts with the instance of systemd running outside the container. I'm developing with ArchLinux and my entire user session is hijacked by the container systemd instance until I reboot.
I have not found a way to get warsaw properly running unless /sbin/init is pid 1. And since that's the case, might as well use systemd to run all other services needed to get the browser up and running inside the container as well.
To put it nicely, warsaw is a b****. A blackbox that deserves to be reverse engineered by an expert. It is a terrible solution to a bad problem.
from wscef-docker.
Folks, sorry, I am going to reply in Portuguese 🇧🇷 even though the whole discussion is in English 🇺🇸, since warsaw is perhaps only relevant in Brazil anyway.
My comments on the messages from @fzamperin and @farribeiro.
The problem does still persist and it is with warsaw, which apparently needs to be launched by init. I say "apparently" because there is no documentation for warsaw and I reached this conclusion from my own experiments and @juliohm1978's report.
Personally, I don't feel comfortable using older versions of Warsaw because there have already been security incidents and malfunctions. And unless I'm mistaken, it runs with root permission.
I use internet banking regularly (I prefer it for some activities) and, building on the work of the people in this thread 🧵, I went for a rootless, no-root solution using podman. With it I can even download files (statements, receipts, etc.) and open them on the host machine.
https://github.com/rcassaniga/podman_bb
Best regards to all,
Cassaniga
from wscef-docker.
Maybe a broken link of Warsaw. I will see soon
from wscef-docker.
No. It is downloaded, installed and running inside the container.
from wscef-docker.
I tested both @farribeiro and @jsalatiel solutions. I confirm, unfortunately both are not working for BB. The link for downloading the warsaw package is fine. The problem must be something else.
I tested a third solution from @juliohm1978 at dockerbb that worked for me. But it uses VNC to export the browser instead of using X protocol. His docker uses ubuntu, but the main difference, from my point of view, between dockerbb and wsbb or wscef is that dockerbb uses init and starts some basic services.
It is interesting to mention: when I tried to install manually the warsaw package file inside container it complained PID 1 was not init.
I appreciate your time dedicated on a docker for BB/CEF. If could help you, let me know. I really would like to have a solution using X protocol instead of VNC.
from wscef-docker.
Running in Ubuntu 21.04, showing the warsaw is operational. But not applied the cef conf files
PS: in login pages of cef and bb not have warning about the warsaw
from wscef-docker.
When I have some free time I will try to run the container using podman instead of docker.
Podman plays nice with init/systemd inside the container and does not require privileged flag.
from wscef-docker.
cc @awerlang
from wscef-docker.
That would be great, @jsalatiel. Let us know if you get this to work.
Podman is not widely available as docker, but it's a start.
from wscef-docker.
Sure I will. @juliohm1978 thanks for debugging this , btw =)
from wscef-docker.
When I have some free time I will try to run the container using podman instead of docker.
Podman plays nice with init/systemd inside the container and does not require privileged flag.
The podman can't run the wcef-docker actual docker-compose.yml
... i think be the version of yml file
from wscef-docker.
... ubuntu:20.04 docker image ...
I used the ubuntu in the past, but many people wanted to use debian, maybe has low footprint image
from wscef-docker.
@juliohm1978 It worked on podman. I created a new repo. Thanks for your effort debugging. It does not need --privileged flags, although it requires 2 capabilities: CAP_AUDIT_WRITE ( on recent kernels ) and CAP_SYS_PTRACE ( this is probably to strace our data )
I decided to remove all the VNC requirements. Just like @rcassaniga I prefer pure X protocol.
@farribeiro I haven't tried your version with podman, but podman > 3.0 does support docker-compose.yml files by itself. ( not using podman-compose ). If you use podman-compose probably it will not work.
from wscef-docker.
That is excellent! Works like a charm. Works with podman and docker.
But it still needs the usual sudo. I tried both rootless docker and rootless podman.
In rootless mode, I was not able to get the browser started because the mount volume /home/user/.Xauthority appears as root inside the container. The uid/gid mapping is different and my common host user gets mapped to root. You'd have to change permissions on the real /home/user/.Xauthority, but that'll probably mess up the X session for the host user.
Also, docker is unable to run with just --cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_PTRACE. It still needs full --privileged.
Other than that, it works great. I'm thinking of using the same idea for dockerbb. It's a lot lighter and easier to use.
Thank you!
from wscef-docker.
That is excellent! Works like a charm. Works with podman and docker.
But it still needs the usual sudo. I tried both rootless docker and rootless podman.
In rootless mode, I was not able to get the browser started because the mount volume /home/user/.Xauthority appears as root inside the container. The uid/gid mapping is different and my common host user gets mapped to root. You'd have to change permissions on the real /home/user/.Xauthority, but that'll probably mess up the X session for the host user.
Also, docker is unable to run with just --cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_PTRACE. It still needs full --privileged.
Other than that, it works great. I'm thinking of using the same idea for dockerbb. It's a lot lighter and easier to use.
Thank you!
It works rootless if you remove the .Xauthority mapping and just run 'xhost +' inside the host X session
from wscef-docker.
I am running podman rootless and it was working seamlessly up to a couple weeks ago. I moved to a VM when it stopped working, to get things done.
In short:
- Works with podman rootless
- With --init (i.e. tini)
- Without --privileged, no sudo package inside container (we drop privileges, never acquire)
- With only capabilities: SETUID SETGID AUDIT_WRITE DAC_OVERRIDE CHOWN
- Copying XAUTHORITY to the stopped container, as it moves across boots, no xhost.
I switched to chromium since firefox stopped working in all containers I have. It worked for a while then warsaw stopped working. Chromium wants some dbus access which is possible to make available to it, but didn't manage to get it working again. Didn't strace this time though.
I'm using make instead of compose, but see no reason why it shouldn't work with podman-compose. docker-compose requires rootful podman atm.
For reference, I reworked to an openSUSE base: https://github.com/awerlang/containers/tree/master/warsaw, my wip is in the develop branch, it's an overhaul of browsers and GUI containers.
I don't expect to have bandwidth to debug the issue this week, but will keep an eye on it.
from wscef-docker.
I don't know about my solution, is deprecated?
@juliohm1978 @jsalatiel @rcassaniga @awerlang
from wscef-docker.
I do not think any solution should be deprecated. The more solutions we have the better.
from wscef-docker.
I don't know about my solution, is deprecated?
We don't know yet why it stopped working, maybe it is requiring new capabilities or being started in a specific way, since about 2 weeks ago. Once we figure that out we can update any existing solutions, this one being quite good given it doesn't require --privileged.
from wscef-docker.
The @jsalatiel and @awerlang solutions are very similar... because using makefile instead of docker-compose.yml file
from wscef-docker.
IIRC the @Feaneron tried to put warsaw in the flatpak, but without success
from wscef-docker.
An interesting link for reference
https://fedoramagazine.org/using-ansible-to-configure-podman-containers/
https://fedoramagazine.org/use-docker-compose-with-podman-to-orchestrate-containers-on-fedora/
from wscef-docker.
I am going to archive this GitHub, may I?
from wscef-docker.
I don't know if this issue still persists, but I have an automated tool using python selenium that uses warsaw with chrome, I had many problems with new versions of warsaw, instead of adding it directly from link to get the updated version in every build, I decided to pin an old version and add to my repository, It took me many hours to test the right version since I had to search for the right version in older images.
The warsaw version I'm using is pretty old, but still working flawless. Just a point, I don't need to use any X server on my image. If there's something I can help, it would be a pleasure.
from wscef-docker.
Thank you for the interest in the project, but it is not known whether the problem persists (I need new tests), so the project was abandoned because it is of no use to the others in the thread (the first goal) or to me (using a cell phone).
Other contributors are redesigning this project with other options and using podman (two solutions). I rarely know how to use podman with docker-compose. It may be on the path again. By the way, this project was originally developed for docker/docker-compose.
This issue is open to messages and tips on how to improve the contributors' solutions.
I recommend taking a look at the @awerlang and @jsalatiel projects.
I hope this is useful.
Regards,
Fábio
from wscef-docker.
The warsaw version I'm using is pretty old, but still working flawless. Just a point, I don't need to use any X server on my image. If there's something I can help, it would be a pleasure.
I recommend using the latest version of warsaw.
Regards,
Fábio
from wscef-docker.
IIRC the @Feaneron tried to put warsaw in the flatpak, but without success
I think the natural way to continue this project is to turn it into a flatpak. But warsaw is a system daemon, so I need to think about how to package that.
By the way... it (the package) is also a problem because the solution requires compiling locally.
from wscef-docker.
Hi @rcassaniga!
Warsaw really is a mystery. One of the few things I know about it is that it is written in C++ and is full of internal validations to try to guarantee that it is running in the way the banks intended. Security through obscurity has never been the best of practices, but anyway... it's what we have to use :)
I need to spend more time on the project to understand systemd better. It seems it has been receiving improvements to run better in containerized environments. It may have some features that could be taken advantage of, but it is hard to find examples on the Internet.
Good luck!
from wscef-docker.
Attention participants of this thread... @rcassaniga / @jsalatiel / @fzamperin / @juliohm1978 / @awerlang
I updated the project's base image, but I did not run any tests. In commit efe953a
Regards,
Fábio
from wscef-docker.