Chapter 5. Locked-down, secure Firefox in a container

This section explains how to deploy a locked-down container that runs Firefox. The container gives you a containerized instance of Firefox with the following properties:

  • Completely unprivileged: the container is started without --privileged and needs no extra SELinux tweaking
  • The only host path passed into the container is the cgroup tree, and it is mounted read-only (systemd inside the container needs to see it)
  • No port redirection: no -p mappings are used, so the container is reachable only from the host over the Docker bridge network
  • No X11 clipboard events or X events are shared with your real host; the container runs its own X display, which you reach over VNC
  • No shared sound hardware: audio leaves the container as an HTTP stream rather than through the host's sound devices
  • Everything runs with normal, non-elevated user permissions except for systemd, which runs only to reap the other processes
  • Sound, Flash, and interactivity work, but the audio stream is not synchronized with the VNC display.

Running Firefox Securely in a Container

  1. Retrieve the base image that we use to build this container:

    $ curl -o Fedora-Docker-Base-22-20150521.x86_64.tar.xz -L https://download.fedoraproject.org/pub/fedora/linux/releases/22/Docker/x86_64/Fedora-Docker-Base-22-20150521.x86_64.tar.xz
  2. Load the base image you just downloaded into the local Docker image store:

    $ sudo docker load < Fedora-Docker-Base-22-20150521.x86_64.tar.xz
  3. Create a directory to hold the Dockerfile that will map out this container:

    $ mkdir -p isolated_firefox
  4. Retrieve the Dockerfile by using this curl command:

    $ curl -o isolated_firefox/Dockerfile -L http://pastebin.com/raw.php?i=cgYXQvJu
  5. Build the image from that directory and tag it isolated_firefox (the directory is the build context, so it is given only once):

    $ sudo docker build -t isolated_firefox isolated_firefox
  6. Run the container in the background. The only host path handed in is the cgroup tree, read-only; there are no -p, --privileged, device or X11-socket options:

    $ sudo docker run -d -v /sys/fs/cgroup:/sys/fs/cgroup:ro isolated_firefox
  7. Retrieve the CONTAINER_ID by using the docker ps command:

    $ sudo docker ps
  8. Retrieve the IP address of the container on the Docker bridge (this address is reachable only from the host):

    $ sudo docker inspect -f '{{.NetworkSettings.IPAddress}}' CONTAINER_ID
  9. Open the container in vncviewer:

    $ vncviewer CONTAINER_IP
  10. To hear the audio associated with this container, open a browser and go to the following location:

    http://CONTAINER_IP:8000/firefox.ogg
    Note

    The port is part of the URL: the audio is served on port 8000, so type :8000 after the container address. You can also hand the same URL to VLC to play the stream there.

  11. Run the following command to launch the VLC instance:

    $ vlc http://CONTAINER_IP:8000/firefox.ogg
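The steps above are typed one at a time. The following POSIX shell script is an added example, not part of the original page or the isolated_firefox project: it wraps the build and run steps in functions and, more usefully, adds a check that the running container actually matches the isolation claims made at the top of this chapter (not privileged, no published ports, no host bind mounts other than the read-only cgroup tree, no host devices). The check reads those settings through docker inspect -f Go templates, whose rendering for empty values (map[] for PortBindings, [] for Binds and Devices) is what assess_isolation expects. The function names, the IMAGE variable and the `run` argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: automate "Running Firefox Securely in a Container" and verify
# that the started container still has the locked-down profile described above.
set -e

IMAGE=isolated_firefox                                  # assumed image/tag name
BASE=Fedora-Docker-Base-22-20150521.x86_64.tar.xz
BASE_URL="https://download.fedoraproject.org/pub/fedora/linux/releases/22/Docker/x86_64/$BASE"
DOCKERFILE_URL='http://pastebin.com/raw.php?i=cgYXQvJu'

# Steps 1-5: fetch the base image and Dockerfile, then build the image.
build_image() {
    [ -f "$BASE" ] || curl -o "$BASE" -L "$BASE_URL"
    sudo docker load < "$BASE"
    mkdir -p "$IMAGE"
    curl -o "$IMAGE/Dockerfile" -L "$DOCKERFILE_URL"
    sudo docker build -t "$IMAGE" "$IMAGE"
}

# Step 6: start the container detached; the only host path is the read-only cgroup tree.
# Prints the container ID.
start_container() {
    sudo docker run -d -v /sys/fs/cgroup:/sys/fs/cgroup:ro "$IMAGE"
}

# Step 8: bridge IP of the container.
container_ip() {
    sudo docker inspect -f '{{.NetworkSettings.IPAddress}}' "$1"
}

# Steps 10-11: the audio stream URL for a given container IP.
audio_url() {
    printf 'http://%s:8000/firefox.ogg\n' "$1"
}

# Pure check, so it can be run against sample values as well as a live container.
# Arguments are the rendered values of .HostConfig.Privileged, .HostConfig.PortBindings,
# .HostConfig.Binds and .HostConfig.Devices. Returns 0 only if every isolation claim holds.
assess_isolation() {
    privileged=$1; ports=$2; binds=$3; devices=$4
    ok=0
    [ "$privileged" = "false" ] || { echo "FAIL: container runs with --privileged"; ok=1; }
    [ "$ports" = "map[]" ]      || { echo "FAIL: ports published to the host: $ports"; ok=1; }
    # Every bind mount other than the read-only cgroup tree (e.g. /tmp/.X11-unix, /dev/snd
    # or a home directory) would share host state with the browser.
    for b in $(printf '%s' "$binds" | tr -d '[]'); do
        case "$b" in
            /sys/fs/cgroup:/sys/fs/cgroup:ro) ;;
            *) echo "FAIL: unexpected bind mount: $b"; ok=1 ;;
        esac
    done
    [ "$devices" = "[]" ]       || { echo "FAIL: host devices passed in: $devices"; ok=1; }
    return $ok
}

# Live version of the check for a running container ID.
inspect_and_assess() {
    cid=$1
    assess_isolation \
        "$(sudo docker inspect -f '{{.HostConfig.Privileged}}'   "$cid")" \
        "$(sudo docker inspect -f '{{.HostConfig.PortBindings}}' "$cid")" \
        "$(sudo docker inspect -f '{{.HostConfig.Binds}}'        "$cid")" \
        "$(sudo docker inspect -f '{{.HostConfig.Devices}}'      "$cid")"
}

# Only touch Docker when explicitly asked: ./isolated_firefox.sh run
case "${1:-}" in
    run)
        build_image
        cid=$(start_container)
        inspect_and_assess "$cid"
        ip=$(container_ip "$cid")
        echo "VNC target: $ip"
        echo "Audio:      $(audio_url "$ip")"
        ;;
esac
```

Run the script with the `run` argument to perform the whole procedure; if assess_isolation prints a FAIL line, the container was started with an option that breaks one of the guarantees (a published port, an extra bind mount, a device, or --privileged) and should not be trusted as the isolated browser.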