wscef-docker
wscef-docker copied to clipboard
farribeiro
Still working?
I tested both @farribeiro and @jsalatiel solutions. I confirm, unfortunately both are not working for BB. The link for downloading the warsaw package is fine. The problem must be something else. I tested a third solution from @juliohm1978 at dockerbb that worked for me. But it uses VNC to export the browser instead of using X protocol. His docker uses ubuntu, but the main difference, from my point of view, between dockerbb and wsbb or wscef is that dockerbb uses init and starts some basic services. It is interesting to mention: when I tried to install manually the warsaw package file inside container it complained PID 1 was not init. I appreciate your time dedicated on a docker for BB/CEF. If could help you, let me know. I really would like to have a solution using X protocol instead of VNC.
Running in Ubuntu 21.04, showing the warsaw is operational. But not applied the cef conf files
PS: in login pages of cef and bb not have warning about the warsaw
Hey guys. Dropping by after I saw my username mentioned here :smile:
Here are the main difficulties I found trying to get warsaw running inside a container:
-
Warsaw will simply not install unless /sbin/init is PID 1.
-
The fact that the official download URL has no version identification also makes for unpredictable re-builds
-
There are no command line options for any of the binaries installed, such as
--helpor-h. No man pages at all.
Because of (1), a number of other side issues come up.
For one, I was unable to get systemd running using rootless docker. It needs absolute permissions by running the continer with --privileged and access to your root's dockerd. Because of all these privileges, the most recent version of systemd in the ubuntu:20.04 docker image conflicts with the instance of systemd running outside the container. I'm developing with ArchLinux and my entire user session is hijacked by the container systemd instance until I reboot.
I have not found a way to get warsaw properly running unless /sbin/init is pid 1. And since that's the case, might as well use systemd to run all other services needed to get the browser up and running inside the container as well.
To put it nicely, warsaw is a b****. A blackbox that deserves to be reverse engineered by an expert. It is an terrible solution to a bad problem.
When I have some free time I will try to run the container using podman instead of docker. Podman plays nice with init/systemd inside the container and does not require privileged flag.
That would be great, @jsalatiel. Let us know if you get this to work.
Podman is not widely available as docker, but it's a start.
When I have some free time I will try to run the container using podman instead of docker. Podman plays nice with init/systemd inside the container and does not require privileged flag.
The podman can't run the wcef-docker actual docker-compose.yml... i think be the version of yml file
... ubuntu:20.04 docker image ...
I used the ubuntu in the past, but many people wanted to use debian, maybe has low footprint image
@juliohm1978 It worked on podman. I created a new repo. Thanks for your effort debugging. It does not need --privileged flags, although it requires 2 capabilities: CAP_AUDIT_WRITE ( on recent kernels ) and CAP_SYS_PTRACE ( this is probably to strace our data )
I decided to remove all the VNC requirements. Just like @rcassaniga I prefer pure X protocol.
@farribeiro I haven't tried your version with podman, but podman > 3.0 does support docker-compose.yml files by itself. ( not using podman-compose ). If you use podman-compose probably it will not work.
That is excellent! Works like a charm. Works with podman and docker.
But it still needs the usual sudo. I tried both rootless docker and rootless podman.
In rootless mode, I was not able to get the browser started because the mount volume /home/user/.Xauthority appears as root inside the container. The uid/gid mapping is different and my common host user gets mapped to root. You'd have to change permissions on the real /home/user/.Xauthority, but that'll probably mess up the X session for the host user.
Also, docker does is unable to run with just --cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_PTRACE. It still needs full --privileged.
Other than that, it works great. I'm thinking of using the same idea for dockerbb. It's a lot lighter and easier to use.
Thank you!
That is excellent! Works like a charm. Works with podman and docker.
But it still needs the usual
sudo. I tried both rootless docker and rootless podman.In rootless mode, I was not able to get the browser started because the mount volume
/home/user/.Xauthorityappears as root inside the container. The uid/gid mapping is different and my common host user gets mapped to root. You'd have to change permissions on the real/home/user/.Xauthority, but that'll probably mess up the X session for the host user.Also, docker does is unable to run with just
--cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_PTRACE. It still needs full--privileged.Other than that, it works great. I'm thinking of using the same idea for dockerbb. It's a lot lighter and easier to use.
Thank you!
It works rootless if you remove the .Xauthority mapping and just run 'xhost +' inside the host X session
I am running podman rootless and it was working seamlessly up to a couple weeks ago. I moved to a VM when it stopped working, to get things done.
In short:
- Works with podman rootless
- With --init (i.e. tini)
- Without --privileged, no sudo package inside container (we drop privileges, never acquire)
- With only capabilities: SETUID SETGID AUDIT_WRITE DAC_OVERRIDE CHOWN
- Copying XAUTHORITY to the stopped container, as it moves across boots, no xhost.
I switched to chromium since firefox stopped working in all containers I have. It worked for a while then warsaw stopped working. Chromium wants some dbus access which is possible to make available to it, but didn't manage to get it working again. Didn't strace this time though.
I'm using make instead of compose, but see no reason why it shouldn't work with podman-compose. docker-compose requires rootful podman atm.
For reference, I reworked to an openSUSE base: https://github.com/awerlang/containers/tree/master/warsaw, my wip is in the develop branch, it's an overhaul of browsers and GUI containers.
I don't expect to have bandwidth to debug the issue this week, but will keep an eye on it.
I don't know about my solution, is deprecated?
@juliohm1978 @jsalatiel @rcassaniga @awerlang
I do not think any solution should be deprecated. The more solutions we have the better.
I don't know about my solution, is deprecated?
@juliohm1978 @jsalatiel @rcassaniga @awerlang
We don't know yet why it stopped working, maybe it is requiring new capabilities or being started in a specific way, since about 2 weeks ago. Once we figure that out we can update any existings solutions, this one being quite good given it doesn't requires --privileged.
the @jsalatiel and @awerlang solutions are very similars... because using makefile instead of docker-compose.yml file
IIRC the @feaneron tried to put warsaw in the flatpak, but without success
don't know about my solution, is deprecated? No @farribeiro:) We just arrived here because of everyone's contribution.
On Tue, Apr 27, 2021 at 12:02 PM Fábio Rodrigues Ribeiro < @.***> wrote:
I don't know about my solution, is deprecated?
@juliohm1978 https://github.com/juliohm1978 @jsalatiel https://github.com/jsalatiel @rcassaniga https://github.com/rcassaniga @awerlang https://github.com/awerlang
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/farribeiro/wscef-docker/issues/93#issuecomment-827676253, or unsubscribe https://github.com/notifications/unsubscribe-auth/AF5ISLK4ZXRUC3XDQQVK6V3TK3GW5ANCNFSM43NQFZVQ .
-- Rafael Cassaniga +55-15-9-8131-5200 @.***
Um link interessante para consulta
https://fedoramagazine.org/using-ansible-to-configure-podman-containers/
https://fedoramagazine.org/use-docker-compose-with-podman-to-orchestrate-containers-on-fedora/
I don't know if this issue still persists, but I have an automated tool using python selenium that uses warsaw with chrome, I had many problems with new versions of warsaw, instead of adding it directly from link to get the updated version in every build, I decided to pin an old version and add to my repository, It took me many hours to test the right version since I had to search for the right version in older images.
The warsaw version I'm using is pretty old, but still working flawless. Just a point, I don't need to use any X server on my image. If there's something I can help, it would be a pleasure.
Obrigado pelo interesse do projeto, mas não se sabe o problema persiste (preciso de novos testes) então o projeto foi abandonado porque não tem utilidade para os outros no thread (o primeiro objetivo) e para mim (usando celular)
Outros colaboradores, fazem um novo desenho deste projeto com outras opções e utilizando podman (duas soluções). Poucas vezes sei como usar o podman com docker-compose. Pode estar no caminho novamente. A propósito, este projeto foi originalmente desenvolvido para docker/docker-compose
Esta issue está aberta a comunicações e dicas de como aprimorar as soluções dos colaboradores.
Eu recomendo dar uma olhada nos projetos @awerlang e @jsalatiel
Espero que seja útil Atenciosamente Fábio
The warsaw version I'm using is pretty old, but still working flawless. Just a point, I don't need to use any X server on my image. If there's something I can help, it would be a pleasure.
Eu recomendo usar a ultima versão do warsaw
Abraços Fábio
IIRC the @feaneron tried to put warsaw in the flatpak, but without success
Eu acho que a maneira natural de continuar este projeto é transformar em flatpak. Mas warsaw é um daemon do sistema, preciso pensar em como empacotar isso.
Aliás ... É um problema também (o pacote) porque a solução requer compilar localmente
Pessoal, Lamento vou responder em português 🇧🇷 mesmo apesar da discussão estar toda em inglês 🇺🇸 uma vez que o warsaw talvez seja relevante só no Brasil mesmo. Meus comentários às mensagens do @fzamperin e @farribeiro. O problema ainda persiste sim e é com o warsaw, que, aparentemente, precisa ser lançado pelo init. Eu digo "aparentemente" porque não há documentação do warsaw e cheguei a essa conclusão pelas experiências minhas e o relato do @juliohm1978. Particularmente, eu não me sinto confortável em usar versões mais antigas do Warsaw porque já houve incidentes de segurança e mau funcionamento. E salvo engano ele roda com permissão de root. Eu uso regularmente o internet banking (prefiro-o para algumas atividades) e aproveitando o trabalho do pessoal deste fio 🧵 eu parti para uma solução rootless no-root usando podman. Com ele até consigo baixar arquivos (extratos, comprovante, etc..) e abri-los na maquina hospedeira.
https://github.com/rcassaniga/podman_bb
Um abraço a todos, Cassaniga
Oi @rcassaniga!
O warsaw realmente é um mistério. Das poucas coisas que sei a respeito é que ele é escrito em C++ e está cheio de validações internas para tentar garantir que está executando dentro do modo planejado pelos bancos. Segurança por obscurantismo nunca foi a melhor das práticas, mas enfim... é o que tem ai para usarmos :)
Tenho que gastar mais tempo no projeto para entender melhor o systemd. Ao que parece ele tem recebido melhorias para executar melhor em ambiente conteinerizado. Pode ter algumas features que podem ser aproveitadas, mas é difícil achar exemplos na Internet.
Boa sorte!
Atenção participantes desta thread... @rcassaniga / @jsalatiel / @fzamperin / @juliohm1978 / @awerlang
Eu atualizei a imagem base do projeto, porém não fiz testes. No commit https://github.com/farribeiro/wscef-docker/commit/efe953a76857c46b12470234f773caa93d78be1e
Atenciosamente, Fábio