[BUG] Chromium doesn't open in Debian 13 Trixie
Is there an existing issue for this?
- [x] I have searched the existing issues
Current Behavior
docker-chromium stopped working after the host OS was upgraded from Debian 12 to 13. Chromium does not open at all.
Expected Behavior
Chromium should open on start and upon right-clicking the desktop and selecting Chromium from the menu.
Steps To Reproduce
Run docker compose up -d on Debian 13
Environment
- OS: Debian 13
- How docker service was installed: docker compose:
services:
  chromium:
    container_name: chromium
    network_mode: host
    security_opt:
      - seccomp=unconfined
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    volumes:
      - ${CONFIG_PATH}:/config
    devices:
      - /dev/dri:/dev/dri
    shm_size: 1gb
    restart: unless-stopped
    image: lscr.io/linuxserver/chromium:kasm
CPU architecture
x86-64
Docker creation
docker compose up -d
Container logs
[migrations] started
[migrations] no migrations found
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
Linuxserver.io version: ca5e0ca1-ls9
Build-date: 2025-08-27T09:34:30+00:00
───────────────────────────────────────
..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+....+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+...+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+...+......+...+...........+......+.+........+....+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..........+....................+...+...+.+.....+.+........+.+........+...+.........+.+........+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
**** adding /dev/dri/renderD128 to video group sgx with id 105 ****
**** adding /dev/dri/card0 to video group video with id 44 ****
[custom-init] No custom files found, skipping...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Xvnc KasmVNC 1.3.3 - built Jul 12 2025 19:07:31
Copyright (C) 1999-2018 KasmVNC Team and many others (see README.me)
See http://kasmweb.com for information on KasmVNC.
Underlying X server release 12101007
[ls.io-init] done.
[mi] mieq: warning: overriding existing handler (nil) with 0x55e5ce386290 for event 2
[mi] mieq: warning: overriding existing handler (nil) with 0x55e5ce386290 for event 3
Obt-Message: Xinerama extension is not present on the server
17
/usr/bin/wrapped-chromium: line 29: 365 Trace/breakpoint trap (core dumped) ${BIN} --no-first-run --password-store=basic --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --start-maximized --user-data-dir "$@" > /dev/null 2>&1
ERROR: openbox-xdg-autostart requires PyXDG to be installed
2025-08-30 16:15:14,548 [INFO] websocket 0: got client connection from 127.0.0.1
2025-08-30 16:15:14,568 [PRIO] Connections: accepted: @192.168.1.209_1756595714.549280::websocket
/usr/bin/wrapped-chromium: line 29: 404 Trace/breakpoint trap (core dumped) ${BIN} --no-first-run --password-store=basic --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --start-maximized --user-data-dir "$@" > /dev/null 2>&1
2025-08-30 16:15:21,636 [PRIO] Connections: closed: @192.168.1.209_1756595714.549280::websocket (Clean disconnection)
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
I can only open chromium with --no-sandbox included in the command.
Seems to be the same issue as https://github.com/linuxserver/docker-chromium/issues/59
So yes, you should not be passing this option as it is very insecure and it is in the example only to show people with old hosts how to get stuff running.
The problem is that it looks like in Trixie (and likely the next Ubuntu releases) userns is denied in the docker-default apparmor profile.
To run chromium with true sandboxing you would need both --security-opt seccomp=unconfined and --security-opt apparmor=unconfined.
This is not a kernel thing; userns is enabled at the kernel level for unprivileged users by default:
sysctl -a |grep userns
kernel.unprivileged_userns_apparmor_policy = 1
kernel.unprivileged_userns_clone = 1
So I think the most likely thing we should do is simply stop supporting this configuration in general and always pass no-sandbox in the docker container regardless of whether the container is unconfined or not.
The risk of a tab leaking to another tab is much less than users opening up their host to the container.
But then, because you are all just pasting in the example, it makes me pause, because unconfined plus no sandboxing is a recipe for disaster. Then there is no protection at all.
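The configurations discussed in this thread, as an added example that is not part of the original issue or the project's code: an audit over `docker inspect` JSON that sorts containers into the states described above and flags the "unconfined plus no sandboxing" combination. The sample records and the `BROWSER_FLAGS` variable name are constructed, and matching `--no-sandbox` anywhere in the env, command or entrypoint strings is an assumption about how flags reach the browser.

```python
import json
import re

# Constructed `docker inspect`-style records for illustration; BROWSER_FLAGS
# is a placeholder variable name, not something taken from the issue.
SAMPLE = json.loads("""
[
 {"Name": "/a", "HostConfig": {"SecurityOpt": ["seccomp=unconfined"]},
  "Config": {"Env": ["TZ=Etc/UTC"], "Cmd": null}},
 {"Name": "/b", "HostConfig": {"SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"]},
  "Config": {"Env": [], "Cmd": null}},
 {"Name": "/c", "HostConfig": {"SecurityOpt": ["seccomp:unconfined"]},
  "Config": {"Env": ["BROWSER_FLAGS=--no-sandbox"], "Cmd": null}},
 {"Name": "/d", "HostConfig": {"SecurityOpt": null},
  "Config": {"Env": [], "Cmd": ["--no-sandbox"]}}
]
""")


def security_opts(container):
    """Return SecurityOpt entries as {name: value}; accepts 'k=v' and 'k:v'."""
    opts = {}
    for raw in container.get("HostConfig", {}).get("SecurityOpt") or []:
        parts = re.split(r"[=:]", raw, maxsplit=1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts


def classify(container):
    """Map one container onto the configurations discussed in the thread."""
    opts = security_opts(container)
    seccomp_off = opts.get("seccomp") == "unconfined"
    apparmor_off = opts.get("apparmor") == "unconfined"
    cfg = container.get("Config", {})
    strings = (cfg.get("Env") or []) + (cfg.get("Cmd") or []) + (cfg.get("Entrypoint") or [])
    no_sandbox = any("--no-sandbox" in s for s in strings)
    if no_sandbox and (seccomp_off or apparmor_off):
        return "no-protection"             # unconfined plus no sandboxing
    if no_sandbox:
        return "confined-no-sandbox"       # container profiles are the only boundary
    if seccomp_off and apparmor_off:
        return "unconfined-sandboxed"      # browser sandbox is the only boundary
    return "sandbox-needs-unconfined"      # sandbox expected, profiles still applied


def audit(containers):
    """Return {container name: verdict} for a parsed `docker inspect` list."""
    return {c.get("Name", "?").lstrip("/"): classify(c) for c in containers}
```

Feed it the parsed output of `docker inspect` for the running containers and review any entry reported as `no-protection` first.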
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.