
Running Firefox in an Alpine-based Docker container. What could go wrong?

Well, for starters: Alpine's ESR appears to be on 68.3.0esr.

Is there perhaps a better way to run Firefox in a Docker container?



> Is there perhaps a better way to run Firefox in a Docker container?

You could always build your container from a glibc distro and then just download and use the official binaries from Mozilla.


Why would you run Firefox in a Docker container?


Possibly for generating previews remotely or with different configurations.


Theoretically, so that Firefox doesn't have trivial access to other files available to my user.


Running it as a different user should suffice.

Anyway, the problem alluded to is probably X11. Any GUI application will be able to do things like sniffing your keyboard and clipboard data.

It's hard to do right (but of course that isn't a reason not to run untrusted applications with low privileges) and one of the things Wayland set out to improve.


You can run it in a separate VNC session as well to get isolation from X11, but that's a PITA.


You can run GUI apps from docker?


jessfraz has a great collection of Dockerfiles for various applications: https://github.com/jessfraz/dockerfiles

x11docker provides tooling: https://github.com/mviereck/x11docker


It takes a little configuration to allow X11 access, but yeah. https://github.com/woahbase/alpine-firefox

Heck, Qubes OS https://www.qubes-os.org/ even runs GUI apps from separate Xen VMs.


Yes. See also my other reply to basically the same question: https://news.ycombinator.com/item?id=21998987


You can run GUI apps across a network, so why not?


Ah, duh, forgot about how X11 works for a moment.


Have you looked at firejail?


I have not. How does it compare, particularly for applications that need X11 to usefully function?



Automated acceptance tests are one use of Firefox inside Docker.

We do that both for Chrome and Firefox.


Is it possible to get it working with GUI or are you using it for automation?


    git clone https://github.com/inetknght/docker-firefox
    cd docker-firefox
    docker build --tag inetknght-firefox:latest $(pwd)
    docker run --rm -ti -v /tmp/.X11-unix:/tmp/.X11-unix --user $(id -u):$(id -g) inetknght-firefox:latest

Remember though that forwarding your X11 session is basically handing over the keys to the kingdom. If something breaks out of the JavaScript sandbox and utilizes the exposed X11 socket, it'll be as if it wasn't inside of a container anyway. On the other hand, that would be a problem anyway outside of a container, so I don't see any increased risk compared to running Firefox directly on the host.

I do this to reset Firefox settings on every startup of the container and to have a consistent way for namespacing the filesystem and network (instead of using a Firefox plugin) vs doing the same for other applications too (for example, an IDE).

I really disagree with Mozilla's default settings and want to eventually configure Firefox differently. For example, I've mentioned on previous posts that I strongly disagree with Pocket. Others talk about what the new page should be; I think it should be about:blank. I also want to disable autofill. And I want to have a way to import identities into Firefox for TLS client authentication. There's a ton of other options I want to change as well. I just need to take some time to figure out how.


> default settings

You can override these at the "system" level.

    $ cat /etc/firefox/syspref.js
    // This file can be used to configure global preferences for Firefox
    // Example: Homepage
    //pref("browser.startup.homepage", "http://www.weebls-stuff.com/wab/");
    
    pref("general.smoothScroll",false);
    pref("general.autoScroll",true);
    pref("browser.search.suggest.enabled",false);
    pref("browser.ctrlTab.recentlyUsedOrder",false);
    pref("browser.startup.page", 3);  //http://kb.mozillazine.org/Browser.startup.page


> You can override these at the "system" level.

I am not at all interested in a host system level change because a system package can just as easily overwrite my changes there. That occurs frequently enough with other packages (e.g., GNOME).

However, I think this is useful information to put into the Dockerfile and make that the system level changes. Thanks!


Yeah, I put "system" in quotes precisely because I figured you'd do it via COPY :)
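Putting the pieces of this sub-thread together (the `docker run` line with the X11 socket, the `syspref.js` override, and baking it into the image via `COPY`), here is an added example script; it is not code from the thread or from any of the linked repositories. It assumes the `/etc/firefox/syspref.js` path shown above (distro packages may read system prefs from a different directory, so `PREF_PATH` can be overridden), a Debian base image with the `firefox-esr` package, and a host X11 socket at `/tmp/.X11-unix`. The pref names used (`browser.startup.homepage`, `extensions.pocket.enabled`, `browser.formfill.enable`, `signon.rememberSignons`, and so on) are standard Firefox preferences; the image tag is a constructed placeholder.

```shell
#!/bin/sh
# Added example: generates a Docker build context whose Firefox defaults are
# pinned by a COPY'd syspref.js, and prints a hardened `docker run` line.
# Assumptions: pref file path from the thread (override with PREF_PATH),
# Debian base + firefox-esr package, host X11 socket at /tmp/.X11-unix.
set -eu

PREF_PATH=${PREF_PATH:-/etc/firefox/syspref.js}

# Render one Firefox pref() line. true/false become JS booleans, plain
# non-negative integers become numbers, anything else becomes a quoted
# JS string with backslashes and double quotes escaped.
render_pref() {
    key=$1
    val=$2
    case "$val" in
        true|false)
            printf 'pref("%s", %s);\n' "$key" "$val" ;;
        ''|*[!0-9]*)
            esc=$(printf '%s' "$val" | sed 's/\\/\\\\/g; s/"/\\"/g')
            printf 'pref("%s", "%s");\n' "$key" "$esc" ;;
        *)
            printf 'pref("%s", %s);\n' "$key" "$val" ;;
    esac
}

# Write syspref.js into build-context directory $1 and print its path.
# The prefs mirror the wishes voiced in the thread: blank start page,
# blank new-tab page, Pocket off, form autofill and password saving off.
write_syspref() {
    ctx=$1
    out="$ctx/syspref.js"
    {
        echo '// Generated system-level defaults; baked into the image via COPY.'
        render_pref browser.startup.homepage about:blank
        render_pref browser.startup.page 0
        render_pref browser.newtabpage.enabled false
        render_pref extensions.pocket.enabled false
        render_pref browser.formfill.enable false
        render_pref signon.rememberSignons false
        render_pref browser.search.suggest.enabled false
    } > "$out"
    echo "$out"
}

# Write a minimal Dockerfile into $1 (assumed layout, not any linked repo's)
# and print its path. The COPY makes the prefs part of the image, so a host
# package upgrade can never overwrite them.
write_dockerfile() {
    ctx=$1
    cat > "$ctx/Dockerfile" <<EOF
FROM debian:stable-slim
RUN apt-get update \\
 && apt-get install -y --no-install-recommends firefox-esr \\
 && rm -rf /var/lib/apt/lists/*
# System-level defaults; path is an assumption, adjust for your distro.
COPY syspref.js $PREF_PATH
RUN useradd --create-home --uid 1000 browser
USER browser
ENV HOME=/home/browser
CMD ["firefox-esr"]
EOF
    echo "$ctx/Dockerfile"
}

# Print (do not execute) a docker run line for image $1: same X11 socket
# bind mount as in the thread, but with all capabilities dropped, privilege
# escalation forbidden, and the profile on a tmpfs so it is reset every run.
hardened_run_cmd() {
    image=$1
    printf '%s\n' "docker run --rm -ti \\" \
        "  --user \"\$(id -u):\$(id -g)\" -e HOME=/home/browser \\" \
        "  --cap-drop=ALL --security-opt=no-new-privileges \\" \
        "  --tmpfs /home/browser:rw,nosuid,nodev \\" \
        "  -e DISPLAY=\"\$DISPLAY\" -v /tmp/.X11-unix:/tmp/.X11-unix:ro \\" \
        "  $image"
}

# Usage: sh firefox-ctx.sh <build-context-dir> [image-tag]
# With no arguments only the functions above are defined.
if [ $# -ge 1 ]; then
    write_syspref "$1"
    write_dockerfile "$1"
    hardened_run_cmd "${2:-local/firefox-esr:latest}"
fi
```

After `sh firefox-ctx.sh ./ctx`, `docker build -t local/firefox-esr:latest ./ctx` produces the image and the printed `docker run` line starts it. The X11 socket is still shared, so the caveat from the thread stands: the container boundary does nothing against a process that can talk to your X server; the added flags only reduce what an escaped process can do inside the container.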


Honest question: Does it matter? Wouldn't the containerization protect you from the vulnerability?


> Does it matter?

Yes.

> Wouldn't the containerization protect you from the vulnerability?

Running JavaScript even in a browser is plenty enough to extract information via Spectre and Meltdown. JavaScript which can escape the browser sandbox can escape a container too.


A container won't protect you from Spectre and Meltdown.



