
[Solved] How to create lightweight containers

(Rubén Santos) #1


I wanted to play with the creation of lightweight containers to isolate a web browser, and looking at the forum I saw many of you using: https://github.com/arachsys/containers

I tried to follow the steps on the project’s README, but I’m unable to get it working.

I did the following steps:

$ mkdir -p ~/containers/test
$ sudo xbps-install -S -R https://repo.voidlinux.eu/current -r ~/containers/test base-voidstrap
$ cd ~/containers/test
$ contain . /bin/bash

The command doesn’t output any error to the terminal nor prompts to the container shell.

I installed containers from the musl repo.

What am I doing wrong?


I haven’t seen anyone on the forums using it. Do you have links to them? It looks hackish. Try sandfox or docker.


It’s the opposite of “hackish” if you mean it in a negative context.
If you mean “hackish” as in you have to write one or two shell scripts compared to some arbitrary configuration file then yes, it provides small tools that are best used together with simple shell scripts to bootstrap and boot, mount and control “containers”.
containers is a collection of small tools that are well designed, lightweight and very flexible.

$ mkdir /tmp/container
$ pseudo xbps-install -SR https://repo.voidlinux.eu/current -r /tmp/container base-voidstrap
$ contain /tmp/container /bin/bash
bash-4.4# ^D


Compared to

sudo sandfox firefox

However the dev hasn’t done updates for years and seems to recommend firejail which is equally simple. I dunno about ‘container’ but haven’t seen any forum posts on it.


Firejail is a complex mess with a bad history of security issues, suid binary, allowed root access to everyone just by having firejail installed at some point.
Firejail has way too many features, all the extra X11 stuff, the profile parsing, I can’t even remember all the features.

(Rubén Santos) #6

pseudo xbps-install doesn’t do anything and doesn’t output any error either.

Is it possible that I’m missing a dependency or configuration in my system?

(Rubén Santos) #7

I just removed the package and reinstalled it; the tools seem to work now.

I don’t know what happened; none of the tools output anything in the first install.

Thank you anyways!


@Duncaen Thanks for the tip on firejail. I just knew IgnorantGuru to be reliable on security. He didn’t audit firejail. Has anybody audited ‘containers’? How does it compare to docker?

The browser mess is best attacked at the source. Containment is fine, but as you say, can be its own security problem.


I’m on void_musl and want to create a container running void_glibc and use firefox in it, attempting to watch Netflix.
I’ve followed your post here and the post from the advent of void. I have added firefox, mate-icon-theme, dejavu-fonts-ttf, alsa-tools and alsa-utils to the container.
I’m able to use the host’s network using contain -n and to use the host X-server by using xhost from outside the container. Firefox starts with minor issues, a Gtk-Warning**: Locale not supported by C library and a warning about addons.xpi WARN Add-on pug.experience@shield.mozilla.org is missing bootstrap method install.
What’s wrong then you may ask?
Well, I have no sound! Am I missing something inside the container? Or is there a way to make the container use the host’s sound system, in a similar way to the network above?
Any help would be appreciated.

EDIT: Wondering also what’s the best way to shutdown the container, network and xhost.

(oliver) #10

I can answer the xhost part.

[oliver@gaspar ~]$ xhost +local:                              
non-network local connections being added to access control list

[oliver@gaspar ~]$ xhost -local:
non-network local connections being removed from access control list


Cheers! I’ve figured that one out. Thanks!
If I get sound to work and a more graceful way of shutting down the container, I’ll post the full process here.


I still haven’t figured out how to make the container use my sound card, but…
…here are the steps to get firefox running in a container.
After installing containers…

mkdir -p ~/container/firefox
pseudo xbps-install -SR https://repo.voidlinux.eu/current -MSr ~/container/firefox base-voidstrap
rm -r ~/container/firefox/etc/sv/agetty*
cp /etc/resolv.conf ~/container/firefox/etc

Now, boot the container

[pin@awesomevoidmusl ~]$ contain -n ~/container/firefox /bin/init
- runit: $Id: 25da3b86f7bed4038b8a039d2f8e8c9bbcf0822b $: booting.
- runit: enter stage: /etc/runit/1
=> Welcome to Void!
=> Mounting pseudo-filesystems...
mount: /sys: permission denied.
mount: /sys/kernel/security: mount point does not exist.
=> Loading kernel modules...

=> Starting udev and waiting for devices to settle...
starting version 3.2.5
=> Remounting rootfs read-only...
mount: /: permission denied.

Cannot continue due to errors above, starting emergency shell.
When ready type exit to continue booting.
# exit
=> Activating btrfs devices...
Scanning for Btrfs filesystems
=> Activating encrypted devices...
=> Checking filesystems:
=> Mounting rootfs read-write...
mount: /: permission denied.

Cannot continue due to errors above, starting emergency shell.
When ready type exit to continue booting.
# exit
=> Mounting all non-network filesystems...
=> Initializing swap...
=> Initializing random seed...
=> Setting up loopback interface...
RTNETLINK answers: Operation not permitted
=> Setting up hostname to 'void-live'...
/etc/runit/1: 13: /etc/runit/core-services/05-misc.sh: cannot create /proc/sys/kernel/hostname: Permission denied
=> Loading sysctl(8) settings...
* Applying /usr/lib/sysctl.d/void.conf ...
sysctl: permission denied on key 'kernel.core_uses_pid'
sysctl: permission denied on key 'fs.protected_hardlinks'
sysctl: permission denied on key 'fs.protected_symlinks'
sysctl: permission denied on key 'kernel.kptr_restrict'
sysctl: permission denied on key 'kernel.dmesg_restrict'
sysctl: permission denied on key 'kernel.perf_event_paranoid'
sysctl: permission denied on key 'kernel.kexec_load_disabled'
sysctl: permission denied on key 'kernel.yama.ptrace_scope'
* Applying /etc/sysctl.conf ...
install: cannot change ownership of '/run/utmp': Invalid argument
=> Initialization complete, running stage 2...
- runit: leave stage: /etc/runit/1
- runit: enter stage: /etc/runit/2
runsvchdir: default: current.

Once booted, open a new terminal and share the host x-server with the container

xhost +local:~/container/firefox

‘enter’ the container and install some fonts and firefox

sudo inject $(pgrep contain) /bin/bash
xbps-install dejavu-fonts-ttf firefox

As mentioned, still no sound… and no Netflix, but all the rest is working. My container is 856 MB in size, since I’ve installed all the alsa stuff as well, so far to no avail… Maybe I’ll take docker for a spin!
To shutdown just close firefox, exit the container, unshare the x-server

xhost -

and close the terminals.
NOTE: This container only works on the network that was in use when creating it.
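The bootstrap/boot/enter sequence from the post above (and the shorter version in Duncaen’s reply) collected into one wrapper, as an added example that is not pin’s own script or part of the arachsys project. It assumes contain, inject and pseudo are on PATH, uses oliver’s xhost +local: form rather than the path variant, only grants local X access for the lifetime of the injected shell, and refuses to run inject unless pgrep returns exactly one contain PID (an unquoted $(pgrep contain) silently expands to several arguments when more than one container is running).

```shell
#!/bin/sh
# Wrapper around the procedure in the post (added example; hypothetical script).
set -eu

ROOT="${1:-$HOME/container/firefox}"   # container root used in the post

# Only boot something that looks like a bootstrapped Void root.
require_rootfs() {
    [ -d "$1" ] && [ -x "$1/bin/init" ] && [ -f "$1/etc/resolv.conf" ]
}

# inject takes one PID: accept the pgrep output only if it is a single word.
single_pid() {
    set -- $1
    [ $# -eq 1 ] && printf '%s\n' "$1"
}

bootstrap() {
    mkdir -p "$ROOT"
    pseudo xbps-install -SR https://repo.voidlinux.eu/current -Mr "$ROOT" base-voidstrap
    rm -rf "$ROOT"/etc/sv/agetty*     # no gettys inside the container
    cp /etc/resolv.conf "$ROOT/etc"   # post's note: tied to the network used here
}

boot() {
    require_rootfs "$ROOT" || { echo "no bootstrapped root at $ROOT" >&2; exit 1; }
    contain -n "$ROOT" /bin/init      # -n shares the host network, as in the post
}

enter() {
    pid=$(single_pid "$(pgrep -x contain)") ||
        { echo "expected exactly one contain process" >&2; exit 1; }
    xhost +local:                     # open the X server to local clients...
    sudo inject "$pid" /bin/bash
    xhost -local:                     # ...and close it again when the shell exits
}

case "${2:-}" in
    bootstrap) bootstrap ;;
    boot)      boot ;;
    enter)     enter ;;
esac
```

Run it as `./wrapper.sh ~/container/firefox bootstrap`, then `boot` in one terminal and `enter` in another.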
