Docker, Arch Linux, and User Namespaces

Docker, Arch Linux, and User Namespaces

I recently tried to run Jess Frazelle's Chrome Docker image, she explains how to do that here. Whilst there is a little bit of understanding needed with what's going on (such as passing X11 through from the host to the container), it's pretty simple.

However, Chrome seemed to break for me every time. At first I couldn't work it out, but help in this Issue Thread showed that the lack of User Namespacing in my kernel was the problem.

The stock Arch Linux Kernel for some reason doesn't seem to have User Namespacing built in. Chrome needs this. The reason Chrome needs this is that the sandboxing security feature needs to utilise namespacing segregation to isolate web page processes. The idea being if they can't interact with anything outside the container, it minimises risk to the other processes on the system.

Unfortunately to enable User Namespacing, you have to enable the feature in a kernel config file and rebuild your Kernel. This isn't an easy process but the Arch Build System can help.

To test you've got User Namespacing enabled successfully, check zgrep CONFIG_USER_NS /proc/config.gz it should return CONFIG_USER_NS=y. Anything else means it is not enabled.

My config.gz for Kernel 4.2.5-1 is here

The image below shows I've got Chrome running in Docker fine now. You can also tell from Archey that I'm running the custom kernel.

Picture of Chrome Running

Using UFW on Fedora

Using UFW on Fedora

When switching to Fedora I was disappointed to find that there was no support for using Uncomplicated Firewall, something I enjoyed on Arch Linux. Although it is not in the Fedora repos, it can still be installed and used.

  • Download the UFW source code from Launchpad
  • Unpack and install the source code. Do this with the traditional 'Untar, Configure, Make'. If you are unfamiliar with compiling software from scratch, the README in the download explains, and a quick google will explain further.
  • Once installed, run systemctl stop iptables to stop the regular iptables firewall process. Do the same for any Fedora Firewall tools like FirewallD systemctl stop firewall.
  • Enable UFW! sudo ufw enable
  • Add your rules as usual! e.g ufw allow 22/tcp, ufw limit 22/tcp