Standalone debug containers not working when Docker daemon has "userns-remap" enabled

[schmunk42]

Meta -

Image(s):
Tested with standalone-firefox-debug

Docker-Selenium Image Version(s):
2.53.1, 3.11.0

Docker Version:
18.02.0-ce

OS:
Arch Linux (Antergos)

Expected Behavior -

Enable userns-remap on the daemon, Selenium container should run normally; not affected by https://docs.docker.com/engine/security/userns-remap/#user-namespace-known-limitations

Actual Behavior -

• VNC connections are broken (password check failed)
• Firefox can't open profile files

At least the broken VNC can be hotfixed by exec'ing into the container and give permissions of the password file to seluser,

Related:

• User permissions error inside container while starting hub docker image #535
• User permissions error in non-debug images (Chrome and Firefox) #405

Workaround:

• use userns_mode: host with docker-compose (for Selenium v3.*)

[rlgomes]

Actual behavior:

• Chrome downloads to an external volume fail because of permissions but in your tests you may actually see a download dialog popup and after accepting to save manually you'll see the permission error.

[diemol]

Hi @schmunk42,

After reading the link, I am not sure how to proceed, is this a common case?

[schmunk42]

Hard to tell if it's common, but IMO containers should not be affected by this setting.
Selenium was the only one I saw with this issue.

[diemol]

This seems to be the same thing that happens in environments like OpenShift, therefore, in theory #787 would fix this issue.

[diemol]

#787 was merged and released already, was this solved for you?

[schmunk42]

I've never tried again with the above option...

[diemol]

I'll close this one and in case you see any issues, please feel free to reopen.