Secure Containerized Browser

By default Chromium on OpenBSD (not so) recently gained OpenBSD's unveil(2) support. This means that if you run Chromium with the --enable-unveil flag it will be prevented from accessing anything other than the ~/Downloads directory. Nothing like that exists on FreeBSD. Firefox or Chromium have access to all files the user can read, even to your system sshd(8) keys and, even worse, to your private keys lying in the ~/.ssh dir. On FreeBSD, thanks to its FreeBSD Jails technology, we are able to create a secure containerized browser with access only to the desired directory. On my system it is the ~/download dir.

You may want to check the other desktop related articles in the FreeBSD Desktop series on the FreeBSD Desktop page.

We will start with the /etc/jail.conf file configuration. For the record, we will be using /jail as our FreeBSD Jails main dir. I will also use the /jail dir as a convenient location for the 'base' FreeBSD version tarballs. I will use an address from my LAN for our containerized browser; it is written as <JAIL-IP> in the listings below. Feel free to choose a different IP from which you will be able to reach the Internet. The /etc/jail.conf is shown below. One thing to note here. As I am using the WiFi wlan0 interface I have put that into the Jail configuration. If you use a LAN interface (for example em0) then put that into this Jail config instead. As you can see from the example below we will be using the Firefox browser in our example.

root@host # cat /etc/jail.conf
# GLOBAL
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_${name}_console.log";
  host.hostname = ${name};
  path = /jail/${name};

  firefox {
    devfs_ruleset = 30;
    mount.devfs;            # mounts /dev in the jail with the ruleset above
    ip4.addr = <JAIL-IP>;
    interface = wlan0;
    mount.fstab = "/jail/firefox/etc/fstab";
  }

As you can see we will also be using devfs(8) rules in the /etc/devfs.rules file, shown below. This configuration is needed to have access to sound(4) in our FreeBSD Jail. If you do not need sound then you can delete devfs_ruleset = 30; from the /etc/jail.conf file and also not add anything to the /etc/devfs.rules file.

root@host # cat /etc/devfs.rules
[devfsrules_jail_firefox=30]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'mixer*' unhide
add path 'dsp*'   unhide

If we want to share the ~/download dir with our containerized browser then we have to somehow make that data available to our FreeBSD Jail. We will use FreeBSD's mount_nullfs(8) command to mount our already existing ~/download dir into our FreeBSD Jail. We will use the following /jail/firefox/etc/fstab for that purpose.

root@host # cat /jail/firefox/etc/fstab
#SOURCE         #MNT                                      #TYPE   #OPTS       #DUMP/PASS
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0

Of course you do not have to share any directory with your containerized browser.

You may also want to make this jail start every time you boot your system. To do that add the lines below to the /etc/rc.conf file.

root@host # grep ^jail_ /etc/rc.conf
jail_enable="YES"
jail_list="firefox"

As I use FreeBSD 13.0-RELEASE I will also be using a FreeBSD 13.0-RELEASE Jail for that purpose. If you are running, for example, FreeBSD 12.3-RELEASE then make sure you use a FreeBSD 12.3-RELEASE Jail. The Jail version must not be newer than the host system version. We will now fetch the needed FreeBSD 'base' tarball and unpack it inside the /jail/firefox dir where our container will live. We will also configure several other basic files such as /etc/resolv.conf or /etc/hosts.

root@host # mkdir -p /jail/BASE /jail/firefox /jail/firefox/usr/home/vermaden/download

root@host # fetch -o /jail/BASE/13.0-RELEASE-base.txz <URL-of-13.0-RELEASE-base.txz>

root@host # tar -xzvf /jail/BASE/13.0-RELEASE-base.txz -C /jail/firefox

root@host # echo nameserver <DNS-IP> > /jail/firefox/etc/resolv.conf

root@host # echo <JAIL-IP> firefox >> /jail/firefox/etc/hosts

root@host # cat << EOF > /jail/firefox/etc/fstab
#SOURCE         #MNT                                      #TYPE   #OPTS       #DUMP/PASS
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0
EOF

We will now start our fresh FreeBSD Jail.

root@host # service jail onestart firefox

We can now also see two new mounts in the mount(8) output.

root@host # mount | tail -2
/data/download on /jail/firefox/usr/home/vermaden/download (nullfs, local, noatime)
devfs on /jail/firefox/dev (devfs)

root@host # mount -p | tail -2 | column -t
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0  0
devfs           /jail/firefox/dev                         devfs   rw          0  0
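The whole point of this setup is that exactly one path crosses the jail boundary: the download directory listed in the fstab above, which the mount(8) output confirms once the jail is running. Because the jail's /etc/fstab and `mount -p` output share the fstab(5) format, one check can audit both, before the first start and afterwards. The shell function below is an added example written for this article, not code from the original post: it flags every nullfs entry whose source is not the single allowed directory and calls out anything under a .ssh directory separately, since that is the case the introduction worries about. The function name, the `/home/vermaden` paths in the second sample and the sample entries themselves are constructed for the demo.

```shell
#!/bin/sh
# audit_jail_shares: report every nullfs mount that reaches into the jail from
# anywhere other than the one directory we intend to share with the browser.
#   $1  a file in fstab(5) format: the jail's /etc/fstab before the first
#       start, or saved `mount -p` output once the jail is running
#   $2  the only source directory allowed to be nullfs-mounted into the jail
# Exit status: 0 when only the allowed share is present, 1 otherwise.
audit_jail_shares() {
    awk -v allowed="$2" '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        $3 != "nullfs" { next }                    # devfs, fdescfs etc. are not shares
        $1 == allowed  { seen++; next }            # the intended download share
        $1 ~ /\/\.ssh(\/|$)/ {                     # an SSH key directory: worst case
            printf "CRITICAL: %s exposes SSH keys at %s (%s)\n", $1, $2, $4
            bad++; next
        }
        { printf "UNEXPECTED: nullfs %s -> %s (%s)\n", $1, $2, $4; bad++ }
        END {
            if (seen == 0) printf "NOTE: allowed share %s is not mounted\n", allowed
            exit (bad > 0)
        }
    ' "$1"
}

# --- demo on constructed input (not a real system's state) ----------------
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
#SOURCE         #MNT                                      #TYPE   #OPTS       #DUMP/PASS
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0
devfs           /jail/firefox/dev                         devfs   rw          0 0
EOF
cat > "$bad" <<'EOF'
/data/download       /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0
/home/vermaden       /jail/firefox/mnt/home                    nullfs  ro          0 0
/home/vermaden/.ssh  /jail/firefox/usr/home/vermaden/.ssh      nullfs  ro          0 0
EOF
for f in "$good" "$bad"; do
    if audit_jail_shares "$f" /data/download; then
        echo "$f: only the intended share crosses the jail boundary"
    else
        echo "$f: review the entries above"
    fi
done
rm -f "$good" "$bad"
```

On the live system the two real calls would be `audit_jail_shares /jail/firefox/etc/fstab /data/download` before `service jail onestart firefox` and `mount -p > /tmp/mounts && audit_jail_shares /tmp/mounts /data/download` afterwards; the second one also sees nullfs mounts added by hand that never made it into the fstab.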

You may want to update the Jail's FreeBSD version to the most up to date patch level with the freebsd-update(8) commands.

root@host # freebsd-update -b /jail/firefox fetch
root@host # freebsd-update -b /jail/firefox install

Before installing anything we will first switch to the latest branch of the pkg(8) packages to have the most up to date software. We will then proceed to installing the Firefox package. We will also need the x11/xauth package for X11 Forwarding to work.

root@host # sed -i '' s.quarterly.latest.g /jail/firefox/etc/pkg/FreeBSD.conf

root@host # grep latest /jail/firefox/etc/pkg/FreeBSD.conf
  url: "pkg+${ABI}/latest",

root@host # jls
   JID  IP Address      Hostname                      Path
     1  <JAIL-IP>       firefox                       /jail/firefox

root@host # jexec 1

(root@jail) # pkg install -y firefox xauth

We will now enter our FreeBSD Jail again for several other tasks needed for our containerized browser to work. The first is creating inside a user similar to the one you currently use outside, especially with the same UID/GID, so that files land in your real ~/download directory with proper permissions instead of with another UID/GID that you would have to chown(8) as root. As my vermaden user uses UID/GID 1000 I will also use that inside. I will also set a simple password that you will only use once, to copy your public SSH key there.

root@host # jexec 1

(root@jail) # echo your-username-password-goes-here | pw user add -u 1000 -n vermaden -m -s /bin/sh -h 0
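Getting the UID/GID right is what keeps the files Firefox drops into the shared ~/download directory owned by you on the host, so it is worth checking before the first download lands there. The following is an added example, not part of the original post: it compares a user's entry in the host's and the jail's passwd files, reports a mismatch, and warns when the user is missing in the jail but its host UID is already taken there by another account (which would make the pw(8) command above fail). The helper names ids_of and name_of_uid and the sample passwd lines are constructed.

```shell
#!/bin/sh
# check_uid_match: confirm that a user is defined identically in the host and
# jail passwd databases before files start landing in the shared directory.
#   $1  user name     $2  host passwd file     $3  jail passwd file
# Typical real call:  check_uid_match vermaden /etc/passwd /jail/firefox/etc/passwd
# Exit status: 0 when UID and GID match, 1 on any mismatch, collision or gap.
ids_of()      { awk -F: -v u="$2"  '$1 == u  { print $3 ":" $4; exit }' "$1"; }
name_of_uid() { awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"; }

check_uid_match() {
    user="$1"; host_pw="$2"; jail_pw="$3"
    host_ids=$(ids_of "$host_pw" "$user")
    if [ -z "$host_ids" ]; then echo "$user: no such user on the host"; return 1; fi
    jail_ids=$(ids_of "$jail_pw" "$user")
    if [ -z "$jail_ids" ]; then
        # Not created yet: warn if the UID we would hand to pw(8) is already taken.
        host_uid=${host_ids%%:*}
        owner=$(name_of_uid "$jail_pw" "$host_uid")
        if [ -n "$owner" ]; then
            echo "$user: missing in jail, and UID $host_uid already belongs to '$owner' there"
        else
            echo "$user: missing in jail; create it with UID:GID $host_ids"
        fi
        return 1
    fi
    if [ "$host_ids" = "$jail_ids" ]; then
        echo "$user: UID:GID $host_ids matches in host and jail"; return 0
    fi
    echo "$user: host UID:GID $host_ids but jail UID:GID $jail_ids; files in the shared dir would need chown(8)"
    return 1
}

# --- demo on constructed passwd lines (not real accounts) -----------------
host_pw=$(mktemp); jail_pw=$(mktemp)
printf 'root:*:0:0:Charlie &:/root:/bin/sh\nvermaden:*:1000:1000:vermaden:/home/vermaden:/bin/sh\n' > "$host_pw"
printf 'root:*:0:0:Charlie &:/root:/bin/sh\nvermaden:*:1001:1001:vermaden:/home/vermaden:/bin/sh\n' > "$jail_pw"
check_uid_match vermaden "$host_pw" "$jail_pw" || true
rm -f "$host_pw" "$jail_pw"
```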

Now we need to run /usr/local/bin/dbus-uuidgen --ensure once to make sure DBUS is initialized properly. Firefox and many other apps would not start if we omit that step.

(root@jail) # /usr/local/bin/dbus-uuidgen --ensure

Now the sshd(8) daemon. The only things we need to do are to add it to the system startup and to add the X11UseLocalhost no option to its config file.

(root@jail) # sysrc sshd_enable=YES
sshd_enable: NO -> YES

(root@jail) # echo X11UseLocalhost no >> /etc/ssh/sshd_config

(root@jail) # service sshd start
Generating RSA host key.
2048 SHA256:VnrvItf0tl738C5Oc2St6T63/6o8zaDlfUskB+NrElo root@firefox (RSA)
Generating ECDSA host key.
256 SHA256:ZAjcAGqlrVwvY+J9MuVzErx9QUOqIOJE3nJX/Oqwtpk root@firefox (ECDSA)
Generating ED25519 host key.
256 SHA256:JdzUql2D2+X8iBn3c1jWDHQRNQMKqWGOcL4J16fIX0E root@firefox (ED25519)
Performing sanity test on sshd configuration.
Starting sshd.

Copying your public SSH key is optional, but if you skip this step then you will have to type your FreeBSD Jail user password each time you want to start your secure Firefox instance.

vermaden@host % ssh-copy-id -i ~/.ssh/id_rsa vermaden@<JAIL-IP>

Now you can start your containerized browser. I have added some useful flags for the ssh(1) client, like compression with -C and the fastest supported encryption with the -c aes128-ctr option. The -X is for the X11 Forwarding option. I also added GDK_SYNCHRONIZE=1 to make Firefox cry less 🙂

vermaden@host % ssh -C -c aes128-ctr -X vermaden@<JAIL-IP> env GDK_SYNCHRONIZE=1 firefox --new-instance

Now, without a password, you should see a new Firefox instance.


I will now try to play some random video. I can not show you that with an image but the sound also works 🙂


A similar setup can of course be created for a different browser if Firefox is not your browser of choice. If you are curious how much space it uses, it is about this:

root@host # du -smx /jail/BASE/13.0-RELEASE-base.txz /jail/firefox
181     /jail/BASE/13.0-RELEASE-base.txz
1603    /jail/firefox

root@host # du -smx -A /jail/BASE/13.0-RELEASE-base.txz /jail/firefox
181     /jail/BASE/13.0-RELEASE-base.txz
2601    /jail/firefox

I also added the -A flag to the second du(1) command to show you how much more space would be used without the ZFS LZ4 compression.

