Bootstrap your container

Assuming you installed firefox in a container ~/containers/firefox. On first run I had Segmentation faults until I got st working. I suspect it’s something to do with fonts!

Setup /etc/systemd/system/systemd-nspawn@firefox.service.d/override.conf

Mine looks like:

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn \
						--bind-ro=/home/hendry/.Xauthority:/home/hendry/.Xauthority \
						--bind=/home/hendry/.config:/home/hendry/.config \
						--bind=/tmp/.X11-unix \
						--bind=/dev/snd \
						--bind=/run/user/1000/pulse:/run/user/host/pulse \
						-D /home/hendry/containers/firefox \
						--bind /dev/shm \
						--bind /etc/machine-id \
						--network-veth -b

Setup systemd-networkd & OpenVPN

I use a container networking configuration like so /etc/systemd/network/80-container-host0.network.

My VPN configuration lives in ~/containers/firefox/etc/openvpn/uk.conf and is invoked by starting openvpn@uk.service.

Sound

This is the most difficult part! After hours of trial and error, attempting to decipher cryptic error messages, I started pulseaudio with --disable-shm=true and things started to work!

I’ve tweaked /usr/lib/systemd/user/pulseaudio.service with that option.

sudo machinectl shell hendry@firefox --setenv=DISPLAY=:0 --setenv=PULSE_SERVER=unix:/run/user/host/pulse/native

Note that my $USER is hendry which matches an account created also called hendry in the container. This is the only way I have figured out how to get pulseaudio & sound working!!

Firefox fails wtih ALSA lib confmisc.c:768:(parse_card) cannot find card '0', but I’ve found Chromium to work.

TODO

This setup needs work. Especially the sound part is very cumbersome. Why is it so hard to share video/sound devices? FFS!

OpenVPN is a but clumsy in the sense there is no way to quickly tell I’m on the VPN and everything is OK.

Word about network accounting

Assuming your container is called “firefox” like mine:

grep firefox /proc/net/dev
ve-firefox:  407205    2396    0    0    0     0          0         0  3732997    2814    0    0    0     0       0          0

So ~4 megabytes for a non-interactive Desktop session for BBC news. Notice from the point of view of the host, the data was transmitted - to the container!

That’s why /proc/net/dev’s Receive and Transmit might be flipped around.