Running Brave in a Docker Container
Security-minded users often run Docker to create an additional sandbox around an untrusted application running on their system. Web browsers are among the most untrusted applications we run today. Here’s how to set up the Brave Browser to run in Docker.
To paraphrase T.S. Eliot, ‘good coders borrow and great coders steal.’ So I’ll be borrowing from Jess Frazelle’s work on running Chromium in Docker and using her seccomp profile. The profile lists the system calls that Chromium, or in our case Brave, is allowed to make inside the Docker container.
Install and Configure Docker
You will first need to install Docker on your machine and make sure the daemon is running. To verify your system is configured to run Docker, try running the hello-world image:
If it doesn’t run, there are many guides to configuring Docker available.
Brave in Docker
To run Brave in Docker, clone the brave-github GitHub repository.
The Dockerfile in this repository uses a basic Fedora image to install Brave from the release channel RPM repository.
Follow these steps to set up the additional prerequisites:
- Change into the brave-docker directory after cloning:
cd brave-docker
- Next, you’ll need to download the seccomp profile from here:
wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -O chrome.json
- Add xhost permissions for your user with the command below. (This opens up xhost to all clients, so it’s probably good to come up with a more restrictive method.)
xhost +
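The chrome.json profile downloaded in the steps above comes from a mutable master branch, so it is worth reading before handing it to Docker. The following is an added example, not part of the original post or of Jess Frazelle's repository: it summarises a Docker seccomp profile, flags sensitive syscalls the profile allows, and records a SHA-256 digest for later comparison. The REVIEW list and the embedded sample profile are constructed assumptions.

```python
import hashlib
import json
import sys

# Syscalls worth a manual look when a profile allows them. This list is an
# assumption of the example, not something taken from chrome.json.
REVIEW = {"ptrace", "mount", "umount2", "pivot_root", "chroot", "unshare",
          "setns", "bpf", "keyctl", "kexec_load", "init_module", "finit_module"}
DENYING = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}

# Constructed sample in Docker's seccomp JSON format (not the real chrome.json).
SAMPLE = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"name": "read", "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["write", "chroot"], "action": "SCMP_ACT_ALLOW"},
    {"name": "unshare", "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 268435456, "op": "SCMP_CMP_EQ"}]},
    {"name": "ptrace", "action": "SCMP_ACT_ERRNO"}
  ]
}"""

def audit(profile_text):
    """Summarise a seccomp profile: default action, allowed syscalls, review list."""
    profile = json.loads(profile_text)
    allowed, conditional = set(), set()
    for rule in profile.get("syscalls") or []:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Older profiles use one "name" per rule, newer ones a "names" list.
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        # Rules with "args" allow the syscall only for matching argument values.
        (conditional if rule.get("args") else allowed).update(names)
    conditional -= allowed
    return {
        # Digest lets a later download from the same URL be compared to this one.
        "sha256": hashlib.sha256(profile_text.encode()).hexdigest(),
        "default_action": profile.get("defaultAction"),
        "allowlist": profile.get("defaultAction") in DENYING,
        "allowed": sorted(allowed),
        "conditional": sorted(conditional),
        "review": sorted(REVIEW & (allowed | conditional)),
    }

if __name__ == "__main__":
    # Usage: python audit_seccomp.py chrome.json (falls back to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = audit(text)
    for key in ("sha256", "default_action", "allowlist", "conditional", "review"):
        print(f"{key}: {report[key]}")
    print(f"allowed unconditionally: {len(report['allowed'])} syscalls")
```

An entry in the review list is a prompt to read that rule in the profile, not proof of a problem.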
Building the Docker image
To build the image, run:
You can use any tag you like; just replace the -t argument above.
To list your image after building, run the command:
Running the container
To run Brave in the image you built, use the docker run command:
It will default to using UID/GID 1000 for the brave user in the container. This will allow you to mount your ~/Download directory as a volume in the container, in order to download files as you would using a browser normally in your environment. If you need to change the UID/GID, pass the flag --build-arg UID_GID=YOUR_UID to the docker build command in the previous section.
Have fun!