@spasoye
Well, your solution shouldn’t have worked. I will confess to not knowing what --security-opt does. “seccomp=unconfined” sounds pretty dangerous.
Yes, libasound2 and alsa-utils are always good to add.
A container is like state-run media in a country run by a dictator. It only broadcasts what the dictator tells it.
When you issue the docker command you are the dictator. The Toradex documentation isn’t really good at explaining this. Maybe there is one page that makes total sense of everything, but after roughly six months of looking through all of the circular links, I have never found it.
```bash
# The options are collected in a bash array so the comments can stay where
# they are; a bare multi-line command with '#' lines between the options
# will not run as written.
run_args=(
  --rm -it --name=bamby
  # access to uarts
  --device=/dev/verdin-uart1 --device=/dev/verdin-uart2
  # access to CODEC
  --device=/dev/snd
  # mount anything found in /media under /media/torizon owned by torizon
  --mount type=bind,source=/media,target=/media/torizon,bind-propagation=shared
  # use the same tmp and dbus as the host
  -v /tmp:/tmp -v /var/run/dbus:/var/run/dbus
  # stuff nobody understands but always includes
  -v /dev/galcore:/dev/galcore --device-cgroup-rule='c 199:* rmw'
  # your container
  seasonedgeek/my_beautiful_container
  # a bash shell for the interactive mode
  bash
)
docker run "${run_args[@]}"
```
When you mess with --privileged or --security-opt your container isn’t contained. It can now reach willy-nilly out into the host. Definitely something you do not want chromium to be able to do! Few things more insecure than a Web browser.
Just a couple of nits:
It seems that you have --virtual-keyboard listed twice.
Unless you mount some media anything the browser downloads won’t be accessible via the host. That may be what you want, I don’t know. Just passing the information along.
It took me a while to wrap my noggin around this as well.
A container must be viewed and treated like state-run media. It only gets what it gets, does what you tell it, and can be completely replaced at a moment's notice.
The moment you give it any kind of --priv, it becomes “free press” and can do whatever it wants to the host.
The point of the container is to protect the host from both evil and reality.
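As an added example (not code from this post, from Toradex, or from any of the posters): a small Python linter that reads a `docker run` line and reports the things discussed above: `--privileged`, `--security-opt` with `seccomp=unconfined` or `apparmor=unconfined`, a flag listed twice, and which host paths the `-v`/`--mount` options share into the container. The `SAMPLE` command line is constructed for the example: it is the run line from the post plus the `--security-opt seccomp=unconfined` and the duplicated `--virtual-keyboard` that the post criticizes, with `chromium` standing in as the command run inside the container.

```python
"""Lint a `docker run` command line for settings that un-contain the container.

Constructed example; not from the forum post or Toradex. It covers only what
the post talks about: --privileged, --security-opt ...=unconfined, the same
flag listed twice, and the host paths shared in through -v / --mount.
"""
import shlex
from typing import Dict, List, Tuple

# docker run options that take their value as the next token when not written --opt=value
VALUE_OPTS = {"--security-opt", "--device", "--mount", "-v", "--volume",
              "--name", "--device-cgroup-rule", "-e", "--env", "-p", "--publish"}
# options that are legitimately given more than once
REPEATABLE = {"--security-opt", "--device", "--mount", "-v", "--volume",
              "--device-cgroup-rule", "-e", "--env", "-p", "--publish"}
# --security-opt values that switch a kernel-level sandbox off
UNCONFINED = {"seccomp=unconfined", "apparmor=unconfined"}

# Constructed sample: the post's run line plus the two mistakes it warns about.
SAMPLE = """
docker run --rm -it --name=bamby
  --security-opt seccomp=unconfined
  --device=/dev/verdin-uart1 --device=/dev/verdin-uart2
  --device=/dev/snd
  --mount type=bind,source=/media,target=/media/torizon,bind-propagation=shared
  -v /tmp:/tmp -v /var/run/dbus:/var/run/dbus
  -v /dev/galcore:/dev/galcore --device-cgroup-rule='c 199:* rmw'
  seasonedgeek/my_beautiful_container
  chromium --virtual-keyboard --virtual-keyboard
"""


def parse_run(cmd: str) -> Tuple[List[Tuple[str, str]], str, List[str]]:
    """Split `docker run ...` into (docker options, image, container command).

    shlex strips '#' comment lines, so the annotated form in the post parses too.
    """
    tokens = shlex.split(cmd, comments=True)
    if tokens[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run ...' command line")
    opts, image, command = [], "", []
    it = iter(tokens[2:])
    for tok in it:
        if image:
            command.append(tok)            # everything after the image belongs to the container
        elif tok.startswith("--") and "=" in tok:
            opt, val = tok.split("=", 1)
            opts.append((opt, val))
        elif tok in VALUE_OPTS:
            opts.append((tok, next(it, "")))
        elif tok.startswith("-"):
            opts.append((tok, ""))         # boolean flag: --rm, -it, --privileged, ...
        else:
            image = tok
    return opts, image, command


def audit(cmd: str) -> Dict[str, List[str]]:
    """Return findings grouped by severity plus the host paths the container can reach."""
    opts, _image, command = parse_run(cmd)
    findings: Dict[str, List[str]] = {"critical": [], "high": [], "nit": [], "host_paths": []}
    by_opt: Dict[str, List[str]] = {}
    for opt, val in opts:
        by_opt.setdefault(opt, []).append(val)

    if "--privileged" in by_opt:
        findings["critical"].append("--privileged: the container is not contained at all")
    for val in by_opt.get("--security-opt", []):
        if val.replace(" ", "").lower() in UNCONFINED:
            findings["high"].append(f"--security-opt {val}: kernel-level sandbox switched off")
    # the same docker flag given twice (outside the repeatable ones) is usually a copy-paste slip
    for opt, vals in by_opt.items():
        if opt not in REPEATABLE and len(vals) > 1:
            findings["nit"].append(f"{opt} listed {len(vals)} times")
    # the same argument given twice to the program inside the container
    for arg in sorted({a for a in command if command.count(a) > 1}):
        findings["nit"].append(f"{arg} listed {command.count(arg)} times in the container command")
    # what the container shares with the host: the source side of every -v / --mount
    for opt, val in opts:
        if opt in ("-v", "--volume"):
            findings["host_paths"].append(val.split(":", 1)[0])
        elif opt == "--mount":
            kv = dict(p.split("=", 1) for p in val.split(",") if "=" in p)
            if "source" in kv:
                findings["host_paths"].append(kv["source"])
    return findings


if __name__ == "__main__":
    for severity, items in audit(SAMPLE).items():
        for item in items:
            print(f"[{severity}] {item}")
```

The host-path list is deliberately reported on its own rather than graded: whether sharing `/tmp` or `/media` is a problem depends on what the container is for, which is the point the post makes about downloads only being visible on the host if you mount something.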