mdouchement/zoom-us:latest won't start, as of 5.10.3.2778

[olberger]

I tried to launch it today, from an image downloaded with docker pull mdouchement/zoom-us:latest, and nothing happens.

Inside the container (docker run -it mdouchement/zoom-us:latest /bin/bash),

# cat /opt/zoom/version.txt
5.10.3.2778

Dunno what's wrong, but may attempt to debug a bit

[olberger]

$HOME/zoomus/.zoom/logs/zoom_stdout_stderr.log exhibits:

ZoomLauncher started.
Zoom path is: /opt/zoom
cmd line: 
Start subprocess: /opt/zoom/zoom sucessfully,  process pid: 49 
No PulseAudio daemon running, or not running as session daemon.
                             Class      App      Lib Possible Culprit Flags
                resip::Connection      648      648 
                      resip::Data       36       36 
                 resip::DnsResult     1080     1080 
                   resip::Headers        1        1 
          resip::MsgHeaderScanner       40       40 
                resip::SipMessage     5208     5208 
         resip::TransportSelector      864      864 
                     resip::Tuple      128      128 
              resip::UdpTransport     1144     1144 
          resip::GenericIPAddress       28       28 

zoom started.
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
zoom was exited due to a handled signal: 5 
ZoomLauncher exit.

[olberger]

It seems that running with --privileged would do... but I'm afraid of the consequences...

[mdouchement]

It gives root access to the container. I think that Zoom has change some network access.

You may have some input from https://github.com/jessfraz/dockerfiles/issues/350

[winterdeaf]

It appears that zoom is now spawning a chrome-sandbox (/opt/zoom/cef/chrome-sandbox). Therefore the same problems of dockerizing chrome apply (see jessfraz/dockerfiles#341).

Passing --security-opt seccomp=unconfined to docker or using this seccomp profile (which is essentially this one + statx) will fix the problem.

diff --git a/scripts/zoom-us-wrapper b/scripts/zoom-us-wrapper
index 8642b45..338365b 100755
--- a/scripts/zoom-us-wrapper
+++ b/scripts/zoom-us-wrapper
@@ -117,6 +117,7 @@ prepare_docker_device_parameters

 echo "Starting ${prog}..."
 ${SUDO} docker run -d \
+  --security-opt seccomp=./docker.json \
   ${ENV_VARS} \
   ${VIDEO_DEVICES} \
   --device /dev/dri \

[olberger]

Hmmm... One main interest of Dockerizing Zoom (for me at least) is to sandbox it from doing nasty thing on the user's machine... how's this affecting the effectiveness of this sandboxing ?

[clst]

I tried a lot with commandline parameters and QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox" (also in /sbin/entrypoint.sh but was not successful. The commandline parameter --disable-seccomp-filter-sandbox works for teams but not for zoom.

So the seccomp profile @winterdeaf suggested is currently the best option. :(

EDIT: weirdly the latest image still doesn't run. But using 9e0dfd3cf61d and installing the latest zoom.deb does. I guess something breaks xcb in the latest one:

qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

[EvTheFuture]

When adding --env=QT_DEBUG_PLUGINS=1 to the docker command line when launching zoom, I get this extra information:

Cannot load library /opt/zoom/Qt/plugins/platforms/libqxcb.so: (libxcb-icccm.so.4: cannot open shared object file: No such file or directory)
QLibraryPrivate::loadPlugin failed on "/opt/zoom/Qt/plugins/platforms/libqxcb.so" : "Cannot load library /opt/zoom/Qt/plugins/platforms/libqxcb.so: (libxcb-icccm.so.4: cannot open shared object file: No such file or directory)"
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

No PulseAudio daemon running, or not running as session daemon.
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
zoom was exited due to a handled signal: 6 
ZoomLauncher exit.