问题
Im trying to run google-chrome --headless inside a docker container as a non-root user to execute some tests. Everytime Im trying to start it, it throws following error:
google-chrome --headless
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted Failed to generate minidump.Illegal instruction
Its a docker container running in k8s cluster. Operating system is Ubuntu 16.04.
Namespaces are enabled, user is non-root
I do not want to use --no-sandbox option as this is a security issue.
I cannot use docker run --security-opt=syscomp:unconfined as its being deployed using helm.
Is there a system permission missing that I need to setup for chrome within the container itself?
回答1:
After researching extensively internet I think I found the answer:
Sandboxing For security reasons, Google Chrome is unable to provide sandboxing when it is running in the container-based environment. To use Chrome in the container-based environment, pass the --no-sandbox flag to the chrome executable
So it looks like there is no better solution than --no-sandbox for me, even though its not being very secure, there are people on the internet claiming that it is still safe to use "--no-sandbox" as its running within container which is extra protected any way.
回答2:
Although this doesn't answer your question, since it you can't set security-opt, this is still a good solution for other people with a similar problem finding the question.
Download this chrome.json file, which contains a custom security profile.
Use the security profile with --security-opt seccomp=path/to/chrome.json or with docker-compose:
# docker-compose.yml
version: '3'
services:
<service name>:
#
# the service configuration
#
security_opt:
- seccomp=<path to downloaded chrome.json>
see https://stackoverflow.com/a/53975412/8678740
来源:https://stackoverflow.com/questions/59087200/google-chrome-failed-to-move-to-new-namespace