Docker Community Forums

Docker user namespaces


(Madog) #1

Hi All:

I am trying to get Chrome to run in a docker container and it appears that Google has changed how they do sandboxing so the examples I’ve found online (e.g., uber docker master Jess Frazelle: https://github.com/jfrazelle/dockerfiles/blob/master/chrome/stable/Dockerfile) no longer work. They throw various errors like “Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted”.

Additional threads suggest adding --userns-remap to the docker daemon (including https://blog.docker.com/2016/02/docker-engine-1-10-security/), but my sense is capabilities need to be turned on in the kernel (https://github.com/jfrazelle/dockerfiles/issues/17 and https://github.com/jfrazelle/dockerfiles/issues/65#).

Question 1: does anyone have a working dockerfile example that uses chrome without messing with the kernel?

Question 2: If not, does anyone have a clear approach to adding capabilities like user namespaces to an existing kernel (or adding them in during the original build)? Ideally I’m hoping to use Debian Jessie or Stretch and then I assume recompiling the kernel?

Help appreciated. PS: I’m running docker 1.11.2


(Huan LI) #2

I have the same issue, and I use the ‘--no-sandbox’ chrome arg to make it work.


(Nathan Le Claire) #3

Looking at the thread on Jess’s GH repo it seems that Chrome wants to create its own user namespace sandbox which is not supported by some kernels. Usually capabilities refer to things like CAP_NET_ADMIN which define privileges of individual processes, e.g. to “spy” on the network traffic. You might be thinking of kernel configuration options, which is what’s needed here and would require a kernel compile and re-boot.

I’d be surprised to find out that user namespace remap would help the problem. It seems likely to only make any permissions issues that you’re having worse since you’re no longer “true root” in the container.

I’d suggest @zixia’s --no-sandbox fix if it works and you’re not feeling particularly ambitious.
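
The distinction drawn above (kernel config option vs. capability vs. sysctl) is the thing to verify before rebuilding anything. The following script is an added example and not code from any post in this thread: it classifies user-namespace support on the host from the kernel config (`CONFIG_USER_NS`) and two sysctl files. The sysctl paths are assumptions about common kernels (`kernel.unprivileged_userns_clone` is a Debian/Ubuntu patch, not upstream), the sample config strings are constructed, and the status labels are this script's own.

```python
import gzip
import platform
import re

# Sysctl files that can switch user namespaces off even when the kernel was
# built with CONFIG_USER_NS=y. Paths are assumptions about common distros;
# the first knob only exists on Debian/Ubuntu-patched kernels.
SYSCTLS = {
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
}

# Constructed sample configs (not from any real machine) for demonstration.
SAMPLE_CONFIG_WITH_USER_NS = "CONFIG_NAMESPACES=y\nCONFIG_USER_NS=y\nCONFIG_PID_NS=y\n"
SAMPLE_CONFIG_WITHOUT_USER_NS = "CONFIG_NAMESPACES=y\n# CONFIG_USER_NS is not set\nCONFIG_PID_NS=y\n"


def parse_kernel_config(text):
    """Return {option: value} from kernel .config text.

    'CONFIG_X=y' -> 'y', 'CONFIG_X=m' -> 'm', '# CONFIG_X is not set' -> 'n'.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def user_ns_status(config_text, sysctl_values):
    """Classify user-namespace support from config text and sysctl contents.

    sysctl_values maps the keys of SYSCTLS to the file's text, or None when
    the file does not exist on this kernel.
    """
    opts = parse_kernel_config(config_text)
    if not opts:
        return "unknown"  # no kernel config could be read; cannot decide
    if opts.get("CONFIG_USER_NS") != "y":
        return "compiled-out"  # a kernel rebuild is the only fix
    clone = sysctl_values.get("kernel.unprivileged_userns_clone")
    if clone is not None and clone.strip() == "0":
        return "disabled-by-sysctl"  # support exists, a sysctl turns it off
    max_ns = sysctl_values.get("user.max_user_namespaces")
    if max_ns is not None and max_ns.strip() == "0":
        return "disabled-by-sysctl"
    return "available"


def load_running_kernel():
    """Read the live kernel config and sysctls; returns (config_text, sysctl_values)."""
    config_text = ""
    for path in ("/proc/config.gz", "/boot/config-" + platform.release()):
        try:
            if path.endswith(".gz"):
                with gzip.open(path, "rt") as f:
                    config_text = f.read()
            else:
                with open(path) as f:
                    config_text = f.read()
            break
        except OSError:
            continue  # try the next candidate location
    sysctl_values = {}
    for key, path in SYSCTLS.items():
        try:
            with open(path) as f:
                sysctl_values[key] = f.read()
        except OSError:
            sysctl_values[key] = None  # knob absent on this kernel
    return config_text, sysctl_values


if __name__ == "__main__":
    # Show the classifier on the constructed samples, then on this host.
    print("sample with USER_NS:   ", user_ns_status(SAMPLE_CONFIG_WITH_USER_NS, {}))
    print("sample without USER_NS:", user_ns_status(SAMPLE_CONFIG_WITHOUT_USER_NS, {}))
    cfg, sysctls = load_running_kernel()
    print("this host:             ", user_ns_status(cfg, sysctls))
```

A result of `compiled-out` means the error quoted in the first post is expected and only a kernel rebuild helps; `disabled-by-sysctl` means the kernel can do it and an administrator has switched it off; `available` means the failure lies elsewhere (for example in the container's seccomp or capability settings) rather than in the kernel.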


(Kart42) #4

I am successfully running Chromium 61.0.3163.100 inside docker on Alpine 3.7 using the following Python code:

from selenium import webdriver

url = "https://example.com"  # placeholder; the original post does not define url
chromeOptions = webdriver.ChromeOptions()
chromeOptions.add_argument("--headless")     # no display inside the container
chromeOptions.add_argument("--no-sandbox")   # skip Chrome's user-namespace sandbox
chromeOptions.add_argument("--disable-gpu")
driver = webdriver.Chrome(chrome_options=chromeOptions)  # chrome_options kwarg as in Selenium 3
driver.get(url)
driver.quit()  # release the browser process when done

without any tweaks (e.g. docker run, kernel). Alpine has packages for chrome and chrome webdriver.
I love Alpine (in a platonic way).