I am trying to get Chrome to run in a docker container and it appears that Google has changed how they do sandboxing so the examples I’ve found online (e.g., uber docker master Jess Frazelle: https://github.com/jfrazelle/dockerfiles/blob/master/chrome/stable/Dockerfile) no longer work. They throw various errors like “Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted”.
Additional threads suggest adding --userns-remap to the docker daemon (including https://blog.docker.com/2016/02/docker-engine-1-10-security/), but my sense is capabilities need to be turned on in the kernel (https://github.com/jfrazelle/dockerfiles/issues/17 and https://github.com/jfrazelle/dockerfiles/issues/65#).
Question 1: does anyone have a working dockerfile example that uses chrome without messing with the kernel?
Question 2: If not, does anyone have a clear approach to adding capabilities like user namespaces to an existing kernel (or adding them in during the original build)? Ideally I’m hoping to use Debian Jessie or Stretch, and then I assume recompiling the kernel?
Help appreciated… PS: I’m running docker 1.11.2
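Before rebuilding anything, a quick host-side diagnostic for the suspicion in the question that user namespaces are the missing piece. This is an added example, not part of the original post or of any linked Dockerfile; it assumes the two sysctl paths below exist on the host (the `kernel.unprivileged_userns_clone` knob is Debian-specific and absent on most other kernels) and that `unshare` from util-linux is installed.

```shell
#!/bin/sh
# Added diagnostic: classify why creating an unprivileged user namespace
# (what Chrome's namespace sandbox needs without a setuid helper) is failing.
#
# classify_userns MAX_USER_NS UNPRIV_CLONE UNSHARE_RC
#   MAX_USER_NS  : contents of /proc/sys/user/max_user_namespaces ("" if absent; kernel >= 4.9)
#   UNPRIV_CLONE : contents of /proc/sys/kernel/unprivileged_userns_clone ("" if absent; Debian patch)
#   UNSHARE_RC   : exit status of `unshare -U true`
# Prints "<tag>: <explanation>" and always returns 0 so it can be used in pipelines.
classify_userns() {
  max_ns="$1"; unpriv="$2"; rc="$3"
  if [ "$rc" -eq 0 ]; then
    echo "ok: unprivileged user namespaces work on this host"
  elif [ "$unpriv" = "0" ]; then
    echo "blocked-by-sysctl: kernel.unprivileged_userns_clone=0 (Debian default); a sysctl change, not a kernel rebuild, is needed"
  elif [ "$max_ns" = "0" ]; then
    echo "blocked-by-limit: user.max_user_namespaces=0; raise the limit via sysctl"
  elif [ -z "$max_ns" ] && [ -z "$unpriv" ]; then
    echo "unknown-kernel: no user-namespace sysctls found; check CONFIG_USER_NS in /boot/config-\$(uname -r) before assuming a rebuild is needed"
  else
    echo "denied: sysctls look fine but creation is still refused; check seccomp, capability and LSM restrictions on the calling process"
  fi
  return 0
}

# Read a /proc file, or yield an empty string if it does not exist.
read_or_empty() {
  if [ -r "$1" ]; then cat "$1"; else echo ""; fi
}

# Run the live check on this host (assumed paths; see lead-in).
main() {
  max_ns=$(read_or_empty /proc/sys/user/max_user_namespaces)
  unpriv=$(read_or_empty /proc/sys/kernel/unprivileged_userns_clone)
  unshare -U true 2>/dev/null
  rc=$?
  classify_userns "$max_ns" "$unpriv" "$rc"
}

main "$@"
```

Run it once on the host and once inside the container (`docker run --rm -v "$PWD/check.sh:/check.sh" debian sh /check.sh`); if the host says "ok" and the container says "denied", the kernel is fine and the restriction is in the container's seccomp or capability profile.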