I am trying to get Chrome to run in a docker container and it appears that Google has changed how they do sandboxing so the examples I’ve found online (e.g., uber docker master Jess Frazelle: https://github.com/jfrazelle/dockerfiles/blob/master/chrome/stable/Dockerfile) no longer work. They throw various errors like “Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted”.
Question 1: does anyone have a working dockerfile example that uses chrome without messing with the kernel?
Question 2: If not, does anyone have a clear approach to adding capabilities like user namespaces to an existing kernel (or adding them in during the original build)? Ideally I’m hoping to use Debian Jessie or Stretch and then I assume recompiling the kernel?
Looking at the thread on Jess’s GH repo it seems that Chrome wants to create its own user namespace sandbox which is not supported by some kernels. Usually capabilities refer to things like CAP_NET_ADMIN which define privileges of individual processes, e.g. to “spy” on the network traffic. You might be thinking of kernel configuration options, which is what’s needed here and would require a kernel compile and re-boot.
I’d be surprised to find out that user namespace remap would help the problem. It seems likely to only make any permissions issues that you’re having worse since you’re no longer “true root” in the container.
I’d suggest @zixia’s --no-sandbox fix if it works and you’re not feeling particularly ambitious.
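A small diagnostic to tell the two cases apart before reaching for `--no-sandbox`: it reads the kernel knobs the user-namespace sandbox depends on and prints the flag you would need. This is an added example, not code from the thread or from the Dockerfile above; the file paths are the standard sysctl/procfs locations, and the `root` argument exists only so the checks can be run against a constructed tree instead of the live `/proc`.

```shell
#!/bin/sh
# Added example (not from the thread): does this kernel let an unprivileged
# process create a user namespace, as Chrome's sandbox needs?
# $1 is the root to inspect; default "/" reads the real /proc.

# Returns 0 if unprivileged user namespaces look available, 1 otherwise.
#   proc/sys/user/max_user_namespaces        : 0 means disabled (absent on old kernels)
#   proc/sys/kernel/unprivileged_userns_clone: Debian-specific knob, 0 means disabled
#   proc/self/ns/user                        : missing when the kernel lacks CONFIG_USER_NS
userns_available() {
  root="${1:-/}"
  maxns="$root/proc/sys/user/max_user_namespaces"
  debknob="$root/proc/sys/kernel/unprivileged_userns_clone"
  if [ -f "$maxns" ] && [ "$(cat "$maxns")" -eq 0 ] 2>/dev/null; then
    return 1
  fi
  if [ -f "$debknob" ] && [ "$(cat "$debknob")" -eq 0 ] 2>/dev/null; then
    return 1
  fi
  [ -e "$root/proc/self/ns/user" ]
}

# Prints the flag to append to the chrome command line: empty when the
# kernel sandbox can work, "--no-sandbox" otherwise. --no-sandbox drops the
# renderer isolation, so treat it as the fallback, not the fix.
chrome_sandbox_flag() {
  if userns_available "$1"; then
    printf '%s' ''
  else
    printf '%s' '--no-sandbox'
  fi
}

# Stand-alone run against the live host.
if [ "${0##*/}" != "sh" ] && [ -z "$USERNS_CHECK_NO_MAIN" ]; then
  if userns_available /; then
    echo "user namespaces available; run chrome without --no-sandbox"
  else
    echo "user namespaces unavailable; chrome needs: $(chrome_sandbox_flag /)"
  fi
fi
```

A passing check on the host is necessary but not sufficient inside Docker: the container's seccomp profile must also allow `clone` with `CLONE_NEWUSER`, which Docker's default profile blocks, so a live `unshare -U true` from inside the container is the definitive test.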