Currently, I have a web snapshot application, which uses headless Chrome to navigate to and capture a snapshot of a web page.
The flow is: Screenshot (Spring Boot App using Selenium) -> Chromedriver -> Chrome Browser
Now, I want to Dockerize this to run in a cloud (prod) environment. So, we have a CentOS image with Chromedriver, Chrome and the Screenshot application installed.
When I try to run Chrome in Docker as a non-root user, I get the error:
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
As I understand, this issue is Docker not allowing access to “setns” by default.
There are a few workarounds that I know of:
Run the container with: --privileged
Obviously, this one is BAD, since it gives root access/privileges to the host system. So, not an option.
Run with: --cap-add SYS_ADMIN
As I understand, this too is bad, since it gives too much privilege to the Docker container. So, not an option.
Run with: --security-opt seccomp:unconfined
Works. But again, maybe too loose?
Run with: --security-opt seccomp:./chrome.json (using Jess Frazelle's chrome.json file, i.e. https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json)
Works. But is this safe for a production environment?
I’ve seen mention of turning on user namespace support in the kernel?
How would I do this in CentOS? I’m not necessarily against using another flavor of Linux (e.g. Ubuntu), if that makes it easier. Does this option eliminate the need for a custom seccomp file?
Are there any other options that I’m missing? Any concerns about security here? I obviously don’t want to open up a host machine to any security risks.
Thanks in advance.
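An added example, not part of the original question: before shipping a custom seccomp profile such as chrome.json to production, it helps to audit what it actually permits. This small Python check parses a Docker seccomp profile and reports the effective action for the namespace-related syscalls (setns, which the question names, plus clone and unshare, the other syscalls that create or enter namespaces). The profile below is a constructed sample for the example, not chrome.json, and the syscall list is an assumption about what to audit.

```python
import json

# Syscalls used to create or join namespaces. "setns" is the one the question
# points at; clone and unshare are the other two. Assumed audit list for this example.
NAMESPACE_SYSCALLS = ("clone", "unshare", "setns")


def explicit_actions(profile: dict) -> dict:
    """Map every syscall the profile lists explicitly to its action.

    Handles both the older per-syscall "name" entries and the newer grouped
    "names" entries found in Docker seccomp profiles. A rule with "args" is
    conditional (e.g. clone allowed only without namespace flags), so it is
    tagged to avoid reading it as an unconditional allow.
    """
    actions = {}
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule["name"]]
        action = rule["action"] + (" (conditional on args)" if rule.get("args") else "")
        for name in names:
            actions[name] = action
    return actions


def audit(profile: dict, needed=NAMESPACE_SYSCALLS) -> dict:
    """Effective action per needed syscall; unlisted syscalls fall to defaultAction."""
    explicit = explicit_actions(profile)
    return {name: explicit.get(name, profile["defaultAction"]) for name in needed}


def blocked_namespace_syscalls(profile: dict) -> list:
    """Namespace syscalls the profile does not unconditionally allow.

    Any entry here is a candidate cause of Chrome's 'Failed to move to new
    namespace' error; an empty list means the profile is permissive for them.
    """
    return sorted(n for n, a in audit(profile).items() if a != "SCMP_ACT_ALLOW")


# Constructed sample: default-deny, clone allowed only with restricted args,
# unshare and setns not listed at all (so they inherit SCMP_ACT_ERRNO).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"name": "clone", "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2080505856, "op": "SCMP_CMP_MASKED_EQ"}]}
  ]
}
""")

if __name__ == "__main__":
    for name, action in audit(SAMPLE_PROFILE).items():
        print(f"{name:8s} -> {action}")
    print("not unconditionally allowed:", blocked_namespace_syscalls(SAMPLE_PROFILE))
```

Run it against the real chrome.json (`json.load(open("chrome.json"))`) to see which of the three it opens up compared with Docker's default profile; that difference is the extra surface you would be accepting in production.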