Dockerizing Chrome Security Questions


Currently, I have a web snapshot application, which uses headless chrome to navigate and capture a snapshot of a web page.

The flow is: Screenshot (Spring Boot App using Selenium) -> Chromedriver -> Chrome Browser

Now, I want to Dockerize this to run in a cloud (prod) environment. So, we have a CentOS image with Chromedriver, Chrome and the Screenshot application installed.

When I try to run Chrome in Docker as a non-root user, I get the error:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

As I understand, this issue is Docker not allowing access to “setns” by default.

There are a few workarounds that I know of:

Run the container with: --privileged

Obviously, this one is BAD, since it gives root access/privileges to the host system. So, not an option.

Run with: --cap-add SYS_ADMIN

As I understand, this too, is bad, since it gives too much privilege to the docker container. So, not an option.

Run with: --security-opt seccomp:unconfined

Works. But again, maybe too loose?

Run with: --security-opt seccomp:./chrome.json (using Jess Frazelle’s chrome.json file, i.e. )

Works. But is this safe for a production environment?

I’ve seen mention of turning on user namespace support in the kernel?

How would I do this in CentOS? I’m not necessarily against using another flavor of Linux (e.g. Ubuntu), if that makes it easier. Does this option eliminate the need for a custom seccomp file?

Are there any other options that I’m missing? Any concerns about security here? I obviously don’t want to open up a host machine to any security risks.

Thanks in advance.

So, I figured out how to get it to work with minimal changes to the default seccomp file:

With Jess’ file, everything works fine.

But, I compared Jess’ chrome.json to the default.json. Looks like Jess adds 11 new syscalls, and removes 12 of the defaults.

So, I took the default.json file and added all 11 of the new syscalls. It worked. Then, I removed items 1 by 1, to determine what was needed and what wasn’t.

I determined that only 2 of the items were necessary (for me, anyway). Those 2 are: clone and unshare (oddly enough, setns wasn’t needed).

I can’t attach my file, but all I did was add a line to /syscalls/names/ … i.e. “clone”, “unshare”
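The comparison-and-patch procedure described above (diff a browser-specific profile against the default, then add only the syscalls actually needed to the default) can be scripted so the change is reviewable rather than hand-edited. The following is an added example, not code from the original post or from Docker; the two embedded profiles are small constructed stand-ins in Docker's seccomp JSON layout, not the real default.json or chrome.json, and the function names are the example's own.

```python
"""Compare two Docker seccomp profiles and add a minimal set of syscalls
to a baseline profile, keeping the baseline rules untouched.

The profile fragments below are CONSTRUCTED, hypothetical stand-ins in
Docker's seccomp JSON layout; they are not the real default.json or
chrome.json, just enough structure to show the technique.
"""
import json

# Constructed stand-in for Docker's default profile (abbreviated).
BASELINE_JSON = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {
            "names": ["read", "write", "open", "close", "mmap", "execve"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        },
        {   # namespace syscalls only when the container holds CAP_SYS_ADMIN
            "names": ["clone", "setns", "unshare"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
    ],
})

# Constructed stand-in for a browser-specific profile (hypothetical).
BROWSER_JSON = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {
            "names": ["read", "write", "open", "close", "mmap", "execve",
                      "clone", "unshare", "setns", "mount"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        },
    ],
})


def unconditional_allows(profile):
    """Set of syscall names allowed with no capability or argument
    condition attached: what a non-root, no-extra-caps container gets."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes") or rule.get("args"):
            continue  # conditional rule; not granted unconditionally
        names.update(rule.get("names", []))
    return names


def diff_profiles(baseline_text, candidate_text):
    """(added, removed): names the candidate allows unconditionally that
    the baseline does not, and names the baseline allows but the
    candidate drops."""
    base = unconditional_allows(json.loads(baseline_text))
    cand = unconditional_allows(json.loads(candidate_text))
    return sorted(cand - base), sorted(base - cand)


def add_syscalls(baseline_text, extra_names):
    """Return new profile text: the baseline plus ONE extra unconditional
    allow rule for extra_names. Existing rules are left as they are so a
    reviewer can see exactly what was widened."""
    profile = json.loads(baseline_text)
    new_names = sorted(set(extra_names) - unconditional_allows(profile))
    if new_names:
        profile["syscalls"].append({
            "names": new_names,
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "added for the headless Chrome sandbox",
        })
    return json.dumps(profile, indent=2)


def patched_allows(baseline_text, extra_names):
    """Sorted unconditional allow list after patching (for inspection)."""
    return sorted(unconditional_allows(json.loads(add_syscalls(baseline_text, extra_names))))


if __name__ == "__main__":
    added, removed = diff_profiles(BASELINE_JSON, BROWSER_JSON)
    print("browser profile adds:", added)
    print("browser profile drops:", removed)
    print(add_syscalls(BASELINE_JSON, ["clone", "unshare"]))
```

Run it against the real files (for example by replacing the two constants with the contents of Docker's default.json and the browser profile) to get the same kind of added/removed lists the post describes, then pass the patched output with `--security-opt seccomp:./patched.json`. One caveat worth keeping in mind when reviewing the result: in Docker's real default profile `clone` is not simply absent but allowed with an argument mask that refuses the namespace-creating flags, and `setns`/`unshare` are gated on CAP_SYS_ADMIN, so adding `clone` and `unshare` as unconditional allows is precisely the widening Chrome's sandbox needs to create its own namespaces, and it is also the part of the change a security review should focus on.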