Tags: docker, google-chrome, sandbox

How to setup chrome sandbox on docker container?


I am trying to run chrome on a docker container, but I can't properly set up chrome-sandbox, and in every place I search people tell you to just disable the sandbox by passing --no-sandbox. I feel that's a workaround from the same team as "run as root". This is my Dockerfile:

FROM debian:buster-slim

# unprivileged user that will run the browser
RUN adduser --system --group chrome

# install chrome from Google's .deb; ca-certificates is needed for the https download
# chrome-sandbox is the setuid helper: it must be root-owned with mode 4755
RUN apt-get update \
    && apt-get install -y --no-install-recommends wget ca-certificates \
    && wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb \
    && apt install -y --no-install-recommends ./google-chrome-stable_current_amd64.deb \
    && rm google-chrome-stable_current_amd64.deb \
    && chown root:root -R /opt/google/chrome/ \
    && chmod 755 -R /opt/google/chrome/ \
    && chmod 4755 /opt/google/chrome/chrome-sandbox

USER chrome
ENTRYPOINT ["google-chrome", "--headless", "--disable-gpu"]

but it crashes with an illegal instruction error:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Failed to generate minidump.Illegal instruction (core dumped)

It does not crash if I pass --no-sandbox.


Solution

  • It happens because docker's default seccomp policy denies access to syscalls required by chrome to properly set up sandboxing, thus causing the "Operation not permitted" error, namely: clone, unshare, arch_prctl, chroot and ptrace.

    Extend the default policy to add those syscalls to the allowed list; here is a diff from the default:

    {
        "syscalls": [
            {
                "names": [
                    "clone",
                    "unshare",
                    "arch_prctl",
                    "chroot",
                    "ptrace"
                ],
                "action": "SCMP_ACT_ALLOW",
                "args": []
            }
        ]
    }
    

    and pass the JSON file to the --security-opt seccomp=file.json argument of docker run, or to the corresponding key in the compose file:

    version: "3.9"
    
    services:
      chrome:
        security_opt:
          - seccomp=file.json
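
Docker's default profile is a few hundred lines of JSON, so hand-editing it is where bracket mistakes like the one above come from. The script below is an added example, not code from the question or the answer: it takes a base profile (a constructed, much shorter stand-in for the default is embedded inline), appends one SCMP_ACT_ALLOW entry for whichever of the five syscalls the answer names are not already unconditionally allowed, and reports anything still denied so you can check the result before passing it to --security-opt. The function names and the stand-in profile are this example's own.

```python
import copy
import json

# Syscalls the answer above lists as needed by Chrome's sandbox.
CHROME_SANDBOX_SYSCALLS = ["clone", "unshare", "arch_prctl", "chroot", "ptrace"]

# Constructed stand-in for Docker's default profile (the real file is far
# longer); only the structure matters for this example. Note that a real
# default profile allows clone only with argument filters, so clone counts
# as "not unconditionally allowed" and gets added below.
BASE_PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["read", "write", "exit_group", "arch_prctl"],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}
"""


def load_base(base_json=BASE_PROFILE_JSON):
    """Parse a seccomp profile from its JSON text."""
    return json.loads(base_json)


def allowed_syscalls(profile):
    """Names the profile allows unconditionally: action SCMP_ACT_ALLOW and
    no argument filters. Arg-filtered entries are deliberately excluded."""
    names = set()
    for entry in profile.get("syscalls", []):
        if entry.get("action") == "SCMP_ACT_ALLOW" and not entry.get("args"):
            names.update(entry.get("names", []))
    return names


def extend_seccomp_profile(profile, syscalls):
    """Return a deep copy of `profile` with one extra entry that allows every
    name in `syscalls` not already unconditionally allowed. Idempotent, and
    the input profile is never modified."""
    extended = copy.deepcopy(profile)
    already = allowed_syscalls(extended)
    missing = [name for name in syscalls if name not in already]
    if missing:
        extended.setdefault("syscalls", []).append({
            "names": missing,
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        })
    return extended


def check_profile(profile, required):
    """Names from `required` that the profile still does not allow
    unconditionally; an empty list means the profile is ready to use."""
    return sorted(set(required) - allowed_syscalls(profile))


def build_chrome_profile(base_json=BASE_PROFILE_JSON):
    """Extended profile for the Chrome sandbox, built from `base_json`."""
    return extend_seccomp_profile(load_base(base_json), CHROME_SANDBOX_SYSCALLS)


if __name__ == "__main__":
    profile = build_chrome_profile()
    # Write this output to file.json and pass it via --security-opt seccomp=file.json
    print(json.dumps(profile, indent=2))
    print("still denied:", check_profile(profile, CHROME_SANDBOX_SYSCALLS))
```

To use it against the real default, replace BASE_PROFILE_JSON with the contents of profiles/seccomp/default.json from the moby repository and redirect the printed JSON to file.json. Because the extra entry allows unshare, chroot and ptrace for the whole container, keep this profile scoped to the chrome service in the compose file rather than applying it to every container.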