Dockerizing Chrome Security Concerns
yngwietiger opened this issue · 2 comments
Hi,
Currently, I have a web snapshot application, which uses headless chrome to navigate and capture a snapshot of a web page.
The flow is: Screenshot (Spring Boot App using Selenium) -> Chromedriver -> Chrome Browser
Now, I want to Dockerize this to run in production. So, we have a CentOS image with Chromedriver, Chrome and the Screenshot application installed.
When I try to run Chrome in Docker as a non-root user, I get the famous error:
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
As I understand, this issue is Docker not allowing access to "setns" by default.
There are a few workarounds that I know of:
- Run the container with: --privileged
  Obviously, this one is BAD, since it gives root access/privileges to the host system. So, not an option.
- Run with: --cap-add SYS_ADMIN
  As I understand, this too is bad, since it gives too much privilege to the Docker container. So, not an option.
- Run with: --security-opt seccomp:unconfined
  Works. But again, maybe too loose?
- Run with: --security-opt seccomp:./chrome.json (using Jess' chrome.json file, i.e. https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json)
  Works. But is this safe for a production environment?
- I've seen mention of turning on user namespace support in the kernel?
  How would I do this in CentOS? I'm not necessarily against using another flavor of Linux (e.g. Ubuntu), if that makes it easier. Does this option eliminate the need for a custom seccomp file?
Are there any other options that I'm missing? Any concerns about security here? I obviously don't want to open up a host machine to any security risks.
Thanks in advance,
yngwietiger
So, I figured out how to get it to work with minimal changes to the default seccomp file: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
With Jess' file, everything works fine.
But, I compared Jess' chrome.json to the default.json. Looks like Jess adds 11 new syscalls, and removes 12 of the defaults.
So, I took the default.json file and added all 11 of the new syscalls. It worked. Then, I removed items one by one, to determine what was needed and what wasn't.
I determined that only 2 of the items were necessary (for me, anyway). Those 2 are: clone and unshare (oddly enough, setns wasn't needed).
See my attached default2.txt (site won't let me attach a .json file). The first line under /syscalls/names/ is my change, i.e. "clone", "unshare".
Thanks.
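An added example (not from this issue, Docker, or Jess' dotfiles) of the two steps described above: diffing the unconditional allow-lists of two seccomp profiles, then extending the default profile with only the syscalls found necessary. The profiles are constructed, trimmed-down stand-ins in the shape of a Docker seccomp profile; handling both the `names` list form and the older one-`name`-per-entry form is an assumption about the two files, not a claim about their contents.

```python
import json

# Constructed stand-ins (the real profiles list hundreds of syscalls).
# "clone" in the base profile is allowed only with an argument filter,
# so it does not count as an unconditional allow.
DEFAULT_PROFILE = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [
   {"names": ["read", "write", "futex"], "action": "SCMP_ACT_ALLOW", "args": []},
   {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
    "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_MASKED_EQ"}]}
 ]}""")

# Older per-entry form (assumed shape), with the namespace syscalls opened up.
CHROME_PROFILE = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [
   {"name": "read", "action": "SCMP_ACT_ALLOW", "args": null},
   {"name": "write", "action": "SCMP_ACT_ALLOW", "args": null},
   {"name": "clone", "action": "SCMP_ACT_ALLOW", "args": null},
   {"name": "unshare", "action": "SCMP_ACT_ALLOW", "args": null},
   {"name": "setns", "action": "SCMP_ACT_ALLOW", "args": null}
 ]}""")


def unconditional_allows(profile):
    """Syscalls allowed with no argument filter and no capability condition."""
    allowed = set()
    for rule in profile["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW" or rule.get("args") or rule.get("includes"):
            continue
        allowed.update(rule.get("names") or [rule["name"]])
    return allowed


def compare_profiles(base, other):
    """(added, removed): what `other` opens up beyond `base`, and what it drops."""
    a, b = unconditional_allows(base), unconditional_allows(other)
    return sorted(b - a), sorted(a - b)


def extend_profile(base, extra):
    """Copy `base` and add only `extra` to its first unconditional allow group."""
    profile = json.loads(json.dumps(base))  # deep copy; leave the original intact
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args") and "names" in rule:
            rule["names"] = sorted(set(rule["names"]) | set(extra))
            return profile
    profile["syscalls"].append({"names": sorted(extra), "action": "SCMP_ACT_ALLOW", "args": []})
    return profile
```

Running `compare_profiles(DEFAULT_PROFILE, CHROME_PROFILE)` shows what the looser profile adds and drops; `extend_profile(DEFAULT_PROFILE, ["clone", "unshare"])` yields the minimal profile to pass via `--security-opt seccomp:`.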
Use the seccomp profile provided and it is secure; do not add caps or turn off the sandbox.