jessfraz/dockerfiles

Dockerizing Chrome Security Concerns

yngwietiger opened this issue · 2 comments

Hi,

Currently, I have a web snapshot application, which uses headless chrome to navigate and capture a snapshot of a web page.

The flow is: Screenshot (Spring Boot App using Selenium) -> Chromedriver -> Chrome Browser

Now, I want to Dockerize this to run in production. So, we have a CentOS image with Chromedriver, Chrome and the Screenshot application installed.

When I try to run Chrome in Docker as a non-root user, I get the famous error:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

As I understand, this issue is Docker not allowing access to "setns" by default.

There are a few workarounds that I know of:

  1. Run the container with: --privileged

    Obviously, this one is BAD, since it gives root access/privileges to the host system. So, not an option.

  2. Run with: --cap-add SYS_ADMIN

    As I understand, this, too, is bad, since it gives too much privilege to the docker container. So, not an option.

  3. Run with: --security-opt seccomp:unconfined

    Works. But again, maybe too loose?

  4. Run with: --security-opt seccomp:./chrome.json (using Jess' chrome.json file, i.e. https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json)

    Works. But is this safe for a production environment?

  5. I've seen mention of turning on user namespace support in the kernel?

    How would I do this in CentOS? I'm not necessarily against using another flavor of Linux (e.g. Ubuntu), if that makes it easier. Does this option eliminate the need for a custom seccomp file?

Are there any other options that I'm missing? Any concerns about security here? I obviously don't want to open up a host machine to any security risks.

Thanks in advance,

yngwietiger

So, I figured out how to get it to work with minimal changes to the default seccomp file: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

With Jess' file, everything works fine.

But, I compared Jess' chrome.json to the default.json. Looks like Jess adds 11 new syscalls, and removes 12 of the defaults.

So, I took the default.json file and added all 11 of the new syscalls. It worked. Then, I removed items one by one, to determine what was needed and what wasn't.

I determined that only 2 of the items were necessary (for me, anyway). Those 2 are: clone and unshare (oddly enough, setns wasn't needed).

See my attached default2.txt (site won't let me attach a json file). The first line under /syscalls/names/ is my change, i.e. "clone", "unshare".

default2.txt

Thanks.
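The comparison described in the comment above, as an added example that is not part of the thread or of either repository: two constructed miniature profiles in the Docker seccomp JSON layout (not the real default.json or chrome.json) are diffed, and a copy of the base profile is extended with only the syscalls found to be needed, so the rest of the default deny-list stays intact.

```python
import json
from copy import deepcopy

# Constructed miniature profiles in the Docker seccomp JSON layout
# (these are NOT the real default.json or chrome.json, only their shape).
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "futex"], "action": "SCMP_ACT_ALLOW", "args": []},
        # In the real default profile, unshare/setns are gated on CAP_SYS_ADMIN.
        {"names": ["unshare", "setns"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}
CHROME_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "clone", "unshare", "setns"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

def allowed_names(profile, unconditional_only=True):
    """Set of syscall names the profile allows; with unconditional_only, rules that
    need a capability ("includes": {"caps": [...]}) are skipped, since a container
    run without --cap-add never gets them."""
    names = set()
    for rule in profile["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if unconditional_only and rule.get("includes", {}).get("caps"):
            continue
        names.update(rule["names"])
    return names

def diff_profiles(base, other):
    """(added, removed): syscalls other allows beyond base, and ones it drops."""
    a, b = allowed_names(base), allowed_names(other)
    return sorted(b - a), sorted(a - b)

def extend_profile(base, extra_names):
    """Copy base and append one unconditional allow rule for extra_names."""
    out = deepcopy(base)
    out["syscalls"].append({"names": sorted(extra_names), "action": "SCMP_ACT_ALLOW", "args": []})
    return out

if __name__ == "__main__":
    print("added/removed:", diff_profiles(DEFAULT_PROFILE, CHROME_PROFILE))
    # Write the result to a file and pass it with --security-opt seccomp=<file>.
    print(json.dumps(extend_profile(DEFAULT_PROFILE, ["clone", "unshare"]), indent=2))
```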

Use the seccomp profile provided and it is secure; do not add caps or turn off the sandbox.