qqilihq

Reputation: 11454

Chrome/Chromium inside Docker and the sandbox

I’d like to run a containerized Chromium, and I’m facing issues with the sandbox. I’m running Chromium “raw builds” (not downloaded via package manager, but that shouldn’t make a difference, fwiw). Here’s a minimal Dockerfile which will illustrate my issue:

FROM ubuntu:16.04

# Runtime dependencies of the Chromium build (same list as in the question),
# then drop the apt cache so it does not end up in the image layer.
RUN set -ex; \
    apt-get update; \
    apt-get install -y curl unzip gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils wget; \
    rm -rf /var/lib/apt/lists/*

RUN set -ex; \
# download and install Chromium build, set permissions
# (-f makes curl fail on an HTTP error instead of saving an error page as the zip)
    curl -f -o /tmp/chromium-download.zip https://storage.googleapis.com/chromium-browser-snapshots/Linux_x64/561732/chrome-linux.zip; \
    unzip -d /opt /tmp/chromium-download.zip; \
    rm /tmp/chromium-download.zip; \
# group/other get the owner's permissions minus write: world-readable and
# executable, but only root can modify the install
    chmod -R go=u-w /opt/chrome-linux; \
# create 'chrome' group and user
    groupadd --system chrome; \
    useradd --system --create-home --gid chrome --groups audio,video chrome; \
# Advice re. SUID sandbox in 'Installation instructions for “Raw builds of Chromium”':
# https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md#installation-instructions-for-raw-builds-of-chromium
    chown root:root /opt/chrome-linux/chrome_sandbox; \
    chmod 4755 /opt/chrome-linux/chrome_sandbox

ENV CHROME_DEVEL_SANDBOX="/opt/chrome-linux/chrome_sandbox"
USER chrome
ENV PATH="${PATH}:/opt/chrome-linux"

Building it and trying to run it:

$ docker build . -t chromium
$ docker run -it chromium:latest chrome --headless

And I receive the following error:

[0830/122656.151751:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

The most common troubleshooting mantra (e.g. here; a different project, but the same issue) is: “Just add the --no-sandbox and you’re good to go.” This indeed works.

However, official sources do not recommend this and claim that it “is not needed if you properly setup a user in the container” (see here). As far as I can tell, the user inside the container is created correctly, and I’ve additionally followed the advice on setting the permissions for the SUID sandbox (whose actual role is unclear to me; this page says “The Linux SUID sandbox is almost but not completely removed”, whatever that means in practice).

Any chance of getting this to run without disabling the sandbox? (As this is used for testing, I’d ideally like to keep the sandbox behavior, since I want to simulate the “natural” environment as closely as possible.)

Upvotes: 6

Views: 5091

Answers (1)

Enable user namespaces in your kernel. See also: another relevant thread.

Upvotes: 2
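The answer is terse, so here is a diagnostic script that makes the advice concrete. It is an added example, not code from the question, the answer or the Chromium project. Chromium's zygote tries two sandbox paths on Linux: the namespace sandbox, which needs an unprivileged process to be able to create a user namespace, and the setuid helper named by CHROME_DEVEL_SANDBOX, which runs as root and needs CAP_SYS_ADMIN to set up its PID and network namespaces. Both are withheld by Docker's defaults: the default seccomp profile rejects clone/unshare with CLONE_NEW* flags from an unprivileged container, and the default capability set omits CAP_SYS_ADMIN, which a setuid binary cannot regain. The script, run inside the container as the chrome user, reports which path (if any) is available. It assumes GNU coreutils stat, util-linux unshare, and the helper path from the Dockerfile above; the function names are my own.

```shell
#!/bin/sh
# chromium_sandbox_check.sh: run inside the container (as the 'chrome' user)
# to see which of Chromium's two Linux sandbox paths can work there.
# Added example; not from the question, the answer, or the Chromium project.
# Assumes GNU coreutils 'stat', util-linux 'unshare', and the helper path set
# by CHROME_DEVEL_SANDBOX in the Dockerfile above.

# Return 0 if an unprivileged process can create a user namespace here.
# This is what Chromium's namespace sandbox needs (clone with CLONE_NEWUSER).
userns_available() {
    # Debian/Ubuntu kernels carry a distro-wide switch; absent on other kernels.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "0" ]; then
        return 1
    fi
    # Upstream limit: a value of 0 disables user namespaces outright.
    if [ -r /proc/sys/user/max_user_namespaces ] &&
       [ "$(cat /proc/sys/user/max_user_namespaces)" = "0" ]; then
        return 1
    fi
    # The sysctls only say "maybe": Docker's default seccomp profile rejects
    # clone/unshare with CLONE_NEWUSER even when the host kernel allows it,
    # so an actual unshare is the only reliable probe.
    command -v unshare >/dev/null 2>&1 || return 1
    unshare -U true 2>/dev/null
}

# Return 0 if CAP_SYS_ADMIN (capability bit 21) is in the bounding set.
# The setuid helper becomes root, but a capability Docker dropped from the
# bounding set cannot be regained, and the helper needs CAP_SYS_ADMIN to
# create its PID and network namespaces.
cap_sys_admin_bounded() {
    bnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null)
    [ -n "$bnd" ] || return 1
    [ "$(( (0x$bnd >> 21) & 1 ))" -eq 1 ]
}

# Return 0 if the helper at $1 is root-owned with the setuid bit (mode 4755),
# i.e. what the "raw builds" instructions quoted in the question set up.
suid_helper_ok() {
    helper="$1"
    [ -f "$helper" ] || return 1
    perms=$(stat -c '%a %U' "$helper" 2>/dev/null) || return 1
    [ "$perms" = "4755 root" ]
}

# Print the sandbox mode Chromium could use here: userns, suid or none.
# 'none' is the state behind the "No usable sandbox!" FATAL in the question.
sandbox_mode() {
    helper="${CHROME_DEVEL_SANDBOX:-/opt/chrome-linux/chrome_sandbox}"
    if userns_available; then
        echo userns
    elif suid_helper_ok "$helper" && cap_sys_admin_bounded; then
        echo suid
    else
        echo none
    fi
}

echo "chromium sandbox mode available here: $(sandbox_mode)"
```

If the script prints none in the container but userns on the host, the kernel is fine and the container's seccomp profile is the blocker. The least-privilege fix is to start the container with a custom profile (docker run --security-opt seccomp=chrome.json …) that is Docker's default profile with the CLONE_NEW* argument restriction on clone removed and unshare allowed; that gives Chromium exactly the user-namespace sandbox it would use on a normal desktop. Adding --cap-add SYS_ADMIN instead makes the setuid helper path work, but it grants the whole container far more than the sandbox needs, and --security-opt no-new-privileges would break that path again.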
