Attempting to run Puppeteer, a Node library to control a headless Chromium (in order to do things like create a PDF of a website), in Docker is a surprisingly fiddly thing.

The problem is that, from my understanding, to run as root, you need the option --no-sandbox, which is rightly decried as being an insecure and bad solution.

The problem is that the go-to alternatives seem to be just as bad:

- Running the container with CAP_ADD=SYS_ADMIN, which I think I needn't comment further, or
- Running as non-root, but to run Puppeteer in a non-root sandbox, you need to enable the kernel option unprivileged_userns_clone, which, once I started researching, I found was said to "open up severe vulnerabilities in the Linux kernel" (link). "Unprivileged user namespaces are extremely dangerous" (link).

I am surprised that doing something as simple and comparatively low level as running a web browser seems to require such wide ranging permissions that apparently open up wide swathes of attack vectors. The kind of warnings I'm reading are what I would expect to read if I were to root a phone or compromise the operating system's security routines.

Am I misunderstanding the situation here, or is running Chromium in a Docker container tantamount to opening up my server to half the internet?

I had the same question and ran into the same scary-sounding answers/comments here on Stack Exchange. After reading the lwn.net article linked in another answer, and reading all the apparently-relevant answers here on Stack Exchange, I think I have made sense of the issue.

The problem seems to be that creating an isolated environment involves cloning a "user namespace." With the default setting of unprivileged_userns_clone=0 you can clone a namespace once; however, once inside the namespace it's not possible to further clone the namespace again.
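An added example for the non-root route the question lists (editor's code, not from the question, the answer, or the Puppeteer project). The part neither post spells out: inside Docker the thing that stops Chromium's namespace sandbox is usually not the host sysctl but Docker's default seccomp profile, which allows clone() only when no CLONE_NEW* flag is set and allows unshare()/setns() only when the container holds CAP_SYS_ADMIN. Chromium needs exactly those calls to put each renderer into its own user/PID/network namespaces, which is why --cap-add=SYS_ADMIN "fixes" it. Allowing those three syscalls in a custom profile (the custom-seccomp-profile route Puppeteer's Docker troubleshooting notes also point at) is a far narrower grant than the whole capability, and Chromium then keeps its sandbox with the container running as a non-root user. The script patches a profile in the shape of Docker's default.json, reports the host-side knobs, and prints the matching docker run line. Assumptions: the embedded profile is a constructed excerpt, not the real file (pass the real one as the first argument); the image name, script name and chrome.json output path are placeholders. Caveat it does not remove: on a Debian/Ubuntu host with kernel.unprivileged_userns_clone=0, an unprivileged process still cannot create user namespaces whatever the seccomp profile says, so check host_userns_status() before blaming the profile.

```python
"""Let Chromium keep its namespace sandbox inside Docker without --no-sandbox
and without --cap-add=SYS_ADMIN.

Docker's default seccomp profile allows clone() only when no CLONE_NEW* flag is
set, and allows unshare()/setns() only if the container holds CAP_SYS_ADMIN.
Chromium's sandbox needs those calls to give each renderer its own user/PID/
network namespaces, which is why SYS_ADMIN "fixes" it. Allowing the three
syscalls is a far narrower grant than the capability."""
import json
import subprocess

# Syscalls the namespace sandbox needs that the default profile gates.
SANDBOX_SYSCALLS = ("clone", "unshare", "setns")

# CLONE_NEWNS|NEWCGROUP|NEWUTS|NEWIPC|NEWUSER|NEWPID|NEWNET: the mask Docker's
# profile uses to reject namespace-creating clone() calls (2114060288).
CLONE_NEW_MASK = 0x7E020000

# Constructed excerpt in the shape of Docker's default.json (the real file is
# far longer); sample input for this script, not the real profile.
SAMPLE_DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": CLONE_NEW_MASK, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38},
        {"names": ["clone", "mount", "setns", "umount2", "unshare"],
         "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def is_unconditional_allow(rule):
    return (rule["action"] == "SCMP_ACT_ALLOW" and not rule.get("args")
            and not rule.get("includes") and not rule.get("excludes"))


def allow_namespace_sandbox(profile):
    """Patched copy of a Docker seccomp profile in which clone, unshare and
    setns are allowed unconditionally. Every other rule survives, so the rest
    of the default policy (e.g. the CAP_SYS_ADMIN gate on mount) stays."""
    patched = json.loads(json.dumps(profile))  # deep copy; input is untouched
    kept = []
    for rule in patched["syscalls"]:
        remaining = [n for n in rule["names"] if n not in SANDBOX_SYSCALLS]
        if remaining != rule["names"]:
            if not remaining:  # rule only covered sandbox syscalls: drop it
                continue
            rule = dict(rule, names=remaining)
        kept.append(rule)
    kept.append({"names": list(SANDBOX_SYSCALLS), "action": "SCMP_ACT_ALLOW"})
    patched["syscalls"] = kept
    return patched


def sandbox_syscalls_allowed(profile):
    """True iff every sandbox syscall is covered by an unconditional allow."""
    allowed = set()
    for rule in profile["syscalls"]:
        if is_unconditional_allow(rule):
            allowed.update(rule["names"])
    return set(SANDBOX_SYSCALLS) <= allowed


def docker_run_argv(image, profile_path, *cmd):
    """docker run line for the hardened setup. Note what is absent: --privileged,
    --cap-add=SYS_ADMIN, and any --no-sandbox for Chromium. The image must also
    drop to a non-root user (USER in the Dockerfile): a sandboxed renderer
    running as root is still root."""
    return ["docker", "run", "--rm", "--security-opt", "seccomp=" + profile_path,
            image, *cmd]


def host_userns_status():
    """What this kernel lets an unprivileged process do with user namespaces.
    None = knob or tool absent (kernel.unprivileged_userns_clone exists only on
    Debian/Ubuntu kernels). Run it inside the container too: under the default
    profile unshare(CLONE_NEWUSER) fails with EPERM."""
    def read_int(path):
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            return None
    status = {
        "unprivileged_userns_clone": read_int("/proc/sys/kernel/unprivileged_userns_clone"),
        "max_user_namespaces": read_int("/proc/sys/user/max_user_namespaces"),
    }
    try:
        res = subprocess.run(["unshare", "-U", "true"], capture_output=True, timeout=5)
        status["can_unshare_userns"] = res.returncode == 0
    except (OSError, subprocess.SubprocessError):
        status["can_unshare_userns"] = None
    return status


if __name__ == "__main__":
    import sys  # usage: python chrome_seccomp.py [/path/to/docker/default.json]
    src = SAMPLE_DEFAULT_PROFILE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            src = json.load(fh)
    with open("chrome.json", "w") as out:
        json.dump(allow_namespace_sandbox(src), out, indent=2)
    print("host:", host_userns_status())
    print(" ".join(docker_run_argv("my-puppeteer-image", "chrome.json", "node", "render.js")))
```

Pair this with an image that creates an unprivileged user and switches to it with USER, and launch Puppeteer with its default arguments (no --no-sandbox, no --disable-setuid-sandbox). The generated chrome.json is the only deviation from Docker's default policy, so it is easy to review: three syscall names and nothing else.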