-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chrome - Failed to move to new namespace. #65
Comments
The arguments to run in my dotfiles work for me On Wednesday, September 23, 2015, xcellardoor notifications@github.com
Jessie Frazelle |
You should not be using --no-sandbox On Wednesday, September 23, 2015, xcellardoor notifications@github.com
Jessie Frazelle |
Nope sorry still not working. I did a 'make' on your dotfiles and that all seems to have installed okay. Tried re-launching your Chrome and it failed with the same PID issue. Here is the end of installing the dotfiles and then starting the your chrome.
|
hmmm gotta be something weird w your setup :/ On Wed, Sep 23, 2015 at 11:15 AM, xcellardoor notifications@github.com
Jessie Frazelle |
It's a relatively standard Arch Linux machine, nothing particularly weird about it unfortunately :( You're not running as a special user are you? Online I've read it's possible to use --no-sandbox to remove the PID error but of course you're forgoing basically everything useful about sandboxing when you do that :| It then says I'm trying to run it as Root too, if using sandboxing. Are you invoking any commands to have it run as a regular user? Is your Docker daemon itself configured differently to stock perhaps? Thanks. |
i use everything in my dotfiles its a standard docker run On Wed, Sep 23, 2015 at 11:26 AM, xcellardoor notifications@github.com
Jessie Frazelle |
I tried this here for Chrome and it's working (with --no-sandbox, which is evil I know). The extra steps he does is to put a user in the container and then run as that user, it's got to be something to do with that. Just FYI really in case it's ever useful. http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/ |
Can confirm that UID and GID is necessary. Also /dev/dri mapping is also essential otherwise you will have Chrome crashing every couple of tabs. |
Would you mind sharing how you passed the UID and GID through? What's the exact command you're using to startup this container? Thanks. |
Yeah, I don't mind at all. I actually forked someone's else project and introduce a bunch of fix and features I thought he was missing. You can find the project here: Let me know if you encounter any issues, actually just open one up. Also the readme should be pretty self explanatory. I have not updated the README to point to my docker repo yet, but in case your wondering my username is hurricane on the hub. Feel free to fork though and make pull request. |
@hurricanehrndz Sorry to abuse Jess' thread, but I can't figure out how to raise an issue with docker-browser-box on your page. Have you turned anything off? Getting some errors now. Could you let me know how to message/raise an issue so I can help resolve the problem. Thanks. |
@xcellardoor issues are now open. My apologies go @jfrazelle and many thanks because without your hard work none of this would be possible! |
I'm getting this error on arch linux too. I tried to strace it and here's my understanding of the problem: It thinks that it's able to create network namespaces and PID namespaces, but it fails when it tries to fork with
I'll try to reproduce the error by writing a small C program that does just the clone part. |
its gotta be distro specific, i use this image everyday :/ even right now |
The question is what does Arch do that Debian (which Jess uses) doesn't. I know Debian tends to value stability and older versions of packages... perhaps there is a complication with a package which cutting-edge Arch uses which Debian etc may soon hit too. I look forward to seeing what @vikstrous finds but if I can test anything for anyone, please ask and I'll be happy to. |
After reading the man page for
|
All of this seems very wrong I do not add that cap what user are you On Monday, October 5, 2015, Viktor Stanchev notifications@github.com
Jessie Frazelle |
Mine creates the chrome sandbox just fine I just straced it On Monday, October 5, 2015, Jessica Frazelle me@jessfraz.com wrote:
Jessie Frazelle |
I don't have either one. Arch doesn't have them by default. |
Here's the c file to test with: https://gist.github.com/vikstrous/151b4c74fc0ab4c10d85 Does this work on your system without |
Thank you very much @vikstrous for writing the test. Here are the results: cellardoor at glow in [~/Temp] cellardoor at glow in [~/Temp] cellardoor at glow in [~/Temp] There is a problem with my user being unable to clone the process, but running with sudo as a whim to bypass whatever protection is in place worked. |
Running 'unshare' will also clone just fyi On Tuesday, October 6, 2015, xcellardoor notifications@github.com wrote:
Jessie Frazelle |
this is the exact command i run, and i am posting this comment from the chrome in a container :p
@vikstrous are u in the office tommorrow we can debug at lunch or something because it seems weird to me |
also what kernel are you on? |
and what docker version? |
Yes, --net host is off. This was on my personal laptop and I don't have it here, but I think the kernel is around 4.2.2 and the docker version is 1.8.2. On October 6, 2015 10:40:57 AM PDT, Jess Frazelle notifications@github.com wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
I tried Ubuntu in a VM. Here's what I found:
Chrome under ubuntu does a test for them from what I can see:
On arch this test fails:
Then on Ubuntu chrome does:
And on arch it tries:
Now I know why this behaviour happens. The next question is if there is anything we can do about it. I see two options that are currently possible for Arch users:
I see a few long term options:
|
Should chrome be allowed to even do clone with Edit, I think this is indeed normal. This article cleared things up for me: http://lwn.net/Articles/528078/ |
Yeah all that makes sense and you definitely need CLONE_NEWUSER lol I So mine is using chromiums new namespace sandbox and yours is using the old setuid sandbox which is not as great :p On Wednesday, October 7, 2015, Viktor Stanchev notifications@github.com
Jessie Frazelle |
Guessing you guys are on a roll in pinpointing the problem :) @jfrazelle Tested your command this morning, turned off the -d flag so I could see what is put out on the CLI. Same problem as before so it definitely looks to be a sandboxing/namespaces issue on Arch. I could take a look into popping a custom kernel on here, it takes a few minutes so I don't mind. Can either of you recommend any community built kernels that you know wouldn't implement these protections? I'm taking a look at Zen Kernel at the moment, for which Arch has a repo package. So far my Google-fu hasn't got a definitive answer. To make sure I understand, I'm after user-namespaces ON, but a greater priority is sandboxing OFF? If it helps, my versions are:
|
@jessfraz , fixed where? If you mean fixed in chrome (to not use forbidden features) I would agree. But the other fixes I read over the internet all involve reducing container security to unknown state. If container runtime has put restrictions over what you can do from inside the container, chances are the big and experienced security team of said container runtime knew why these restrictions are set better than you. By randomly removing restrictions, this is asking for trouble. Containers provide a false sense of security, but without the proper restrictions, you can easily break out of them. I would say that removing container restrictions and compiling custom kernels is 99% more likely to be a bad idea than running chrome without sandboxing. Would make sense only in certain use cases. Especially for the average no-clue-about-security developer. Additional evidence is OpenSSH and privilege separation. It is mandatory in latest version but they patched it such that it skips protections that are not possible in a restricted container environment. Too bad Chrome is not at that yet. Somebody should file a bug I guess. Or if you know how to make Chrome run with sandboxing and without compromising security of my OpenShift cluster, let me know. |
You know I literally wrote a lot of those "container runtime" defaults you speak of. |
I didn't want to question your competency to decide what level of protection is ok for your own use cases. I'm just saying that the advice I see above is wrong for the average (and even above average) users without clear explanation of the pros and cons in different use cases. Or maybe I'm thinking about production use cases where security is more important, e.g. compared to just run some test stuff without messing up my machine with experimental libs and software. I'm leaving it here though. I can't argue against no arguments. Everybody should check what guarantees the underlying container runtime is providing and make sure breaking those is acceptable for him/her. |
I literally said don't disable sandboxing. That was my advice. If it
doesn't work with SELinux for some reason that seems like something that
should be fixed so you don't disable sandboxing.
You know this is my repo and if you continue down this path of thinking you
know more about container security or that I am wrong about things I built,
I will block you.
…On Nov 16, 2017 13:51, "Aleksandar Kostadinov" ***@***.***> wrote:
I didn't want to question your competency to decide what level of
protection is ok for *your own use cases*. I'm just saying that the
advice I see above is wrong for the average (and even above average) users
without clear explanation of the pros and cons in different use cases.
Or maybe I'm thinking about production use cases where security is more
important, e.g. compared to just run some test stuff without messing up my
machine with experimental libs and software.
I'm leaving it here though. I can't argue against no arguments. Everybody
should check what guarantees the underlying container runtime is providing
and make sure breaking those is acceptable for him/her.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#65 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABYNbJFVvmg91JnrzTPgDbR3aDdX_Yjaks5s3IRBgaJpZM4GCdXL>
.
|
Nice thread! FWIW, I was able to get Chrome running on a CentOS image with a couple of minor changes to the default.json file (adding "clone" and "unshare"). |
@vikstrous Apologies for resurrecting an old thread, but I'm wondering about your comment re:
This is understood. However, my use-case is very narrow (headless SVG to PNG conversion), and I can't use @jessfraz's |
Headless usage and disabling chrome sandboxing@ebr if the x11 server that chrome is connecting to is containerized along with chrome, I can see how --no-sandbox might be a good solution. (If chrome doesn't need x11 in that mode, even better.) When I said it's a bad idea to run it with --no-sandbox I was specifically referring to the case where you are using it as a browser to handle untrusted input and giving it access to your x11 user session. In your case the input is probably untrusted, but you don't have the same level of exposure because there's no x11 user session. If you can keep the x11 server chrome is using containerized in the same container or a sidecar container, you can isolate the potential damage. You would be relying on docker's containerization instead of chrome's in this case and all the usual docker hardening approaches can be used. TLDR: IMO it's not an issue because you'd still have docker's sandboxing. Just don't give it access to your user's x11 session. |
Thanks so much I tried a lot of things but this was the only thing that worked! |
@vikstrous I'm trying to wrap my ahead around if I should set the " If Google Chrome is run with that I'm missing a few bits to answer this question. I'm hoping you'll have them. |
Great thread, thanks to everyone that has contributed here! I've now got chrome running in a container, using Jess's
|
seccomp=$HOME/chrome.json made it all work when creating chrome application for my container desktop environment https://github.com/rayvtoll/vcde |
Hi @jessfraz. Thanks for maintaining this knowledge base. I have a question for you and possibly @vikstrous. Would you consider |
Puppeteer uses a headless chromium which has some dependencies we can be provided by installing chrome, so do that. The default seccomp policy prevents chrome sandbox for working. There are numerous suggested ways to fix that, but I was having problems making it work consistently, so I'll start with "unconfined" and try to figure it out a stricter policy in a future commit. See also: * https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#setting-up-chrome-linux-sandbox * jessfraz/dockerfiles#65 (comment) * https://github.com/moby/moby/blob/master/profiles/seccomp/default.json * https://docs.docker.com/engine/security/seccomp/ * https://kubernetes.io/docs/tutorials/security/seccomp/
Puppeteer uses a headless chromium which has some dependencies we can be provided by installing chrome, so do that. The default seccomp policy prevents chrome sandbox for working. There are numerous suggested ways to fix that, but I was having problems making it work consistently, so I'll start with "unconfined" and try to figure it out a stricter policy in a future commit. See also: * https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#setting-up-chrome-linux-sandbox * jessfraz/dockerfiles#65 (comment) * https://github.com/moby/moby/blob/master/profiles/seccomp/default.json * https://docs.docker.com/engine/security/seccomp/ * https://kubernetes.io/docs/tutorials/security/seccomp/
I keep getting this error when trying to run the Chrome image. If I run with the --no-sandbox argument for Chrome, it then complains about running as the root user and dies immediately. What's the solution?
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
The text was updated successfully, but these errors were encountered: