browservice on docker

[walkero-gr]

Hello there. I am building a docker image for the browservice, which you can find at https://github.com/walkero-gr/browserviceondocker
My goal is to have it on docker container running, and I will try to make it available for different platforms as well.

Although for AMD CPUs it seems it is compiled just fine, with UBUNTU 20.04, when I try to run it I have a few issues.

When I try to run it as root I get the following error:

INFO @ src/main.cpp:126 -- Loading vice plugin retrojsvice.so
INFO @ src/main.cpp:133 -- Initializing vice plugin retrojsvice.so
INFO @ retrojsvice.so src/context.cpp:251 -- Creating retrojsvice plugin context
INFO @ src/xvfb.cpp:62 -- Starting Xvfb X server as child process
INFO @ src/xvfb.cpp:133 -- Xvfb X server :0 successfully started
[0329/120737.874336:ERROR:zygote_host_impl_linux.cc(90)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.

Then I created a new user and group, and tried to run it without changing any permissions at the files. I had the following error when I tried to run it:

INFO @ src/main.cpp:126 -- Loading vice plugin retrojsvice.so
INFO @ src/main.cpp:133 -- Initializing vice plugin retrojsvice.so
INFO @ retrojsvice.so src/context.cpp:251 -- Creating retrojsvice plugin context
INFO @ src/xvfb.cpp:62 -- Starting Xvfb X server as child process
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
INFO @ src/xvfb.cpp:133 -- Xvfb X server :0 successfully started
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap
browsrv@f46494985048:/release/bin$ [0100/000000.985813:ERROR:zygote_linux.cc(646)] write: Broken pipe (32)

The final test I did was to chown for all the files under release folder to the new user, except the chrome-sandbox. When I tried to run it I got the following error:

INFO @ src/main.cpp:126 -- Loading vice plugin retrojsvice.so
INFO @ src/main.cpp:133 -- Initializing vice plugin retrojsvice.so
INFO @ retrojsvice.so src/context.cpp:251 -- Creating retrojsvice plugin context
INFO @ src/xvfb.cpp:62 -- Starting Xvfb X server as child process
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
INFO @ src/xvfb.cpp:133 -- Xvfb X server :0 successfully started
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap
browsrv@bc181960aae0:/release/bin$ [0100/000000.412735:ERROR:zygote_linux.cc(646)] write: Broken pipe (32)

I always run the browservice like below
/release/bin/browservice --vice-opt-http-listen-addr=0.0.0.0:8080
As you can see I moved the release folder at the root, after the compiling, and at my repo you can see all the steps I am doing, at the Dockerfile.

After I run it, with ps -fax I see the following:

  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash
   10 pts/0    Sl     0:00 Xvfb -displayfd 4 -auth /tmp/browservicetmp_NOi86I/.Xauthority -screen 0 640x480x24
   37 pts/0    R+     0:00 ps -fax

I wonder if you can help me figure out what the problem is and fix it.

[ttalvitie]

The line that would seem to best describe the problem is the following line in the output of each (non-root) run:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

This would seem to imply that some Linux capability needed by the Chromium sandbox is not available in the Docker sandbox. I also initially tried to create a Docker container for Browservice, but gave up because of this error. You might get around this by changing the Docker configuration; for example, running the container in privileged mode might work, but it of course reduces the security isolation provided by Docker. You could also run Chromium without sandboxing by passing the argument --chromium-args=no-sandbox to Browservice, but it is HIGHLY INSECURE and thus NOT RECOMMENDED for typical web usage.

[walkero-gr]

@ttalvitie Thank you so much for your reply. I would do some more investigation on the error, and will try to fix it. In case I find something, I will inform you.

Thanks again.

[Korkman]

@ttalvitie From what I see, the people at the Selenium project run Chrome with --no-sandbox as well. I would guess the namespace mechanisms used for the sandbox are more or less the basic primitives Docker containers are made of, therefore the denied permission. So either have Chrome run without a sandbox per tab, making Docker the sandbox, or run Docker with --privileged and have Chrome create a sandbox per tab, the way it is intended to run.

I would go for the latter, because Chrome likely creates stronger isolating sandboxes than Docker. Better to have strong isolation for websites than weak isolation for the whole browser.

So go for --privileged, place a corresponding docker-compose.yml along with it :-)

[vivlim]

I ended up using --privileged and that works for me. Sample with docker-compose here: https://github.com/vivlim/browservice-docker