google-chrome无法移至新名称空间 [英] google-chrome Failed to move to new namespace
问题描述
我试图以非root用户身份在docker容器中运行google-chrome --headless,以执行一些测试. 我每次尝试启动它时,都会引发以下错误:
Im trying to run google-chrome --headless inside a docker container as a non-root user to execute some tests. Everytime Im trying to start it, it throws following error:
google-chrome --headless
无法移动到新的命名空间:支持PID命名空间,支持网络命名空间,但失败:errno =不允许操作 无法生成小型转储.非法指令
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted Failed to generate minidump.Illegal instruction
它是在k8s集群中运行的docker容器. 操作系统是Ubuntu 16.04.
Its a docker container running in k8s cluster. Operating system is Ubuntu 16.04.
启用了名称空间,用户是非root用户
Namespaces are enabled, user is non-root
我不想使用--no-sandbox选项,因为这是一个安全问题.
I do not want to use --no-sandbox option as this is a security issue.
我无法使用docker run --security-opt = syscomp:unconfined作为通过头盔进行部署的方式.
I cannot use docker run --security-opt=syscomp:unconfined as its being deployed using helm.
是否缺少我需要在容器本身内设置chrome的系统权限?
Is there a system permission missing that I need to setup for chrome within the container itself?
推荐答案
在广泛研究互联网之后,我认为我找到了答案:
After researching extensively internet I think I found the answer:
沙箱 出于安全原因,在基于容器的环境中运行时,Chrome浏览器无法提供沙箱功能. 要在基于容器的环境中使用Chrome,请将--no-sandbox标志传递给Chrome可执行文件
Sandboxing For security reasons, Google Chrome is unable to provide sandboxing when it is running in the container-based environment. To use Chrome in the container-based environment, pass the --no-sandbox flag to the chrome executable
对于我来说,似乎没有比--no-sandbox更好的解决方案了,尽管它不是很安全,但互联网上有人声称使用"--no-sandbox"仍然是安全的因为它在容器内运行,因此无论如何都得到了额外的保护.
So it looks like there is no better solution than --no-sandbox for me, even though its not being very secure, there are people on the internet claiming that it is still safe to use "--no-sandbox" as its running within container which is extra protected any way.
这篇关于google-chrome无法移至新名称空间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!