google-chrome Failed to move to new namespace

novak100 picture novak100 · Nov 28, 2019 · Viewed 7.2k times · Source

Im trying to run google-chrome --headless inside a docker container as a non-root user to execute some tests. Everytime Im trying to start it, it throws following error:

google-chrome --headless

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted Failed to generate minidump.Illegal instruction

Its a docker container running in k8s cluster. Operating system is Ubuntu 16.04.

Namespaces are enabled, user is non-root

I do not want to use --no-sandbox option as this is a security issue.

I cannot use docker run --security-opt=syscomp:unconfined as its being deployed using helm.

Is there a system permission missing that I need to setup for chrome within the container itself?

Answer

novak100 picture novak100 · Dec 3, 2019

After researching extensively internet I think I found the answer:

Sandboxing  For security reasons, Google Chrome is unable to provide sandboxing when it is running in the container-based environment. To use Chrome in the container-based environment, pass the --no-sandbox flag to the chrome executable

So it looks like there is no better solution than --no-sandbox for me, even though its not being very secure, there are people on the internet claiming that it is still safe to use "--no-sandbox" as its running within container which is extra protected any way.