There's something seriously wrong somewhere in this chain:

Chrome wants to sandbox its renderer processes so they can't write to the file system. To do this, it uses a tool, chrome_sandbox, that requires elevated privileges. (Used to be setuid root, now uses namespaces.)

Which means that I can't run Chrome inside a container, because it needs to be able to make new namespaces, and that's a privileged operation.

And I'm not the sysadmin. I only have (pseudo-)root inside the container.


In short, Chrome runs as root on Linux.

Chrome thinks unprivileged user namespaces are a good way to sandbox their processes.

Debian thinks they're a serious security risk and disables them by default.

Docker relies on them, but doesn't allow them to be used recursively.

So when you try to run Chrome in a Debian Docker instance, it doesn't work.

(For the record: this is all correct, but was a mirage in front of my real problem. My actual problem was that Chrome was hanging while trying to use the GPU, because the GPU isn't virtualized. All the sandbox problems were caused when I tried to see what was happening.)

--no-sandbox and --disable-gpu, if you need them.
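As an added example (not the thread author's code), here is a POSIX shell script that makes the decision the thread arrives at by hand: it tests from inside the container whether an unprivileged user namespace can actually be created (by trying `unshare --user`, which also catches Docker's default seccomp profile blocking the call, not just Debian's sysctl), checks whether a GPU device is visible, and only then adds `--no-sandbox` and `--disable-gpu`. The `/dev/dri` check as a GPU heuristic and the `CHROME` variable are assumptions of this example; `kernel.unprivileged_userns_clone` is the Debian-specific sysctl behind the "disabled by default" behaviour mentioned above.

```shell
#!/bin/sh
# Added example: choose Chrome flags for a container where unprivileged user
# namespaces may be unavailable and the GPU is not passed through.

# Returns 0 if this process can create an unprivileged user namespace.
# Trying the operation is more reliable than reading a sysctl: Docker's default
# seccomp profile blocks namespace-creating syscalls even on a kernel that
# permits them.
userns_available() {
    unshare --user true 2>/dev/null
}

# Debian kernels carry an extra sysctl, kernel.unprivileged_userns_clone
# (0 = disabled). Reported for diagnostics only; other kernels lack the file.
userns_sysctl() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        cat /proc/sys/kernel/unprivileged_userns_clone
    else
        echo unknown
    fi
}

# Heuristic (assumption of this example): a GPU is usable only if a DRM device
# node is visible in the container, e.g. via `docker run --device /dev/dri`.
gpu_available() {
    [ -e /dev/dri ]
}

# Pure decision: given yes/no for user namespaces and yes/no for a usable GPU,
# print the extra Chrome flags. Returns 2 on malformed input.
chrome_flags() {
    userns=$1
    gpu=$2
    flags=""
    case $userns in
        yes) ;;                          # chrome_sandbox can create namespaces: keep the sandbox
        no)  flags="--no-sandbox" ;;     # last resort: renderers run without a sandbox
        *)   echo "chrome_flags: userns must be yes or no, got '$userns'" >&2; return 2 ;;
    esac
    case $gpu in
        yes) ;;
        no)  flags="${flags:+$flags }--disable-gpu" ;;   # avoid the hang on a non-virtualized GPU
        *)   echo "chrome_flags: gpu must be yes or no, got '$gpu'" >&2; return 2 ;;
    esac
    printf '%s\n' "$flags"
}

# Probe the environment, report what was found, and exec Chrome with the result.
launch_chrome() {
    if userns_available; then u=yes; else u=no; fi
    if gpu_available; then g=yes; else g=no; fi
    flags=$(chrome_flags "$u" "$g") || return
    echo "userns=$u (unprivileged_userns_clone=$(userns_sysctl)) gpu=$g flags='$flags'" >&2
    if [ "$u" = no ]; then
        echo "warning: running with --no-sandbox; do not browse untrusted content this way" >&2
    fi
    # shellcheck disable=SC2086  # flags are deliberately word-split
    exec "${CHROME:-google-chrome}" $flags "$@"
}

# Only launch when invoked as `./script.sh --launch [chrome args...]`, so the
# functions above can also be sourced and used separately.
if [ "${1:-}" = "--launch" ]; then
    shift
    launch_chrome "$@"
fi
```

Run it as `CHROME=chromium ./script.sh --launch https://example.org` inside the container; the stderr line shows which of the two problems (namespaces or GPU) actually applies, which is the distinction the thread's author had to discover by hand.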
