Add support for running Chrome in Docker #20149
Conversation
The Chrome sandbox requires access to the clone and unshre syscalls in order to create new user namespaces. These are denied by the default docker configuration. Add a seccomp.json file that differs from the default only in that these extra calls are added to the permitted list and removed from the blocklist. Also make the `wpt docker-run` command use this configuration.
|
Well it's better than running with |
There was a problem hiding this comment.
LGTM % a question
I think it's a good idea to take this PR.
My fix (bc83451) only adds --no-sandbox on Taskcluster (when TASKCLUSTER_ROOT_URL is present). If anyone tries to run wpt inside Docker locally, they'd still run into the sandbox issue. This PR should solve that use case (although it does create a discrepancy between the two Docker environments).
Once Taskcluster allows us to customize seccomp profiles, we can switch to this approach on Taskcluster as well.
| @@ -216,6 +216,8 @@ def start_xvfb(): | |||
| def get_extra_jobs(event): | |||
| body = None | |||
| jobs = set() | |||
| if not event: | |||
| return jobs | |||
There was a problem hiding this comment.
IIUC, you're trying to make run_tc.py work locally, without the various env vars?
I'm not sure if that's a good idea. Isn't tools/docker supposed to be the entrypoint for that use case?
There was a problem hiding this comment.
Well I found it pretty useful for it to run locally when testing this and various other things. It's pretty convenient to be able to run a single command and have all the chrome install and Xvfb stuff taken care of.
No description provided.