Add support for running Chrome in Docker #20149
The Chrome sandbox requires access to the clone and unshare syscalls in order to create new user namespaces. These are denied by the default Docker configuration. Add a seccomp.json file that differs from the default only in that these extra calls are added to the permitted list and removed from the blocklist. Also make the `wpt docker-run` command use this configuration.
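The description above says the custom seccomp.json should differ from Docker's default only in permitting `clone` and `unshare`. The script below is an added example, not code from the web-platform-tests repository: it applies exactly that transformation to a profile and then diffs the set of unconditionally allowed syscalls, which is the check a reviewer would want before accepting such a profile. The `BASE_PROFILE` is a constructed, heavily trimmed stand-in that mirrors the JSON shape of Docker's default profile (`defaultAction` of `SCMP_ACT_ERRNO`, an argument-masked `clone` rule, `unshare` gated on `CAP_SYS_ADMIN`); in practice the real default profile shipped with Docker would be the input.

```python
"""Produce a Docker seccomp profile that additionally permits clone and
unshare (needed by Chrome's sandbox to create user namespaces) and verify
that it widens the base profile by exactly those two syscalls.

Added example; not code from the web-platform-tests project. BASE_PROFILE
is a constructed, trimmed stand-in with the same JSON shape as Docker's
default seccomp.json, not the real file.
"""
import copy
import json

# Constructed mini profile: everything not listed is rejected (SCMP_ACT_ERRNO);
# clone is allowed only with the namespace-creation flag bits masked out;
# unshare and mount are allowed only when the container holds CAP_SYS_ADMIN.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "valueTwoTo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["unshare", "mount"], "action": "SCMP_ACT_ALLOW",
         "args": [], "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

NAMESPACE_SYSCALLS = ("clone", "unshare")


def unconditionally_allowed(profile):
    """Syscall names allowed with no argument filter and no capability
    precondition, i.e. reachable by any process inside the container."""
    allowed = set()
    for rule in profile["syscalls"]:
        if rule["action"] != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes"):
            continue  # conditional rule: not an unconditional allow
        allowed.update(rule["names"])
    return allowed


def permit_user_namespaces(base):
    """Return a copy of `base` in which clone and unshare are allowed
    unconditionally; any conditional rule that restricted them is dropped
    (or has those names removed if it also covered other syscalls)."""
    profile = copy.deepcopy(base)
    kept = []
    for rule in profile["syscalls"]:
        remaining = [n for n in rule["names"] if n not in NAMESPACE_SYSCALLS]
        if remaining:
            rule["names"] = remaining
            kept.append(rule)
    kept.append({"names": list(NAMESPACE_SYSCALLS), "action": "SCMP_ACT_ALLOW",
                 "args": [], "comment": "Chrome sandbox needs user namespaces"})
    profile["syscalls"] = kept
    return profile


def widened_syscalls(base, custom):
    """Syscalls the custom profile allows unconditionally that the base did
    not: the reviewer's check that the profile widens only where intended."""
    return unconditionally_allowed(custom) - unconditionally_allowed(base)


if __name__ == "__main__":
    custom = permit_user_namespaces(BASE_PROFILE)
    print(json.dumps(custom, indent=2))
    print("newly permitted:", sorted(widened_syscalls(BASE_PROFILE, custom)))
```

Running `widened_syscalls` against the real default profile is the one-line answer to the "very little being contained" concern raised in review: it lists precisely which syscalls became reachable without any argument or capability condition, so the set can be confirmed to be only `clone` and `unshare` rather than anything else that slipped in while editing a large JSON file.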
This does essentially mean there's very little being contained in the container, right? But, uh, sure?
Well it's better than running with
LGTM % a question
I think it's a good idea to take this PR.
My fix (bc83451) only adds --no-sandbox on Taskcluster (when TASKCLUSTER_ROOT_URL is present). If anyone tries to run wpt inside Docker locally, they'd still run into the sandbox issue. This PR should solve that use case (although it does create a discrepancy between the two Docker environments).
Once Taskcluster allows us to customize seccomp profiles, we can switch to this approach on Taskcluster as well.
@@ -216,6 +216,8 @@ def start_xvfb(): | |||
def get_extra_jobs(event): | |||
body = None | |||
jobs = set() | |||
if not event: | |||
return jobs |
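Review bot: the `if not event:` / `return jobs` guard that closes this hunk makes `get_extra_jobs` silently return an empty set whenever no event payload is supplied; add a one-line comment stating that `event` is absent when run_tc.py is invoked outside Taskcluster (a local Docker run) and that no extra jobs are selected in that case, so the local-run intent is explicit to the next reader. If an empty payload should be treated differently from a missing one, `if event is None:` states that more precisely than a falsiness check.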
IIUC, you're trying to make run_tc.py work locally, without the various env vars? I'm not sure if that's a good idea. Isn't tools/docker supposed to be the entrypoint for that use case?
Well, I found it pretty useful for it to run locally when testing this and various other things. It's pretty convenient to be able to run a single command and have all the Chrome install and Xvfb stuff taken care of.