docs: update documentation on Chromium sandbox (#3077)
This patch:
- updates docker seccomp profile to use a slightly modified default docker
profile
- removes SUID sandbox documentation since it doesn't seem to work
References #2745
[`seccomp_profile.json`](seccomp_profile.json) is needed to run Chromium with sandbox. This is
38
+
a [default Docker seccomp profile](https://github.com/docker/engine/blob/d0d99b04cf6e00ed3fc27e81fc3d94e7eda70af3/profiles/seccomp/default.json) with extra user namespace cloning permissions:
39
+
40
+
```json
41
+
[
42
+
{
43
+
"comment": "Allow create user namespaces",
44
+
"names": [
45
+
"clone",
46
+
"setns",
47
+
"unshare"
48
+
],
49
+
"action": "SCMP_ACT_ALLOW",
50
+
"args": [],
51
+
"includes": {},
52
+
"excludes": {}
53
+
}
54
+
]
55
+
```
38
56
39
-
* The seccomp profile is required to run Chrome without sandbox. Thanks to [Jessie Frazelle](https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json).
40
-
* Using `--ipc=host` is also recommended when using Chrome ([Docker docs](https://docs.docker.com/engine/reference/run/#ipc-settings---ipc)). Chrome can run out of memory without this flag.
57
+
> **NOTE**: Using `--ipc=host` is recommended when using Chrome ([Docker docs](https://docs.docker.com/engine/reference/run/#ipc-settings---ipc)). Chrome can run out of memory without this flag.
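Review bot: The added rule lists `clone`, `setns` and `unshare` with `"args": []`, so it allows these calls with any flags, not only the user namespace creation that the `"comment"` field describes. The README text should state that this is a wider allowance than the linked default profile and why Chromium's sandbox needs it, or the rule should be narrowed with an argument filter on the namespace flag. The fragment is also shown as a bare JSON array; a sentence saying where in `seccomp_profile.json` the entry sits would let readers reproduce the profile from a newer default instead of relying on the pinned copy.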