From 7e3eee71253e570a1e1bb9b302003efeeac9b0da Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Mon, 6 Mar 2017 01:30:51 +0000 Subject: [PATCH] Bring Chromium container in line with Chrome (#240) * No need for testing repo on Stretch * Run as unprivileged user * Bring documentation in line with Chrome container * Tweak Chrome docs (-O defines output file, -o is for logging) * Point to seccomp profile where the wget command suggests we download it * Fix CI build failure on Chromium --- chrome/beta/Dockerfile | 4 +- chrome/stable/Dockerfile | 4 +- chromium/Dockerfile | 79 +++++++++++++++++++++------------------- 3 files changed, 45 insertions(+), 42 deletions(-) diff --git a/chrome/beta/Dockerfile b/chrome/beta/Dockerfile index 67e79ac..6b4e8a0 100644 --- a/chrome/beta/Dockerfile +++ b/chrome/beta/Dockerfile @@ -8,14 +8,14 @@ # -e DISPLAY=unix$DISPLAY \ # -v $HOME/Downloads:/home/chrome/Downloads \ # -v $HOME/.config/google-chrome/:/data \ # if you want to save state -# --security-opt seccomp=/etc/docker/seccomp/chrome.json +# --security-opt seccomp=$HOME/chrome.json \ # --device /dev/snd \ # so we have sound # -v /dev/shm:/dev/shm \ # --name chrome \ # jess/chrome:beta # # You will want the custom seccomp profile: -# wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -o ~/chrome.json +# wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -O ~/chrome.json # Base docker image FROM debian:sid diff --git a/chrome/stable/Dockerfile b/chrome/stable/Dockerfile index f329d7b..4ec323c 100644 --- a/chrome/stable/Dockerfile +++ b/chrome/stable/Dockerfile @@ -8,14 +8,14 @@ # -e DISPLAY=unix$DISPLAY \ # -v $HOME/Downloads:/home/chrome/Downloads \ # -v $HOME/.config/google-chrome/:/data \ # if you want to save state -# --security-opt seccomp=/etc/docker/seccomp/chrome.json +# --security-opt seccomp=$HOME/chrome.json \ # --device /dev/snd \ # so we have sound # -v /dev/shm:/dev/shm \ # --name chrome \ # jess/chrome # # You will want the custom seccomp profile: -# wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -o ~/chrome.json +# wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -O ~/chrome.json # Base docker image FROM debian:sid diff --git a/chromium/Dockerfile b/chromium/Dockerfile index ec48d43..239d514 100644 --- a/chromium/Dockerfile +++ b/chromium/Dockerfile @@ -1,23 +1,21 @@ -# DESCRIPTION: Create chromium container with its dependencies -# AUTHOR: Jessie Frazelle -# COMMENTS: -# This file describes how to build a Chromium container with all -# dependencies installed. It uses native X11 unix socket. -# Tested on Debian Jessie -# USAGE: -# # Download Chromium Dockerfile -# wget https://raw.githubusercontent.com/jessfraz/dockerfiles/master/chromium/Dockerfile +# Run Chromium in a container # -# # Build chromium image -# docker build -t chromium . +# docker run -it \ +# --net host \ # may as well YOLO +# --cpuset-cpus 0 \ # control the cpu +# --memory 512mb \ # max memory it can use +# -v /tmp/.X11-unix:/tmp/.X11-unix \ # mount the X11 socket +# -e DISPLAY=unix$DISPLAY \ +# -v $HOME/Downloads:/home/chromium/Downloads \ +# -v $HOME/.config/chromium/:/data \ # if you want to save state +# --security-opt seccomp=$HOME/chrome.json \ +# --device /dev/snd \ # so we have sound +# -v /dev/shm:/dev/shm \ +# --name chromium \ +# jess/chromium # -# # Run stateful data-on-host chromium. For ephemeral, remove -v /data/chromium:/data -# docker run -v /data/chromium:/data -v /tmp/.X11-unix:/tmp/.X11-unix \ -# -e DISPLAY=unix$DISPLAY chromium - -# # To run stateful dockerized data containers -# docker run --volumes-from chromium-data -v /tmp/.X11-unix:/tmp/.X11-unix \ -# -e DISPLAY=unix$DISPLAY chromium +# You will want the custom seccomp profile: +# wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json -O ~/chrome.json # Base docker image FROM debian:stretch @@ -26,26 +24,31 @@ MAINTAINER Jessie Frazelle ADD https://dl.google.com/linux/direct/google-talkplugin_current_amd64.deb /src/google-talkplugin_current_amd64.deb # Install Chromium -RUN echo 'deb http://httpredir.debian.org/debian testing main' >> /etc/apt/sources.list && \ - apt-get update && apt-get install -y \ - chromium \ - chromium-l10n \ - fonts-liberation \ - fonts-roboto \ - hicolor-icon-theme \ - libcanberra-gtk-module \ - libexif-dev \ - libgl1-mesa-dri \ - libgl1-mesa-glx \ - libpango1.0-0 \ - libv4l-0 \ - -t testing \ - fonts-symbola \ - --no-install-recommends \ - && rm -rf /var/lib/apt/lists/* \ - && mkdir -p /etc/chromium.d/ \ - && /bin/echo -e 'export GOOGLE_API_KEY="AIzaSyCkfPOPZXDKNn8hhgu3JrA62wIgC93d44k"\nexport GOOGLE_DEFAULT_CLIENT_ID="811574891467.apps.googleusercontent.com"\nexport GOOGLE_DEFAULT_CLIENT_SECRET="kdloedMFGdGla2P1zacGjAQh"' > /etc/chromium.d/googleapikeys \ - && dpkg -i '/src/google-talkplugin_current_amd64.deb' +RUN apt-get update && apt-get install -y \ + chromium \ + chromium-l10n \ + fonts-liberation \ + fonts-roboto \ + hicolor-icon-theme \ + libcanberra-gtk-module \ + libexif-dev \ + libgl1-mesa-dri \ + libgl1-mesa-glx \ + libpango1.0-0 \ + libv4l-0 \ + fonts-symbola \ + --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* \ + && mkdir -p /etc/chromium.d/ \ + && /bin/echo -e 'export GOOGLE_API_KEY="AIzaSyCkfPOPZXDKNn8hhgu3JrA62wIgC93d44k"\nexport GOOGLE_DEFAULT_CLIENT_ID="811574891467.apps.googleusercontent.com"\nexport GOOGLE_DEFAULT_CLIENT_SECRET="kdloedMFGdGla2P1zacGjAQh"' > /etc/chromium.d/googleapikeys \ + && dpkg -i '/src/google-talkplugin_current_amd64.deb' + +# Add chromium user +RUN groupadd -r chromium && useradd -r -g chromium -G audio,video chromium \ + && mkdir -p /home/chromium/Downloads && chown -R chromium:chromium /home/chromium + +# Run as non privileged user +USER chromium ENTRYPOINT [ "/usr/bin/chromium" ] CMD [ "--user-data-dir=/data" ]