
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted #350

Closed
dalepres opened this issue Mar 9, 2018 · 12 comments

Comments

@dalepres

dalepres commented Mar 9, 2018

I get the error below running jess/chrome. I get that running it with Jess' suggested command line and I get it if I remove all unneeded options.

Error:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

@jessfraz
Owner

jessfraz commented Mar 9, 2018

please see #65

@jessfraz jessfraz closed this as completed Mar 9, 2018
@jessfraz
Owner

jessfraz commented Mar 9, 2018

The problem is that user namespaces are not enabled in your kernel.
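The maintainer's diagnosis above, and the later comment in this thread about kernel.unprivileged_userns_clone, both come down to whether the host kernel lets an unprivileged process create a user namespace. The following POSIX shell diagnostic is an added example (not part of jess/chrome or any project code in this thread): it reads the two kernel sysctls involved and, separately, asks util-linux unshare(1) to actually create a user namespace. The optional ROOT argument of userns_status is an assumption made so the logic can be exercised against constructed files; on a real host it is left empty.

```shell
#!/bin/sh
# Added diagnostic for "Failed to move to new namespace ... Operation not
# permitted": report the kernel-side user-namespace state. Not project code.

# userns_status [ROOT]
# ROOT is an optional path prefix (used here only for testing against
# constructed files); empty means the live /proc. Prints one of:
#   disabled-clone  kernel.unprivileged_userns_clone is 0 (Debian/Ubuntu knob)
#   disabled-max    user.max_user_namespaces is 0
#   enabled         neither knob disables user namespaces
#   unknown         neither sysctl file is readable, so no verdict
userns_status() {
  root="${1:-}"
  clone_file="$root/proc/sys/kernel/unprivileged_userns_clone"
  max_file="$root/proc/sys/user/max_user_namespaces"

  # The Debian/Ubuntu knob wins when present and set to 0.
  if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
    echo disabled-clone
    return 0
  fi
  # Mainline knob: a limit of 0 forbids creating any user namespace.
  if [ -r "$max_file" ]; then
    if [ "$(cat "$max_file")" = "0" ]; then
      echo disabled-max
    else
      echo enabled
    fi
    return 0
  fi
  # Only the Debian knob exists and it is not 0.
  if [ -r "$clone_file" ]; then
    echo enabled
    return 0
  fi
  echo unknown
}

# probe_userns
# Live check: create a user namespace with `unshare -U` and run a no-op in
# it. Prints yes or no. Run on the host itself, a "no" means the kernel or
# its sysctls block user namespaces regardless of container settings.
probe_userns() {
  if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

echo "sysctl view: $(userns_status)"
echo "live probe:  $(probe_userns)"
```

Running the script on the host and then inside the failing container separates the two cases: if the host already reports disabled-clone or disabled-max, fixing the kernel sysctl (or using a kernel with user namespaces enabled, per #65) is the first step; if the host says yes but the container says no, the restriction is coming from the container runtime's settings rather than the kernel.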

@jessfraz
Owner

jessfraz commented Mar 9, 2018

here is the most helpful comment #65 (comment)

@pankajrajkhowa

Issue
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

I am new to Docker. I have installed a VirtualBox VM and am running Docker in it.
I successfully pulled jess/chrome, and when I try to docker run it I get the error message.

Pankaj-Rajkhowa:Docker macbookpro$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ee45991833e9 1fe6b2dc7e23 "google-chrome --use…" 4 minutes ago Exited (133) 4 minutes ago jovial_jones
a3e86528267b ee2708bf565c "bash" 14 hours ago Created priceless_bhabha
1ca88684b081 ee2708bf565c "bash" 14 hours ago Exited (0) 14 hours ago quirky_jones
67a6dc840ac8 ee2708bf565c "/bin/sh -c 'set -eu…" 14 hours ago Exited (2) 14 hours ago practical_mcclintock
444fb01de896 httpd "httpd-foreground" 14 hours ago Exited (0) 14 hours ago cocky_leakey
Pankaj-Rajkhowa:Docker macbookpro$ docker run 1fe6b2dc7e23

Looking for help to learn.

@undrewb

undrewb commented Jan 27, 2019

So I keep seeing "don't use --no-sandbox because security". But if I don't pass --no-sandbox, chromium will not launch on Alpine. So is there another way?

@sjortiz

sjortiz commented Mar 27, 2019

As of now, if you run the container with --privileged you won't have the issue stated in the title.

@MicheleNicosia

Hi all,
it is unclear to me HOW to run an image, which works perfectly with docker --privileged, using a Kubernetes YAML instead.
I'm struggling to understand, and the best I did was the following YAML, which is now giving me the same error as in the subject:

apiVersion: v1
kind: Pod
metadata:
  name: geneticool
spec:
  privileged: true
  allowPrivilegeEscalation: true
spec:
  #replicas: 2
  #selector:
    matchLabels:
      app: chrome
  containers:
    - name: render
      image: geneticool/renderer:chrome
      env:
        - name: somesecret

Given that, the error I see is the following:

02/07/2019 10:23:10 Autoprobing TCP port
02/07/2019 10:23:10 Autoprobing selected TCP port 5900
02/07/2019 10:23:10 Autoprobing TCP6 port
02/07/2019 10:23:10 Autoprobing selected TCP6 port 5900

02/07/2019 10:23:10 The X server says there are 10 mouse buttons.
02/07/2019 10:23:10 screen setup finished.
02/07/2019 10:23:10

The VNC desktop is: geneticool:0


Have you tried the x11vnc '-ncache' VNC client-side pixel caching feature yet?

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Any idea what to change on my yaml?

I wanted to easily scale up the containers with a simple command on k8s.

Thank you.
Michele
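For the question above about translating a working docker --privileged run into a Pod manifest, here is an added example (not Michele's manifest, not jess/chrome code, and not tested against the geneticool/renderer:chrome image, whose name is simply taken from the post). The key point is placement: privileged and allowPrivilegeEscalation are fields of a container-level securityContext, not of the Pod spec, and a Pod has only one spec. Two variants are shown as separate documents: the direct equivalent of --privileged, and the narrower --cap-add=SYS_ADMIN form suggested later in this thread. The --device flags have no one-to-one Pod field and are deliberately left out here.

```yaml
# Added example: two ways to express the thread's docker run flags as a Pod.
# Image name is taken from the post above; everything else is assumed.
apiVersion: v1
kind: Pod
metadata:
  name: geneticool
spec:
  containers:
    - name: render
      image: geneticool/renderer:chrome
      # Variant A: equivalent of `docker run --privileged`. This is the
      # broadest setting: the container gets nearly the same access to the
      # host as a process outside containers, so the whole node is at risk
      # if the browser is compromised.
      securityContext:
        privileged: true
---
apiVersion: v1
kind: Pod
metadata:
  name: geneticool-capsonly
spec:
  containers:
    - name: render
      image: geneticool/renderer:chrome
      # Variant B: equivalent of `docker run --cap-add=SYS_ADMIN`, the
      # replacement for --privileged suggested in this thread. Narrower than
      # privileged: true, but the later comment and the linked Red Hat post
      # rate SYS_ADMIN as close to root on the host, so treat it as a last
      # resort and keep it off any pod that serves untrusted content.
      securityContext:
        capabilities:
          add: ["SYS_ADMIN"]
```

Either manifest can be scaled with a Deployment later; the replicas and selector keys that were commented out in the original YAML belong to a Deployment spec, not to a Pod, which is why they were producing confusion here.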

@takahser

According to the docs, the --privileged flag will give "extended privileges to this container". This includes "nearly all the same access to the host as processes running outside containers on the host".

I don't want my container to have these rights. Is there any other way, such as restricting the access using the --device flag?

It (the --device flag) allows you to specify one or more devices that will be accessible within the container.

@Zeroman

Zeroman commented Jan 21, 2021

You can add
--cap-add=SYS_ADMIN
--device /dev/snd
--device /dev/dri
to replace --privileged.
https://awesomeopensource.com/project/yukinying/chrome-headless-browser-docker

@JunjiUmeno

JunjiUmeno commented Feb 13, 2021

--cap-add=SYS_ADMIN makes it work. rootless or kernel.unprivileged_userns_clone = 1 did not make it clone.

@Exadra37

Exadra37 commented Apr 8, 2022

Using --cap-add=SYS_ADMIN is almost the same as giving ROOT access to the host. DON'T DO IT.

https://www.redhat.com/en/blog/container-tidbits-adding-capabilities-container

Bottom line: giving a process SYS_ADMIN capability is pretty close to removing all isolation. As a rule, you shouldn't do this, but it's helpful to know that you can if you need to for some reason.

@unitythemaker

Solution for the ones who don't want to add caps to the container:
google-chrome Failed to move to new namespace

const puppeteer = require("puppeteer");

// Launch Chrome with its namespace sandbox disabled instead of granting the
// container extra capabilities.
const browser = await puppeteer.launch({
  "args": [
    "--no-sandbox"
  ]
});

I think this should be marked as the new solution if it works for everyone.
