feat(docker): add docker and publish images to ghcr #411
Conversation
|
I would suggest changing the docker compose example to use a seccomp file like the one in #174 so you dont have to disable the chromium sandbox |
I applied your suggestions, thanks!
I just remove |
That has the same problem, as it requires the env vars to disable sandboxing. You could add something like |
Okay, so from my testing, I suppose we could either do this, and have a I've also added in a user to circumvent some of the access. |
|
Alright @v1ct0rv, I'm going to push one commit up, but feel free to revert. Let's discuss and see if everyone is OK with the change. https://github.com/jef/nvidia-snatcher/compare/feature/add-docker-support Feel free to integrate directly into this PR @v1ct0rv. |
Signed-off-by: Jef LeCompte <[email protected]>
|
@jef this isn't working for me (Ubuntu host so possible selinux issue): I'd prefer the Edit: |
100% agree, that's why I'm also not keen on
Also my thought. But I guess this is mostly for those who are running the app in some sort of cloud environment that aren't VMs, i.e. k8s (which I don't really think people are doing).
Not sure if this helps with at all, but not sure if I understand the sandboxing that Chromium is doing. That being said, it ran on my arch box. Probably an SELinux thing. Not really sure the best direction to go here. I'd rather not host any Docker image and have someone else manage an image. I don't mind having someone update a wiki page of Docker images, but I'm not too sure if we want to manage this. |
|
I think it's worth pointing out that all of these are "runtime" options and don't need any changes to the Dockerfile. It's more a question of documentation. I would vote for documenting both choices. Either run with chromiums sandbox and the proper security options, or set the env var and turn off sandboxing. For the chrome.json file you could just include a link to that file from its original source (which I don't remember but can help find - I think it was docker documentation somewhere) |
…to feature/add-docker-support * By Jef LeCompte * Via Jef LeCompte * upstream/feature/add-docker-support: feat: add ci build, update `Dockerfile` * Conflicts: * .env-example
Agreed, We can run either with We can have more granular control with What do you think? |
|
Regardless, users can do whatever they want regarding their security choices and I would like |
Added back the option to Skip Chromium Sandbox. |
There was a problem hiding this comment.
Regardless, users can do whatever they want regarding their security choices and I would like
--no-sandboxto remain an option
Do we have to enable sandboxing to run the Dockerfile? If so, maybe we should add config.docker to
if (config.browser.isTrusted || config.docker) {
args.push('--no-sandbox');
args.push('--disable-setuid-sandbox');
}
Haven't ran yet though, so just an assumption...
It's dependent on what privileges the user has allowed. If they're running with an appropriate security profile or using |
By default right now (I think), sandboxing is enabled, which requires users to either user the Docker option If a user wants to disable the sandbox, then they run with I would strongly recommend not having different defaults if you're running natively or in a container, i.e. run with sandboxing enabled unless specified by the env var, both in native and container environments. |
jef
changed the title
|
Thank you two for that explanation. And thank you @v1ct0rv for seeing this through. Appreciate everyone's help and discussion. Alright, well, let's see how this thing goes... |
jef
changed the title
|
Annnndd... Actions are down right 😢
|
Description
This is another proposal based on #374 and #174 but using Github Actions to build and publish the images, I added the Dockerfile, a sample docker-compose.yml and, as part of CD, build the image and push to DockerHub, so we will have the image with the latest code on main branch.
I also add documentation to use it.