Heuristic:MarketSquare Robotframework browser Docker Chrome Security

From Leeroopedia
Knowledge Sources
Domains Troubleshooting, Containerization
Last Updated 2026-02-12 04:00 GMT

Overview

Required Docker security configuration using seccomp profiles, IPC host sharing, and non-root user for stable Chrome execution in containers.

Description

Running Chrome/Chromium inside Docker containers requires three specific security configurations: (1) a custom seccomp profile that allows user namespace syscalls needed by Chrome's sandbox, (2) IPC host sharing to prevent shared memory errors, and (3) running as the `pwuser` non-root user to avoid permission issues. Without these settings, Chrome may crash silently, show shared memory errors, or fail to launch.

Usage

Apply this heuristic whenever running Browser library tests in Docker, setting up CI Docker pipelines, or debugging Chrome crashes in containers. If Chrome crashes without error messages or shows `SIGABRT` signals in Docker, these security settings are likely the cause.

The Insight (Rule of Thumb)

  • Action: Always use these three Docker flags together when running Chrome in containers:
    • `--ipc=host` — Shares the host's IPC namespace with the container
    • `--security-opt seccomp=seccomp_profile.json` — Applies the Playwright seccomp profile
    • `--user pwuser` — Runs as the dedicated non-root user
  • Value: Download the seccomp profile from Playwright's repository rather than writing one by hand.
  • Trade-off: `--ipc=host` slightly reduces container isolation. The seccomp profile allows additional syscalls (clone, setns, unshare) required for Chrome sandboxing.

Reasoning

Chrome uses Linux user namespaces for its multi-process sandbox. Docker's default seccomp profile blocks the `clone`, `setns`, and `unshare` syscalls that namespace creation requires. The custom seccomp profile allows these specific syscalls while keeping the other restrictions in place. The `--ipc=host` flag is needed because Chrome uses shared memory (`/dev/shm`) for inter-process communication, and Docker's default 64MB `/dev/shm` is too small for it. Running as `pwuser` ensures the browser binaries installed for that user are accessible.

Code Evidence

Docker run command from `docker/README.md:17`:

docker run --rm -v $(pwd)/atest/test/:/test --ipc=host --user pwuser \
  --security-opt seccomp=seccomp_profile.json \
  marketsquare/robotframework-browser:latest \
  bash -c "robot --outputdir /test/output /test"

Non-root user requirement from `docker/README.md:27`:

All dependencies are installed to support running tests as `pwuser`
in the docker image. Running tests as root or other non `pwuser`
can cause problems.

Seccomp profile namespace allowance from `docker/seccomp_profile.json:54`:

{
    "comment": "Allow create user namespaces",
    "names": ["clone", "setns", "unshare"],
    "action": "SCMP_ACT_ALLOW"
}
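An added check, not code from the page or the robotframework-browser project, that parses a seccomp profile in the rule shape quoted above and confirms the three namespace syscalls from the Reasoning section are explicitly allowed, while flagging a profile whose `defaultAction` is `SCMP_ACT_ALLOW` (which would silence the crash by giving up filtering altogether). The sample profiles are constructed and are not Playwright's real file.

```python
"""Check a Docker seccomp profile for Chrome's user-namespace requirement.

Added example (not the page's or the project's code). Sample profiles are
constructed and do not reproduce Playwright's real seccomp_profile.json.
"""
import json

# Syscalls the page says Chrome's multi-process sandbox needs for user namespaces.
CHROME_NAMESPACE_SYSCALLS = {"clone", "setns", "unshare"}


def allowed_syscalls(profile: dict) -> set:
    """Return every syscall name the profile explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    return allowed


def check_chrome_profile(profile: dict) -> dict:
    """Report namespace syscalls still blocked and an over-permissive default."""
    allowed = allowed_syscalls(profile)
    return {
        "missing": sorted(CHROME_NAMESPACE_SYSCALLS - allowed),
        "default_allows_everything": profile.get("defaultAction") == "SCMP_ACT_ALLOW",
    }


# Constructed profiles: the rule shape quoted from docker/seccomp_profile.json,
# one that forgets setns/unshare, and one that is wide open.
GOOD_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat"], "action": "SCMP_ACT_ALLOW"},
    {"comment": "Allow create user namespaces",
     "names": ["clone", "setns", "unshare"], "action": "SCMP_ACT_ALLOW"}
  ]
}""")
INCOMPLETE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"names": ["clone"], "action": "SCMP_ACT_ALLOW"}]
}""")
OPEN_PROFILE = json.loads('{"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}')

if __name__ == "__main__":
    for name, prof in [("good", GOOD_PROFILE), ("incomplete", INCOMPLETE_PROFILE),
                       ("open", OPEN_PROFILE)]:
        print(name, check_chrome_profile(prof))
```

Run it against the downloaded profile with `json.load(open("seccomp_profile.json"))` in place of the constructed samples to confirm the namespace rule survived any local edits.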
