Disable chrome sandbox by default. Add a config flag and documentatio…

…n to reenable it (#481)
livekit · Sep 7, 2023 · 75a0cc2 · 75a0cc2
1 parent cfd2bda
commit 75a0cc2
Show file tree

Hide file tree

Showing 6 changed files with 817 additions and 11 deletions.
diff --git a/.github/workflows/test-integration.yaml b/.github/workflows/test-integration.yaml
@@ -66,8 +66,6 @@ jobs:
         run: |
           docker run --rm \
             --network host \
-            --security-opt seccomp=unconfined \
-            --cap-add=SYS_ADMIN \
             -e GITHUB_WORKFLOW=1 \
             -e EGRESS_CONFIG_STRING="$(echo ${{ secrets.EGRESS_CONFIG_STRING }} | base64 -d)" \
             -e S3_UPLOAD="$(echo ${{ secrets.S3_UPLOAD }} | base64 -d)" \

diff --git a/README.md b/README.md
@@ -66,6 +66,7 @@ logging:
   json: true
 template_base: can be used to host custom templates (default https://egress-composite.livekit.io)
 backup_storage: files will be moved here when uploads fail. location must have write access granted for all users
+enable_chrome_sandbox: if true, egress will run Chrome with sandboxing enabled. This requires a specific Docker setup, see below. 
 cpu_cost: # optionally override cpu cost estimation, used when accepting or denying requests
   room_composite_cpu_cost: 3.0
   web_cpu_cost: 3.0
@@ -172,13 +173,34 @@ Then to run the service:
 ```shell
 docker run --rm \
     -e EGRESS_CONFIG_FILE=/out/config.yaml \
-    --cap-add=SYS_ADMIN \
     -v ~/egress-test:/out \
     livekit/egress
 ```
 
 You can then use our [cli](https://github.com/livekit/livekit-cli) to submit egress requests to your server.
 
+### Chrome sandboxing
+
+By default, Room Composite and Web egresses run with Chrome sandboxing disabled. This is because the default docker security settings prevent Chrome from
+switching to a different kernel namespace, which is needed by Chrome to setup its sandbox. 
+
+Chrome sandboxing within Egress can be reenabled by setting the the `enable_chrome_sandbox` option to `true` in the egress configuration, and launching docker using the [provided
+seccomp security profile](https://github.com/livekit/egress/blob/main/chrome-sandboxing-seccomp-profile.json):
+
+```shell
+docker run --rm \
+    -e EGRESS_CONFIG_FILE=/out/config.yaml \
+    -v ~/egress-test:/out \
+    --security-opt seccomp=chrome-sandboxing-seccomp-profile.json \
+    livekit/egress
+```
+
+This profile is based on the [default docker seccomp security profile](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and allows
+the 2 extra system calls (`clone` and `unshare`) that Chrome needs to setup the sandbox.
+
+Note that kubernetes disables seccomp entirely by default, which means that running with Chrome sandboxing enabled is possible on a kubernetes with 
+the default security settings.
+
 ## FAQ
 
 ### Can I store the files locally instead of uploading to cloud storage?