Commit bc9e9e7

Do not use SYS_ADMIN Docker capability for k6 browser (#1330)
Updates all k6 browser Docker examples which use the grafana/k6:master-with-browser image, removing the usage of the SYS_ADMIN Docker capability, which is now not needed because the Chrome 'no-sandbox' argument is set by default. This change and its implications are mentioned in a comment along with the cmdline example and a recommendation to use a Docker SECCOMP profile instead, which provides better security at the cost of worse UX.
1 parent 80cddb9 commit bc9e9e7

3 files changed

+56
-16
lines changed

src/data/markdown/docs/02 javascript api/07 k6-experimental/01 browser.md

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -86,9 +86,17 @@ $ k6 run script.js
8686
```
8787

8888
```bash
89-
# When using the `k6:master-with-browser` Docker image, you need to add `--cap-add=SYS_ADMIN`
90-
# to grant further system permissions on the host for the Docker container.
91-
docker run --rm -i --cap-add=SYS_ADMIN grafana/k6:master-with-browser run - <script.js
89+
# WARNING!
90+
# The grafana/k6:master-with-browser image launches a Chrome browser by setting the
91+
# 'no-sandbox' argument. Only use it with trustworthy websites.
92+
#
93+
# As an alternative, you can use a Docker SECCOMP profile instead, and overwrite the
94+
# Chrome arguments to not use 'no-sandbox' such as:
95+
# docker container run --rm -i -e K6_BROWSER_ARGS='' --security-opt seccomp=$(pwd)/chrome.json grafana/k6:master-with-browser run - <script.js
96+
#
97+
# You can find an example of a hardened SECCOMP profile in:
98+
# https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json.
99+
docker run --rm -i grafana/k6:master-with-browser run - <script.js
92100
```
93101

94102
```bash
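Review bot: The seccomp profile link on new line 98 points at the `master` branch of a third-party personal repository (`jfrazelle/dotfiles`), so the file a reader downloads and passes to `--security-opt seccomp=` can change or disappear without this page changing. The profile is the control that stands in for `no-sandbox` in the alternative command, so link to a fixed commit of that file or keep a reviewed copy next to the docs. The URL also ends with a full stop that will be copied along with it; drop the trailing `.`.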
@@ -143,9 +151,17 @@ The following command passes the [browser module options](#browser-module-option
143151
$ K6_BROWSER_HEADLESS=false K6_BROWSER_ARGS='show-property-changed-rects' k6 run script.js
144152
```
145153
```bash
146-
# When using the `k6:master-with-browser` Docker image, you need to add `--cap-add=SYS_ADMIN`
147-
# to grant further system permissions on the host for the Docker container.
148-
docker run --rm -i --cap-add=SYS_ADMIN -e K6_BROWSER_HEADLESS=false -e K6_BROWSER_ARGS='show-property-changed-rects' grafana/k6:master-with-browser run - <script.js
154+
# WARNING!
155+
# The grafana/k6:master-with-browser image launches a Chrome browser by setting the
156+
# 'no-sandbox' argument. Only use it with trustworthy websites.
157+
#
158+
# As an alternative, you can use a Docker SECCOMP profile instead, and overwrite the
159+
# Chrome arguments to not use 'no-sandbox' such as:
160+
# docker container run --rm -i -e K6_BROWSER_ARGS='' --security-opt seccomp=$(pwd)/chrome.json grafana/k6:master-with-browser run - <script.js
161+
#
162+
# You can find an example of a hardened SECCOMP profile in:
163+
# https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json.
164+
docker run --rm -i -e K6_BROWSER_HEADLESS=false -e K6_BROWSER_ARGS='show-property-changed-rects' grafana/k6:master-with-browser run - <script.js
149165
```
150166

151167
```bash
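Review bot: The warning on new lines 155-156 and the command on new line 164 do not agree with the comment's own explanation of `K6_BROWSER_ARGS`. Lines 158-160 say that setting `K6_BROWSER_ARGS=''` overwrites the Chrome arguments so that 'no-sandbox' is not used, yet the command the reader actually runs sets `K6_BROWSER_ARGS='show-property-changed-rects'`. If setting the variable replaces the default, this example starts Chrome without 'no-sandbox' and without `--cap-add=SYS_ADMIN`; if it is merged with the default, the empty-string alternative would not remove 'no-sandbox'. Please state which behaviour applies and adjust either the example or the comment. The alternative command also drops `K6_BROWSER_HEADLESS=false` and the `show-property-changed-rects` argument, so it is not equivalent to the example it sits above.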

src/data/markdown/translated-guides/en/03 Using k6 browser/02 Running browser tests.md

Lines changed: 23 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -80,9 +80,17 @@ $ k6 run script.js
8080
```
8181

8282
```bash
83-
# When using the `k6:master-with-browser` Docker image, you need to add `--cap-add=SYS_ADMIN`
84-
# to grant further system permissions on the host for the Docker container.
85-
docker run --rm -i --cap-add=SYS_ADMIN grafana/k6:master-with-browser run - <script.js
83+
# WARNING!
84+
# The grafana/k6:master-with-browser image launches a Chrome browser by setting the
85+
# 'no-sandbox' argument. Only use it with trustworthy websites.
86+
#
87+
# As an alternative, you can use a Docker SECCOMP profile instead, and overwrite the
88+
# Chrome arguments to not use 'no-sandbox' such as:
89+
# docker container run --rm -i -e K6_BROWSER_ARGS='' --security-opt seccomp=$(pwd)/chrome.json grafana/k6:master-with-browser run - <script.js
90+
#
91+
# You can find an example of a hardened SECCOMP profile in:
92+
# https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json.
93+
docker run --rm -i grafana/k6:master-with-browser run - <script.js
8694
```
8795

8896
```bash
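Review bot: "Only use it with trustworthy websites" on new line 85 does not tell the reader what they give up. Add one sentence saying that 'no-sandbox' turns off Chrome's own sandbox, so the content the browser loads is no longer isolated by it and the container becomes the only boundary. The commit message describes the seccomp route as better security at the cost of worse UX; that trade-off belongs in the comment too, since the comment is all a docs reader will see.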
@@ -104,9 +112,17 @@ $ K6_BROWSER_HEADLESS=false k6 run script.js
104112
```
105113

106114
```bash
107-
# When using the `k6:master-with-browser` Docker image, you need to add `--cap-add=SYS_ADMIN`
108-
# to grant further system permissions on the host for the Docker container.
109-
docker run --rm -i --cap-add=SYS_ADMIN -e K6_BROWSER_HEADLESS=false grafana/k6:master-with-browser run - <script.js
115+
# WARNING!
116+
# The grafana/k6:master-with-browser image launches a Chrome browser by setting the
117+
# 'no-sandbox' argument. Only use it with trustworthy websites.
118+
#
119+
# As an alternative, you can use a Docker SECCOMP profile instead, and overwrite the
120+
# Chrome arguments to not use 'no-sandbox' such as:
121+
# docker container run --rm -i -e K6_BROWSER_ARGS='' --security-opt seccomp=$(pwd)/chrome.json grafana/k6:master-with-browser run - <script.js
122+
#
123+
# You can find an example of a hardened SECCOMP profile in:
124+
# https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json.
125+
docker run --rm -i -e K6_BROWSER_HEADLESS=false grafana/k6:master-with-browser run - <script.js
110126
```
111127

112128
```bash
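Review bot: In the commented alternative on new line 121, `--security-opt seccomp=$(pwd)/chrome.json` leaves the command substitution unquoted, so it breaks when the working directory contains a space. Suggest `--security-opt seccomp="$(pwd)/chrome.json"`. The same line uses `docker container run` and passes no `K6_BROWSER_HEADLESS=false`, while the live command on new line 125 uses `docker run` with that variable; align the two so the alternative is a drop-in replacement for this example.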
@@ -314,4 +330,4 @@ export function news() {
314330

315331
The preceding code contains two scenarios. One for the browser-level test called `browser` and one for the protocol-level test called `news`. Both scenarios are using the [constant-vus executor](/using-k6/scenarios/executors/constant-vus/) which introduces a constant number of virtual users to execute as many iterations as possible for a specified amount of time.
316332

317-
Since it's all in one script, this allows for greater collaboration amongst teams.
333+
Since it's all in one script, this allows for greater collaboration amongst teams.
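Review bot: Old line 317 and new line 333 show the same visible text, so this hunk looks like a whitespace or end-of-file newline change that has nothing to do with removing `SYS_ADMIN`. Either drop it from this commit or mention it in the commit message so the 23 additions and 7 deletions reported for this file are accounted for.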

src/data/markdown/translated-guides/en/03 Using k6 browser/04 Migrating to k6 v0-46.md

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -138,9 +138,17 @@ $ K6_BROWSER_HEADLESS=false K6_BROWSER_TIMEOUT='60s' k6 run script.js
138138
```
139139

140140
```bash
141-
# When using the `k6:master-with-browser` Docker image, you need to add `--cap-add=SYS_ADMIN`
142-
# to grant further system permissions on the host for the Docker container.
143-
docker run --rm -i --cap-add=SYS_ADMIN -e K6_BROWSER_HEADLESS=false -e K6_BROWSER_TIMEOUT='60s' grafana/k6:master-with-browser run - <script.js
141+
# WARNING!
142+
# The grafana/k6:master-with-browser image launches a Chrome browser by setting the
143+
# 'no-sandbox' argument. Only use it with trustworthy websites.
144+
#
145+
# As an alternative, you can use a Docker SECCOMP profile instead, and overwrite the
146+
# Chrome arguments to not use 'no-sandbox' such as:
147+
# docker container run --rm -i -e K6_BROWSER_ARGS='' --security-opt seccomp=$(pwd)/chrome.json grafana/k6:master-with-browser run - <script.js
148+
#
149+
# You can find an example of a hardened SECCOMP profile in:
150+
# https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json.
151+
docker run --rm -i -e K6_BROWSER_HEADLESS=false -e K6_BROWSER_TIMEOUT='60s' grafana/k6:master-with-browser run - <script.js
144152
```
145153

146154
```bash
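Review bot: The ten-line warning comment on new lines 141-150 is now pasted verbatim into five code blocks across three files, which means any later correction (the profile URL, the `K6_BROWSER_ARGS` wording) has to be made five times and will drift. Consider keeping a one-line comment in each example and moving the full explanation into a single section that the examples link to. On this migration page specifically, the hunk removes `--cap-add=SYS_ADMIN` without telling readers who already run the image with that flag that they can drop it; a sentence saying so would fit here.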
