playwright/docs/docker/README.md
Max Schmitt e6a1a1c129
fix(docker): add again pwuser (#3899)
In version 1.4 we introduced a breaking change for the Docker behaviour since we removed the pwuser completely. In this PR I add this user again and create a symlink so that root uses the browser of the pwuser. This has also the benefit, that the users who wants to use the seccomp profile that they don't have to create this user.

Reference: https://playwright.slack.com/archives/CSUHZPVLM/p1600240776120400

Tested on root and on pwuser. Works.

References #4084
2020-10-08 11:53:07 -07:00

4.3 KiB

Running Playwright in Docker

Dockerfile.bionic can be used to run Playwright scripts in Docker environments. This image includes all the dependencies needed to run browsers in a Docker container, including browsers.

Usage

docker hub

This image is published on Docker Hub.

Pull the image

$ docker pull mcr.microsoft.com/playwright:bionic

Run the image

By default, the Docker image will use the root user to run the browsers. This will disable the Chromium sandbox which is not available with root. If you run trusted code (e.g. End-to-end tests) and want to avoid the hassle of managing separate user then the root user may be fine. For web scraping or crawling, we recommend to create a separate user inside the Docker container and use the seccomp profile.

End-to-end tests

On trusted websites, you can avoid creating a separate user and use root for it since you trust the code which will run on the browsers.

docker run -it --rm --ipc=host mcr.microsoft.com/playwright:bionic /bin/bash

Crawling and scraping

On untrusted websites, it's recommended to use a separate user for launching the browsers in combination with the seccomp profile. Inside the container or if you are using the Docker image as a base image you have to use adduser for it.

$ docker run -it --rm --ipc=host --user pwuser --security-opt seccomp=seccomp_profile.json mcr.microsoft.com/playwright:bionic /bin/bash

seccomp_profile.json is needed to run Chromium with sandbox. This is a default Docker seccomp profile with extra user namespace cloning permissions:

[
  {
    "comment": "Allow create user namespaces",
    "names": [
      "clone",
      "setns",
      "unshare"
    ],
    "action": "SCMP_ACT_ALLOW",
    "args": [],
    "includes": {},
    "excludes": {}
  }
]

Note

: Using --ipc=host is recommended when using Chrome (Docker docs). Chrome can run out of memory without this flag.

Using on CI

See our Continuous Integration guides for sample configs.

Image tags

See all available image tags.

Development

Build the image

Use //docs/docker/build.sh to build the image.

$ ./docs/docker/build.sh bionic playwright:localbuild-bionic

The image will be tagged as playwright:localbuild-bionic and could be run as:

$ docker run --rm -it playwright:localbuild /bin/bash

Push

Docker images are published automatically by GitHub Actions. We currently publish the following images:

  • mcr.microsoft.com/playwright:next - tip-of-tree image version.
  • mcr.microsoft.com/playwright:bionic - last Playwright release docker image.
  • mcr.microsoft.com/playwright:sha-XXXXXXX - docker image for every commit that changed docker files or browsers, marked with a short sha (first 7 digits of the SHA commit).

Status of push to MCR can be verified here (internal link).

Base images

Ubuntu 20

mcr.microsoft.com/playwright:focal is based on Ubuntu 20.04 LTS (Focal Fossa).

Ubuntu 18

mcr.microsoft.com/playwright:bionic is based on Ubuntu 18.04 LTS (Bionic Beaver).

Alpine

Browser builds for Firefox and WebKit are built for the glibc library. Alpine Linux and other distributions that are based on the musl standard library are not supported.