docker-brave-browser-x11/docker-compose.yml

version: '2.3' # volumes long syntax

# options to share host's x-server:
# - Xephyr
# - pass $XAUTHORITY (insecure, https://stackoverflow.com/a/25280523/5894777)
# - xhost + (horribly insecure)

volumes:
  home:

services:
  browser:
    build: .
    image: docker.io/fphammerle/brave-browser
    container_name: brave_browser
    environment:
    - DISPLAY
    read_only: true
    volumes:
    - type: bind
      source: /tmp/.X11-unix
      target: /tmp/.X11-unix
    - type: volume
      source: home
      target: /home/browser
    - type: tmpfs
      # > ERROR:chrome_browser_main.cc(1254)] Failed to create a ProcessSingleton for your profile directory. [...]
      target: /tmp
      tmpfs:
        # nosuid,nodev,noexec added by default
        mode: '1777'
        size: 4k
    # fix some "Aw, Snap!" errors (including video playback)
    # > ERROR:broker_posix.cc(46)] Received unexpected number of handles
    # default:
    # > $ sudo docker exec brave_browser mount | grep /dev/shm
    # > shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
    # https://github.com/puppeteer/puppeteer/blob/v7.1.0/docs/troubleshooting.md#tips
    shm_size: 1GB
    cap_drop: [ALL]
    security_opt: [no-new-privileges]

# https://docs.docker.com/compose/compose-file/compose-file-v2/