This repository has been archived by the owner on Sep 16, 2021. It is now read-only.

Disable Chrome sandbox when unavailable #306

Merged
merged 1 commit into from
Nov 14, 2018

Conversation

filipesilva
Contributor

@filipesilva filipesilva commented Oct 18, 2018

Chrome on Linux uses sandboxing, which needs user namespaces to be enabled.
This is not available on all kernels and it might be turned off even if it is available.
Notable examples where user namespaces are not available include:

  • In Debian it is compiled-in but disabled by default.
  • The Docker daemon for Windows or OSX does not support user namespaces.

We can detect if user namespaces are supported via /proc/sys/kernel/unprivileged_userns_clone.

For more information see:
puppeteer/puppeteer#290
https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel#1122977
karma-runner/karma-chrome-launcher#158
angular/angular#24906

@alexeagle
Contributor

@huangw5 I think you also ran into chrome sandboxing vs. running as root - any idea if this is the right thing to do?

@filipesilva
Contributor Author

In angular/angular#24906 there is also a check to see if the current user is root. It could be added here.

@huangw5

huangw5 commented Oct 19, 2018

I thought the --no-sandbox was needed when running headless Chrome inside a Docker container, but it turned out we can use --cap-add SYS_ADMIN instead.

The check was removed in angular/angular#25362

@filipesilva
Contributor Author

I think the problem I am trying to solve here is different because running Chrome in Docker on a Linux host already works, but doesn't support namespaces on Windows and OSX hosts (breaking Chrome sandboxes).

@huangw5 if I understand this correctly, running Docker with --cap-add SYS_ADMIN means "add admin capabilities" (as per https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). I think that makes sense if the Docker user is already root, but it probably shouldn't be on when using a non-root user.

@filipesilva
Contributor Author

Broken CI seems related to #312

@filipesilva filipesilva merged commit d8bdc9c into bazelbuild:master Nov 14, 2018
@filipesilva filipesilva deleted the chrome-sandbox-linux branch November 14, 2018 09:16
alexeagle pushed a commit that referenced this pull request Nov 14, 2018
Related to angular/angular#24906

Closes #306

PiperOrigin-RevId: 221328627
4 participants