EU-EDPS / website-evidence-collector

Project moved to https://code.europa.eu/EDPS/website-evidence-collector! The tool Website Evidence Collector (WEC) automates the website evidence collection of storage and transfer of personal data. https://edps.europa.eu/press-publications/edps-inspection-software_en
European Union Public License 1.2

Failed to move to new namespace error - can I avoid running container as privileged? #97

Open msokolov-roche opened 1 year ago

msokolov-roche commented 1 year ago

Dear website-evidence-collector team,

I am trying to make WEC work in a Debian container, however, I came across the following problem:

docker build -t wec . && docker run -it wec bash

collector@e5dfa1e5e9e8:~$ website-evidence-collector --json https://google.com
/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:197
            reject(new Error([
                   ^

Error: Failed to launch the browser process!
find: '/home/collector/.config/chromium/Crash Reports/pending/': No such file or directory
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md

    at onClose (/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:197:20)
    at ChildProcess.<anonymous> (/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:188:79)
    at ChildProcess.emit (node:events:523:35)
    at ChildProcess._handle.onexit (node:internal/child_process:293:12)

Node.js v20.2.0

Seems like the culprit of the problem lies in Puppeteer.

NodeJS version is v20.2.0 and NPM version is 9.6.6. Also, here is a Dockerfile that I used:

FROM debian:bullseye

RUN apt update && apt upgrade -y && apt autoremove -y
# Debian's Chromium plus the shared libraries Puppeteer needs at runtime
RUN apt install -y curl wget chromium ca-certificates fonts-liberation libasound2 libatk-bridge2.0-0 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgbm1 libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libnss3 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 lsb-release xdg-utils
RUN curl -sL https://deb.nodesource.com/setup_20.x | bash
RUN apt install nodejs -y

# These must be set before npm install: otherwise Puppeteer still downloads its own
# Chromium during the install step. The system Chromium is used at runtime instead.
ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium
RUN npm install --global https://github.com/EU-EDPS/website-evidence-collector/tarball/latest

# Run the tool as an unprivileged user rather than root
RUN addgroup --system --gid 1001 collector && adduser --system --uid 1000 --ingroup collector --shell /bin/bash collector
USER collector
WORKDIR /home/collector

ENTRYPOINT []

After a while, I managed to solve the problem by running the container as privileged, or at least with the SYS_ADMIN capability, i.e. docker run --cap-add=SYS_ADMIN -it wec bash.

I would really prefer to avoid giving containers excessive privileges. Do you know if there is a way to solve this problem differently? Thank you!
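Why --cap-add=SYS_ADMIN cures the error above: Docker's default seccomp profile refuses clone() with any namespace flag (and unshare() altogether) unless the container holds CAP_SYS_ADMIN, and Chromium's sandbox needs exactly those calls to build the PID, network and user namespaces the message mentions. The following added example (not from the issue or from website-evidence-collector) derives a narrower seccomp profile that admits only those namespace flags, so the container can keep the default capability set; it assumes the flag set used by the Chromium build in the image, that unshare(CLONE_NEWUSER) is also required, and the output file name wec-seccomp.json.

```python
import json

# clone(2) namespace flags, from include/uapi/linux/sched.h
CLONE_NEWNS, CLONE_NEWCGROUP, CLONE_NEWUTS = 0x00020000, 0x02000000, 0x04000000
CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = (
    0x08000000, 0x10000000, 0x20000000, 0x40000000)
ALL_NS_FLAGS = (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC
                | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)  # 0x7E020000
# Namespaces the failing sandbox step asks for: PID and network (named in the
# error) inside a user namespace. Assumption: matches the Chromium build used.
SANDBOX_NS_FLAGS = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET
# Constructed stand-in for the relevant rule in Docker's default profile: with
# CAP_SYS_ADMIN absent, clone() passes only if (flags & mask) == 0, so every
# namespace flag gets EPERM. Load moby's real default.json for a full profile.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["clone"], "action": "SCMP_ACT_ALLOW",
                  "args": [{"index": 0, "value": ALL_NS_FLAGS, "valueTwo": 0,
                            "op": "SCMP_CMP_MASKED_EQ"}]}],
}

def masked_eq_allows(arg: dict, flags: int) -> bool:
    """Evaluate one SCMP_CMP_MASKED_EQ filter: (flags & value) == valueTwo."""
    return (flags & arg["value"]) == arg["valueTwo"]

def relaxed_profile(profile: dict, allowed_ns: int) -> dict:
    """Copy `profile`, narrowing the clone() mask so `allowed_ns` flags pass while
    other namespace flags stay denied; add an unshare() rule with the same filter."""
    new = json.loads(json.dumps(profile))  # deep copy, leave the input intact
    narrowed = None
    for rule in new["syscalls"]:
        for arg in rule.get("args", []) if "clone" in rule["names"] else []:
            if arg["op"] == "SCMP_CMP_MASKED_EQ" and arg["value"] & ALL_NS_FLAGS:
                arg["value"] &= ~allowed_ns  # drop the permitted bits from the mask
                narrowed = dict(arg)
    if narrowed is not None:  # assumption: sandbox also calls unshare(CLONE_NEWUSER)
        new["syscalls"].append({"names": ["unshare"], "action": "SCMP_ACT_ALLOW",
                                "args": [narrowed]})
    return new

def clone_allowed(profile: dict, flags: int) -> bool:
    """Would this profile admit clone(flags)? (caps-conditional sections ignored)"""
    return any(all(masked_eq_allows(a, flags) for a in rule.get("args", []))
               for rule in profile["syscalls"]
               if "clone" in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW")

if __name__ == "__main__":  # write the profile for --security-opt seccomp=...
    with open("wec-seccomp.json", "w") as fh:
        json.dump(relaxed_profile(DEFAULT_PROFILE, SANDBOX_NS_FLAGS), fh, indent=2)
```

Run the image with docker run --security-opt seccomp=wec-seccomp.json -it wec bash; the host kernel must also permit unprivileged user namespaces. Unlike launching Chromium with --no-sandbox, this keeps its sandbox in place while visiting untrusted sites.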