GoogleChromeLabs / chrome-for-testing

https://googlechromelabs.github.io/chrome-for-testing/
Apache License 2.0

Running in sandbox fails because invalid name for chrome-sandbox in package #38

Open juhofriman opened 1 year ago

juhofriman commented 1 year ago

Hi! 👋

We switched our testing to use Chrome for Testing and noted a weird inconsistency. I thought this might be good to report here. I'm not sure if this is a bug or just some inconsistency or misconfiguration on our end.

The Problem

Running chrome for testing with sandbox fails with non root user.

Chrome is installed with @puppeteer/browsers as suggested here: https://developer.chrome.com/blog/chrome-for-testing/.

```
non_root_user $ ./google-chrome
...
[45:45:0807/062323.819853:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
```

We definitely do not want to live dangerously :)

STRACE tells us that chrome is trying to access chrome-sandbox binary.

```
[pid   217] access("/chrome/linux-115.0.5790.170/chrome-linux64/chrome-sandbox", F_OK) = -1 ENOENT (No such file or directory)
```

We noted that the package itself contains a binary named `chrome_sandbox` (with an underscore).

Our Workaround

Our workaround was simply to link the sandbox binary to the expected name. In the Dockerfile, something like the following:

```dockerfile
# Install chrome and chromedriver
RUN npx --yes @puppeteer/browsers install chrome@stable
RUN npx --yes @puppeteer/browsers install chromedriver@stable

# Symlink binaries
RUN ln -s $(find /chrome/linux* -name chrome) /usr/bin/google-chrome
RUN ln -s $(find /chromedriver/linux* -name chromedriver) /usr/bin/chromedriver

# Fix inconsistency with chrome-sandbox naming in the package, this should work even if package contains correct `chrome-sandbox`
RUN cd $(dirname $(find /chrome -name chrome_sandbox)) && ln chrome_sandbox chrome-sandbox; exit 0
# Make the sandbox helper setuid (mode 4755) so a non-root user can start the sandbox
RUN chmod 4755 $(find /chrome -name chrome-sandbox)
```

And after that our testing container works like a charm with sandboxed chrome installation.

Setting CHROME_DEVEL_SANDBOX doesn't seem to have an effect, but I understood that the CHROME_DEVEL_SANDBOX environment variable is only effective on development builds.

For running the container you also need --cap-add SYS_ADMIN.

I'm not sure if this is the correct place to report this, but I'm thinking that someone else also has a hard time using Chrome for Testing because of this, as it is not clear what the actual problem is without tracing the run.
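An added example, not part of the original issue or the project's code: a shell check that distinguishes the failure modes described above, so an image build can fail loudly instead of hiding the problem behind `exit 0` or `--no-sandbox`. The function name and return codes are made up for this example, and it assumes GNU `stat` on Linux.

```shell
#!/bin/sh
# Added example: audit the SUID sandbox helper in a Chrome for Testing
# directory. Hypothetical helper, not part of @puppeteer/browsers or Chrome.
# Return codes (chosen for this example):
#   0 helper usable
#   1 only chrome_sandbox present (the naming problem in this issue)
#   2 no sandbox helper at all
#   3 helper present but not root-owned with mode 4755
check_chrome_sandbox() {
    dir=$1
    helper="$dir/chrome-sandbox"      # name Chrome looked up in the strace output
    packaged="$dir/chrome_sandbox"    # name found in the package

    if [ ! -e "$helper" ]; then
        if [ -e "$packaged" ]; then
            echo "MISNAMED: found chrome_sandbox but not chrome-sandbox in $dir"
            return 1
        fi
        echo "MISSING: no sandbox helper in $dir"
        return 2
    fi

    # GNU stat: numeric owner uid and octal mode, following symlinks.
    set -- $(stat -L -c '%u %a' "$helper")
    uid=$1
    mode=$2
    if [ "$uid" != 0 ] || [ "$mode" != 4755 ]; then
        echo "UNSAFE: $helper has uid=$uid mode=$mode, expected uid=0 mode=4755"
        return 3
    fi

    echo "OK: $helper is root-owned with mode 4755"
    return 0
}
```

Calling `check_chrome_sandbox` on the directory that holds the `chrome` binary as the last build step makes the image build stop on any non-zero result.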

thiagowfx commented 1 year ago

Thank you for documenting your workaround! Keeping this as an issue for now, depending if there are more people affected we could look into documenting it in a more visible place.