We switched our testing to use Chrome for Testing and noted a weird inconsistency. I thought this might be good to report here. I'm not sure if this is a bug or just some inconsistency or misconfiguration on our end.
The Problem
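Running Chrome for Testing with the sandbox fails with a non-root user. Chrome is installed with @puppeteer/browsers as suggested here: https://developer.chrome.com/blog/chrome-for-testing/.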
non_root_user $ ./google-chrome
...
[45:45:0807/062323.819853:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
We definitely do not want to live dangerously :)
strace tells us that Chrome is trying to access the chrome-sandbox binary.
[pid 217] access("/chrome/linux-115.0.5790.170/chrome-linux64/chrome-sandbox", F_OK) = -1 ENOENT (No such file or directory)
We noted that the package itself contains a binary with the name chrome_sandbox (with an underscore).
Our Workaround
Our workaround was simply to link the sandbox binary with the expected name. In the Dockerfile, something like the following:
# Install chrome and chromedriver
RUN npx --yes @puppeteer/browsers install chrome@stable
RUN npx --yes @puppeteer/browsers install chromedriver@stable
# Symlink binaries
RUN ln -s $(find /chrome/linux* -name chrome) /usr/bin/google-chrome
RUN ln -s $(find /chromedriver/linux* -name chromedriver) /usr/bin/chromedriver
# Fix inconsistency with chrome-sandbox naming in the package, this should work even if package contains correct `chrome-sandbox`
RUN cd $(dirname $(find /chrome -name chrome_sandbox)) && ln chrome_sandbox chrome-sandbox; exit 0
RUN chmod 4755 $(find /chrome -name chrome-sandbox)
And after that our testing container works like a charm with sandboxed chrome installation.
Setting CHROME_DEVEL_SANDBOX doesn't seem to have an effect, but I understood that the CHROME_DEVEL_SANDBOX environment variable is only effective on development builds.
For running the container you also need --cap-add SYS_ADMIN.
I'm not sure if this is the correct place to report this, but I'm thinking that someone else also has a hard time using Chrome for Testing because of this, as it is not clear what the actual problem is without tracing the run.
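A preflight check for the condition described in the report above, so the cause is visible without running strace. This is an added example, not part of the original report or of the Chrome or Puppeteer projects; the function name and status words are hypothetical, it assumes GNU `stat`, and the root-owner check follows from how setuid binaries work rather than from anything stated in the report.

```shell
#!/bin/sh
# Added example: preflight check for Chrome's SUID sandbox helper.
# Usage: sh check-sandbox.sh /chrome/linux-<version>/chrome-linux64

# Prints one status word and returns 0 only when the helper is usable:
#   ok | misnamed | missing | bad-mode | bad-owner
check_sandbox_helper() {
    dir=$1
    helper="$dir/chrome-sandbox"      # name Chrome looks up (see the strace line)
    packaged="$dir/chrome_sandbox"    # name found in the package (per the report)

    if [ ! -e "$helper" ]; then
        if [ -e "$packaged" ]; then
            echo misnamed             # only the underscore name exists
        else
            echo missing
        fi
        return 1
    fi

    # GNU stat: %a = octal mode, %u = owner uid; -L follows a symlink
    mode=$(stat -L -c '%a' "$helper")
    owner=$(stat -L -c '%u' "$helper")

    if [ "$mode" != "4755" ]; then
        echo bad-mode                 # the workaround sets exactly 4755
        return 1
    fi
    if [ "$owner" != "0" ]; then
        echo bad-owner                # setuid only grants root if root owns the file
        return 1
    fi
    echo ok
}

# Run as a script only when a directory is passed.
if [ "$#" -gt 0 ]; then
    check_sandbox_helper "$1"
    exit $?
fi
```

Running it as the last `RUN` step of the image build makes the build fail early on `misnamed` or `bad-mode` instead of failing later at browser start.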
Thank you for documenting your workaround! Keeping this as an issue for now, depending if there are more people affected we could look into documenting it in a more visible place.