plotly / orca

Command line application for generating static images of interactive plotly charts
MIT License

Sandbox error in Orca 1.3.0 #294

Closed kordian2k closed 4 years ago

kordian2k commented 4 years ago
[18:0313/185321.369451:FATAL:atom_main_delegate.cc(210)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
/bin/bash: line 1:    18 Trace/breakpoint trap   (core dumped) orca --help

Is there any workaround or did I miss anything?

The dockerfile.txt:

FROM ubuntu

ARG ANACONDA_INSTALL_URL=https://repo.anaconda.com/archive/Anaconda3-2019.10-Linux-x86_64.sh
ARG PLOTLY_ORCA_VERSION

RUN apt-get update --fix-missing && \
    # Install Orca dependencies
    apt-get install --no-install-recommends -y \
     ca-certificates curl chromium-browser libgtk2.0-0 libgconf-2-4 xvfb && \
    apt-get clean && \
    #
    # Install Anaconda 3 2019.10 X86-64
    curl ${ANACONDA_INSTALL_URL} -o /anaconda.sh && \
    mkdir ~/.conda && \
    /bin/bash /anaconda.sh -b -p /opt/conda && \
    rm /anaconda.sh && \
    ln -s /opt/conda/etc/profile.d/conda.sh /etc/profile.d/conda.sh && \
    . /opt/conda/etc/profile.d/conda.sh && \
    conda activate base && \
    find /opt/conda/ -follow -type f -name '*.a' -delete && \
    find /opt/conda/ -follow -type f -name '*.js.map' -delete && \
    #
    # Install Plotly and Plotly Orca
    conda install -y plotly && \
    conda install -y -c plotly plotly-orca${PLOTLY_ORCA_VERSION} && \
    /opt/conda/bin/conda clean -afy 

ENTRYPOINT ["/bin/bash", "-c"]
CMD ["source /opt/conda/etc/profile.d/conda.sh; conda activate base; orca --help"]

antoinerg commented 4 years ago

@kordian2k it seems like you're hitting a new security measure introduced in more recent versions of electron which discourage running an app as root. Can you run Orca as another user?

kordian2k commented 4 years ago

@antoinerg Thanks for the quick reply. If I run the above image as another user, e.g. sudo docker run --rm -u daemon orca-test I get the following error:

[16:0319/131859.784153:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/conda/lib/orca_app/chrome-sandbox is owned by root and has mode 4755.
/bin/bash: line 1:    16 Trace/breakpoint trap   (core dumped) orca --help

Setting the mode of /opt/conda/lib/orca_app/chrome-sandbox to 4755 as indicated by the error message and running orca --help as the daemon user throws the following error:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap (core dumped)

This error can be avoided by running the image in --privileged mode which is no option for me. Is there another way to fix this issue? Is it possible to run Orca w/ the --no-sandbox option?

antoinerg commented 4 years ago

@kordian2k thank you for following up. Running orca with --no-sandbox flag seems to resolve the issue. This argument is supposed to be added automatically: https://github.com/plotly/orca/blob/577bc014029190da6629adac0c2a55782bd48a03/bin/orca.js#L13 but somehow it didn't find its way into the executable published in conda.

EDIT: See this for more info about the issue at hand: https://github.com/electron/electron/issues/17972

antoinerg commented 4 years ago

@jonmmease I thought the executable built for conda release would reuse bin/orca.js. Is that really the case?

jonmmease commented 4 years ago

Is that really the case?

As I recall, the conda package uses the executable from the AppImage build after it has been extracted.

I would have thought that would use orca.js under the hood, but I don't know off hand.

antoinerg commented 4 years ago

It turns out that the electron-builder actually creates an AppImage which runs orca_electron.js, not orca.js: https://github.com/plotly/orca/blob/577bc014029190da6629adac0c2a55782bd48a03/package.json#L6-L9

Someone using the Linux AppImage will have to specify --no-sandbox when running as root. In the case of Conda packages, adding --no-sandbox to this line may work: https://github.com/plotly/orca/blob/577bc014029190da6629adac0c2a55782bd48a03/recipe/bin/orca#L7
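The thread above walks through three distinct Chromium/Electron sandbox failures (root without `--no-sandbox`, a setuid helper that is not root-owned with mode 4755, and namespace creation denied inside the container). The following POSIX shell script is an added example, not code from the plotly/orca project or from anyone in this thread: it classifies those three messages from a log line, checks the `chrome-sandbox` helper the way the second error asks for, and decides which launch flag to use so that `--no-sandbox` is the fallback rather than `--privileged`. The function names, the `probe_namespaces` helper and the use of GNU `stat` and util-linux `unshare` are assumptions of this example; the sample log lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from plotly/orca): diagnose Chromium sandbox failures
# seen when running orca in a container and pick the least-privileged fix.

# classify_sandbox_error LINE -> one of:
#   root-no-sandbox       Electron refuses to sandbox when running as uid 0
#   helper-misconfigured  chrome-sandbox is not root-owned / not mode 4755
#   namespace-blocked     clone() with namespace flags returned EPERM, which
#                         is what a restrictive container seccomp/capability
#                         setup produces (the case that led to --privileged)
#   unknown
classify_sandbox_error() {
  case "$1" in
    *"Running as root without --no-sandbox"*)                      echo root-no-sandbox ;;
    *"SUID sandbox helper binary was found, but is not configured"*) echo helper-misconfigured ;;
    *"Failed to move to new namespace"*)                            echo namespace-blocked ;;
    *)                                                              echo unknown ;;
  esac
}

# helper_status UID MODE -> "ok" only for the configuration the error message
# demands: owned by root (uid 0) and setuid root with mode 4755.
helper_status() {
  if [ "$1" = "0" ] && [ "$2" = "4755" ]; then echo ok; else echo bad; fi
}

# check_helper PATH -> ok | bad | missing, using GNU stat (assumed available)
check_helper() {
  if [ ! -e "$1" ]; then echo missing; return 0; fi
  helper_status "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# probe_namespaces -> yes | no; tries the PID+network namespace clone that the
# setuid sandbox performs, without touching orca itself (util-linux assumed).
probe_namespaces() {
  if unshare --pid --fork --net true 2>/dev/null; then echo yes; else echo no; fi
}

# choose_launch_args UID HELPER_STATUS NS_OK -> extra argument for orca.
# Keep the sandbox whenever it can actually run; --no-sandbox removes
# Chromium's renderer isolation, leaving the container as the only boundary.
choose_launch_args() {
  if [ "$1" = "0" ]; then
    echo "--no-sandbox"          # sandbox unsupported as root (crbug.com/638180)
  elif [ "$2" = "ok" ] && [ "$3" = "yes" ]; then
    echo ""                      # non-root, helper correct, namespaces allowed
  else
    echo "--no-sandbox"          # helper or namespaces unusable: documented fallback
  fi
}

# classify_lines reads log lines on stdin and prints "<class>\t<line>".
classify_lines() {
  while IFS= read -r line; do
    printf '%s\t%s\n' "$(classify_sandbox_error "$line")" "$line"
  done
}

# Demo over the three messages quoted in the thread (constructed input).
main() {
  cat <<'EOF' | classify_lines
[18:0313/185321.369451:FATAL:atom_main_delegate.cc(210)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
[16:0319/131859.784153:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/conda/lib/orca_app/chrome-sandbox is owned by root and has mode 4755.
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
EOF
  helper=$(check_helper /opt/conda/lib/orca_app/chrome-sandbox)
  ns=$(probe_namespaces)
  printf 'uid=%s helper=%s namespaces=%s -> orca %s\n' \
    "$(id -u)" "$helper" "$ns" "$(choose_launch_args "$(id -u)" "$helper" "$ns")"
}

[ "${ORCA_DIAG_NO_MAIN:-}" = "1" ] || main
```

Used as an entrypoint wrapper, the decision logic keeps the sandbox for a dedicated non-root user whose helper is correctly installed and whose container allows the namespace clone, and only then degrades to `--no-sandbox`; running the image as a non-root user is worthwhile in every branch, since `--no-sandbox` alone does not make the process any less privileged.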