siomiz / chrome

Docker Automated Build Repository for siomiz/chrome -- Google Chrome via VNC (or via Chrome Remote Desktop)
https://hub.docker.com/r/siomiz/chrome/
MIT License

Warning message about unsupported command-line flag --no-sandbox #18

Closed jeffbrl closed 4 years ago

jeffbrl commented 4 years ago

Chrome displays a warning about the --no-sandbox flag. Browser tabs are crashing frequently with the "Aww, snap" error.

siomiz commented 4 years ago

Unless you want to mess with the kernel user_namespaces, Chrome inside a Docker container requires the --no-sandbox arg. Without it Chrome will exit with:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

For the latter part, please consult the supervisor log from the failing container /tmp/chrome-stderr---supervisor-<random>.log and create a new issue with it. I'm closing this one.

jeffbrl commented 4 years ago

Got it. Thanks, @siomiz.

mtzro2003 commented 3 years ago

I got rid of the unsupported command line flag by adding --test-type to entrypoint.sh --> see https://github.com/GoogleChrome/chrome-launcher/blob/master/docs/chrome-flags-for-tools.md

siomiz commented 3 years ago

Interesting... thanks for the info. It is (obviously) for browser testing but the browser remains fully functional for end users? I would like to investigate the consequences a bit further...

mtzro2003 commented 3 years ago

> the browser remains fully functional for end users?

For me, the browser works flawlessly.

siomiz commented 3 years ago

I was curious about what --test-type does in terms of browser security... (--no-sandbox alone is probably "bad" enough but)

Like here, some "test only" APIs are enabled when --test-type is added: https://source.chromium.org/chromium/chromium/src/+/main:extensions/renderer/script_context.cc;l=309-316

  if (base::StartsWith(api_name, "test", base::CompareCase::SENSITIVE)) {
    bool allowed = base::CommandLine::ForCurrentProcess()->
                       HasSwitch(::switches::kTestType);
    Feature::AvailabilityResult result =
        allowed ? Feature::IS_AVAILABLE : Feature::MISSING_COMMAND_LINE_SWITCH;
    return Feature::Availability(result,
                                 allowed ? "" : "Only allowed in tests");
  }

It skips some sanity checks: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ash/login/users/chrome_user_manager_impl.cc;l=275-277

void CheckProfileForSanity() {
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(::switches::kTestType))
    return;

Some extensions may not work: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/extensions/component_loader.cc;l=513-520

  // Component extensions with background pages are not enabled during tests
  // because they generate a lot of background behavior that can interfere.
  if (!enable_background_extensions_during_testing &&
      (command_line->HasSwitch(::switches::kTestType) ||
       command_line->HasSwitch(
           ::switches::kDisableComponentExtensionsWithBackgroundPages))) {
    return;
  }

So it's kinda affecting how things work in the browser. Not sure if the merit of warning removal outweighs those.
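The thread above shows that --test-type hides the --no-sandbox warning while changing browser behaviour, so the warning bar can no longer be relied on to reveal a sandbox-less Chrome. The script below is an added example, not part of this thread or of the siomiz/chrome repository: it audits Chrome command lines in /proc/<pid>/cmdline format for both switches. The function names and the finding texts are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the siomiz/chrome repository.
# audit_cmdline FILE
#   FILE uses the /proc/<pid>/cmdline layout (argv joined by NUL bytes).
#   Prints one finding per risky switch; returns 1 if any, 0 if none.
audit_cmdline() {
    findings=$(tr '\0' '\n' < "$1" | awk '
        NR == 1 { next }                        # argv[0] is the binary path
        /^--type=/ { child = 1 }                # renderer/GPU/utility helper
        $0 == "--no-sandbox" { ns = 1 }         # exact match only
        $0 == "--test-type" || /^--test-type=/ { tt = 1 }
        END {
            if (child) exit                     # report the browser process once
            if (ns) print "--no-sandbox: Chrome sandbox is disabled"
            if (tt) print "--test-type: test-only behaviour on, --no-sandbox warning hidden"
        }')
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# scan_proc: audit every process whose argv[0] mentions "chrome".
scan_proc() {
    rc=0
    for f in /proc/[0-9]*/cmdline; do
        argv0=$(tr '\0' '\n' 2>/dev/null < "$f" | head -n 1)
        case "$argv0" in *chrome*) ;; *) continue ;; esac
        if ! out=$(audit_cmdline "$f" 2>/dev/null); then
            pid=${f#/proc/}; pid=${pid%/cmdline}
            printf 'pid %s:\n%s\n' "$pid" "$out"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--scan" ]; then scan_proc; fi
```

Run it with `--scan` inside the container (for example through `docker exec`) to list browser processes started with either switch; a non-zero exit status means at least one was found.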