speced / respec

A tool for creating technical documents and web standards
https://respec.org/

Sandboxing issue in Ubuntu 24.04 #4718

Closed pchampin closed 4 months ago

pchampin commented 4 months ago

Since I upgraded to Ubuntu 24.04, the command-line version of respec is not working. I found a workaround, but I need help to propose a more sustainable solution.

Description of problem

Running respec in the command line, I get the following error message:

[FATAL] Error: Failed to launch the browser process!
[257756:257756:0523/090825.033795:FATAL:zygote_host_impl_linux.cc(127)] No
usable sandbox! Update your kernel or see https://chromium.googlesource.com/
chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information
on developing with the SUID sandbox. If you want to live dangerously and need an
immediate workaround, you can try using --no-sandbox.

TROUBLESHOOTING: https://pptr.dev/troubleshooting

    at ChildProcess.onClose (file:///home/pa/.nvm/versions/node/v18.17.1/lib/node_modules/respec/node_modules/@puppeteer/browsers/lib/esm/launch.js:258:24)
    at ChildProcess.emit (node:events:526:35)
    at ChildProcess._handle.onexit (node:internal/child_process:291:12)

Workaround

Here is the part of the Ubuntu 24.04 release notes that seems to be relevant:

https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

The following workaround did the trick:

echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns

but it affects all applications on the system, so that's not ideal.

It seems that if Respec was running chromium with the --no-sandbox option, this would solve the problem. (Note that I had a similar issue with an Electron-based application, and using the --no-sandbox option did solve the problem.)

sidvishnoi commented 4 months ago

@pchampin There's a --disable-sandbox option in respec CLI that maps to puppeteer --no-sandbox. If that works for you, we can perhaps make that the default way forward.

pchampin commented 4 months ago

There's a --disable-sandbox option in respec CLI

Aaaaahhhh! Any reason for not calling it --no-sandbox, then? :wink:

It would make sense as the error message explicitly suggests this: you can try using --no-sandbox.

sidvishnoi commented 4 months ago

Aaaaahhhh! Any reason for not calling it --no-sandbox, then? 😉

😆 Will add alias in CLI. We had disableGPU which mapped to Chrome's --disable-gpu flag, so likely used for consistency.


Not sure if we should use --no-sandbox always, given docs say:

Running without a sandbox is strongly discouraged. Consider configuring a sandbox instead.

Opinions @marcoscaceres?

I'd set this in spec-prod though (as it uses ubuntu-latest, which will soon map to ubuntu-24.04 there), if it errors there.

marcoscaceres commented 4 months ago

Can we switch spec-prod to run on macOS temporarily? Running without sandbox sounds scary.

marcoscaceres commented 4 months ago

And yeah, I guess it's ok to add an option for cli.
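
The sysctl workaround in the first post lifts the restriction for every application, and --no-sandbox removes Chromium's sandbox entirely; a narrower option on Ubuntu 24.04 is an AppArmor profile that allows user namespaces for the one Chromium binary only. The following is an added example, not part of the thread or the respec project; the profile name respec-chrome and the binary path are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not respec code. Scoped alternative to disabling
# kernel.apparmor_restrict_unprivileged_userns for every application.

# Succeeds when the restriction is active (file contains 1). The path is a
# parameter so the check can be pointed at a constructed file when testing.
userns_restricted() {
  f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints an AppArmor 4.0 profile that grants user-namespace creation to one
# binary and otherwise leaves it unconfined, so Chromium keeps its sandbox.
# $1 = profile name (hypothetical, e.g. respec-chrome), $2 = absolute path.
userns_profile() {
  name="$1"; bin="$2"
  case "$name" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid profile name: $name" >&2; return 1 ;;
  esac
  # Reject relative paths and any glob or whitespace character: the attachment
  # must match exactly one binary, not a pattern that widens the exemption.
  case "$bin" in
    ''|[!/]*|*[!A-Za-z0-9_./-]*) echo "unsafe binary path: $bin" >&2; return 1 ;;
  esac
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $bin flags=(unconfined) {
  userns,
  include if exists <local/$name>
}
EOF
}

# Usage sketch (review the generated profile before loading it):
#   userns_restricted && userns_profile respec-chrome /abs/path/to/chrome \
#     | sudo tee /etc/apparmor.d/respec-chrome
#   sudo apparmor_parser -r /etc/apparmor.d/respec-chrome
```

The profile has to name the Chromium binary that Puppeteer actually launches, and it needs regenerating if that path changes after a browser update.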