I just spun up the chromium image. I tried Running/Building from c9, and there was "no work to do". Good!
In VNC I ran ./out/Default/chrome but it failed:
user@f2a2dc325886:~/chromium/src ((465b457f155c...)) $ ./out/Default/chrome
[1226:1226:0905/170653.196176:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
<snip>
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Running with --no-sandbox does succeed, although this isn't recommended.
Thanks a lot for filing this issue and linking to useful docs! We're definitely interested in supporting browser sandboxes (as long as we don't have to make our containers extremely unsafe), so let's figure out what needs to be done here.
We can easily install any missing dependencies (by adding them to chromium.dockerfile), but what might be less easy is figuring out what Docker capabilities and syscalls need to be enabled, and if that's a reasonable security compromise.
Issue #232 may have some insight into what capabilities and syscalls browser sandboxes need to work.
In #315 we're pretty close to knowing what should be enabled to make advanced debuggers like rr work, and we're one seccomp profile fork away from implementing the fix (we basically need to deviate slightly from Docker's "sensible security defaults", while making sure that we're not making a terrible mistake).
https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md has the most decent docs on this topic. It seems to be an issue with some system deps not being installed and thus preventing use of the sandbox.
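For the capabilities and syscalls question raised in the reply above, a small diagnostic (an added example, not code from this issue or from the project) that reads a `/proc/<pid>/status` file and reports the seccomp mode, whether `no_new_privs` would neutralise a setuid helper, and whether `CAP_SYS_ADMIN` is in the bounding set. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the process attributes that bear on sandbox start-up.
CAP_SYS_ADMIN_BIT=21    # bit number from linux/capability.h

# status_field FILE NAME -> value of the "NAME:<tab>value" line
status_field() {
    awk -F':[ \t]*' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# has_cap HEXMASK BIT -> succeeds when BIT is set in the capability mask
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# sandbox_report [FILE] -> one key=value line per attribute
sandbox_report() {
    f=${1:-/proc/self/status}
    case $(status_field "$f" Seccomp) in
        0) echo "seccomp=disabled" ;;
        1) echo "seccomp=strict" ;;
        2) echo "seccomp=filter" ;;   # a seccomp profile is filtering syscalls
        *) echo "seccomp=unknown" ;;
    esac
    # With no_new_privs set the kernel ignores setuid bits on exec,
    # so a setuid helper cannot gain privileges.
    if [ "$(status_field "$f" NoNewPrivs)" = 1 ]; then
        echo "suid_helper=blocked_by_no_new_privs"
    else
        echo "suid_helper=not_blocked"
    fi
    # Docker's default seccomp profile gates namespace-creating calls
    # (unshare, setns, clone with CLONE_NEW* flags) on CAP_SYS_ADMIN.
    if has_cap "$(status_field "$f" CapBnd)" "$CAP_SYS_ADMIN_BIT"; then
        echo "cap_sys_admin=in_bounding_set"
    else
        echo "cap_sys_admin=dropped"
    fi
}

# Constructed sample in /proc/<pid>/status format (not captured from the issue's container).
write_sample_status() {
    printf 'Name:\tchrome\nNoNewPrivs:\t0\nSeccomp:\t2\nCapBnd:\t00000000a80425fb\n' > "$1"
}

sample=$(mktemp) && write_sample_status "$sample" && sandbox_report "$sample"
rm -f "$sample"
```

Inside the container, calling `sandbox_report` with no argument inspects `/proc/self/status` instead of the sample.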