This repository has been archived by the owner on Jul 22, 2023. It is now read-only.

Chrome Headless fails due to sandbox issues #32

Closed

@robie2011
Author

If I execute as a non-root user then I have a permission error. If I execute as root, then this --no-sandbox message pops up.

Reproduce with docker run --rm -it -v/tmp:/tmp2 debian bash:

apt-get -qq update
apt-get -qq install curl nano
apt-get -qq install gnupg2
curl -sL https://deb.nodesource.com/setup_8.x | bash -
apt-get -qq install -y nodejs

#yarn
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg |  apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
apt-get -qq update
apt-get -qq install -y nano yarn

yarn add mermaid.cli

# error:
# /node_modules/puppeteer/.local-chromium/linux-549031/chrome-linux/chrome: error while loading shared libraries: libX11.so.6: cannot open shared object file: No such file or directory
apt-get install -y gconf-service libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils wget

# temporary fix:
# sed -i "62i puppeteerConfig.args = ['--no-sandbox'];\r\n" /node_modules/mermaid.cli/index.bundle.js

@tylerlong
Contributor

tylerlong commented Apr 16, 2018

Please read this thread: #16 (comment)

Try to install the package locally instead of globally. There is also a working example for Ubuntu, which is very similar to Debian.

@robie2011
Author

@tylerlong
Now I have installed this package locally on the latest Ubuntu image for Docker.
If I run it as the root user, I'm getting this sandbox error.

root@9976da507e91:/tmp# ./node_modules/.bin/mmdc -i flowchart.mmd 
(node:8281) UnhandledPromiseRejectionWarning: Error: Failed to launch chrome!
[0416/092218.828861:ERROR:zygote_host_impl_linux.cc(88)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.


TROUBLESHOOTING: https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md

    at onClose (/tmp/node_modules/puppeteer/lib/Launcher.js:255:14)
    at Interface.helper.addEventListener (/tmp/node_modules/puppeteer/lib/Launcher.js:244:50)
    at emitNone (events.js:111:20)
    at Interface.emit (events.js:208:7)
    at Interface.close (readline.js:370:8)
    at Socket.onend (readline.js:149:10)
    at emitNone (events.js:111:20)
    at Socket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
(node:8281) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:8281) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

This makes sense. It's a security issue.

So I've created a new user, installed mermaid.cli again locally, and then I'm getting this error ...

ubuntu@9976da507e91:~$ ./node_modules/.bin/mmdc -i /tmp/flowchart.mmd 
(node:8191) UnhandledPromiseRejectionWarning: Error: Failed to launch chrome!
[0416/091938.210735:FATAL:zygote_host_impl_linux.cc(124)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x562562fbcb0c base::debug::StackTrace::StackTrace()
#1 0x562562fd5780 logging::LogMessage::~LogMessage()
#2 0x5625620652b1 content::ZygoteHostImpl::Init()
#3 0x562561cd7c65 content::BrowserMainLoop::EarlyInitialization()
#4 0x562561cdda69 content::BrowserMainRunnerImpl::Initialize()
#5 0x562566e079a8 headless::HeadlessContentMainDelegate::RunProcess()
#6 0x562562cf7a00 content::RunNamedProcessTypeMain()
#7 0x562562cf82e8 content::ContentMainRunnerImpl::Run()
#8 0x562562d01f24 service_manager::Main()
#9 0x562562cf6f14 content::ContentMain()
#10 0x562566e069b9 headless::(anonymous namespace)::RunContentMain()
#11 0x562566e06a42 headless::HeadlessBrowserMain()
#12 0x562562cfef9d headless::HeadlessShellMain()
#13 0x56256135d1ac ChromeMain
#14 0x7f91e54c2830 __libc_start_main
#15 0x56256135d02a _start

Received signal 6
#0 0x562562fbcb0c base::debug::StackTrace::StackTrace()
#1 0x562562fbc671 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f91eb40a390 <unknown>
#3 0x7f91e54d7428 gsignal
#4 0x7f91e54d902a abort
#5 0x562562fbb105 base::debug::BreakDebugger()
#6 0x562562fd5bca logging::LogMessage::~LogMessage()
#7 0x5625620652b1 content::ZygoteHostImpl::Init()
#8 0x562561cd7c65 content::BrowserMainLoop::EarlyInitialization()
#9 0x562561cdda69 content::BrowserMainRunnerImpl::Initialize()
#10 0x562566e079a8 headless::HeadlessContentMainDelegate::RunProcess()
#11 0x562562cf7a00 content::RunNamedProcessTypeMain()
#12 0x562562cf82e8 content::ContentMainRunnerImpl::Run()
#13 0x562562d01f24 service_manager::Main()
#14 0x562562cf6f14 content::ContentMain()
#15 0x562566e069b9 headless::(anonymous namespace)::RunContentMain()
#16 0x562566e06a42 headless::HeadlessBrowserMain()
#17 0x562562cfef9d headless::HeadlessShellMain()
#18 0x56256135d1ac ChromeMain
#19 0x7f91e54c2830 __libc_start_main
#20 0x56256135d02a _start
[end of stack trace]
Calling _exit(1). Core file will not be generated.


TROUBLESHOOTING: https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md

    at onClose (/home/ubuntu/node_modules/puppeteer/lib/Launcher.js:255:14)
    at Interface.helper.addEventListener (/home/ubuntu/node_modules/puppeteer/lib/Launcher.js:244:50)
    at emitNone (events.js:111:20)
    at Interface.emit (events.js:208:7)
    at Interface.close (readline.js:370:8)
    at Socket.onend (readline.js:149:10)
    at emitNone (events.js:111:20)
    at Socket.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
(node:8191) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:8191) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Adding this resolves the issue. But I see this is a security problem.

sed -i "62i puppeteerConfig.args = ['--no-sandbox'];\r\n" node_modules/mermaid.cli/index.bundle.js

@tylerlong
Contributor

Thank you for the detailed explanation. I will keep this PR open for now.

@tylerlong
Contributor

tylerlong commented Apr 28, 2018

https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#chrome-headless-fails-due-to-sandbox-issues

You can see that there are 3 solutions to the problem. Disabling sandbox is the least recommended one.

A much better solution is to update the kernel.

I will close this issue for now.

@tylerlong
Contributor

I think you can disable sandbox by -p --puppeteerConfigFile [puppeteerConfigFile]
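
The two failures in this thread (root without --no-sandbox, and "No usable sandbox!" as an unprivileged user) can be told apart before launching Chrome. The script below is an added example, not code from this thread or from mermaid.cli; the function names are hypothetical, and it assumes util-linux `unshare`, GNU `stat`, and a setuid helper path supplied through `CHROME_DEVEL_SANDBOX`.

```shell
#!/bin/sh
# Added example (not from the thread): decide which Chromium sandbox layer,
# if any, is usable for the current user. Inputs are explicit so the decision
# logic can be exercised without a real host.

# sandbox_verdict UID USERNS HELPER_OWNER HELPER_MODE
#   USERNS       yes|no - could an unprivileged process create a user namespace?
#   HELPER_OWNER owner uid of the setuid helper, or "none" when not configured
#   HELPER_MODE  octal mode of the helper (e.g. 4755), or "none"
# Prints one of: root | namespace | setuid | none
sandbox_verdict() (
  uid=$1 userns=$2 owner=$3 mode=$4
  if [ "$uid" -eq 0 ]; then
    echo root        # "Running as root without --no-sandbox is not supported"
  elif [ "$userns" = yes ]; then
    echo namespace   # the namespace sandbox should be able to start
  elif [ "$owner" = 0 ] && [ "$mode" = 4755 ]; then
    echo setuid      # helper is root-owned with mode 4755
  else
    echo none        # "No usable sandbox!"
  fi
)

# probe_host: gather the four inputs from the running system.
# Assumption: the helper path comes from CHROME_DEVEL_SANDBOX, the variable
# named in Chromium's SUID sandbox development document.
probe_host() (
  userns=no owner=none mode=none
  helper=${CHROME_DEVEL_SANDBOX:-}
  # Try the operation itself: a sysctl can look permissive while a container
  # seccomp profile still denies creating user namespaces.
  if unshare --user true 2>/dev/null; then userns=yes; fi
  if [ -n "$helper" ] && [ -e "$helper" ]; then
    owner=$(stat -c %u "$helper")
    mode=$(stat -c %a "$helper")
  fi
  sandbox_verdict "$(id -u)" "$userns" "$owner" "$mode"
)

case $(probe_host) in
  root)      echo "running as root: switch to an unprivileged user" ;;
  namespace) echo "user namespaces available: sandbox should start" ;;
  setuid)    echo "setuid helper configured: sandbox should start" ;;
  none)      echo "no sandbox layer usable: fix kernel/container settings or the helper" ;;
esac
```

Run inside the same container and as the same user that will invoke mmdc, since both the uid and the container's seccomp policy affect the result.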
