Commit

ci: disable AppArmor restrictions on Ubuntu and update troubleshooting.md (#13196)
OrKoN authored Oct 16, 2024
1 parent 19dd9c3 commit 3984449
Showing 4 changed files with 34 additions and 0 deletions.
17 changes: 17 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -134,6 +134,8 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
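Review bot: The `Disable AppArmor` step in this hunk has no `if: ${{ matrix.os == 'ubuntu-latest' }}` guard, unlike the other steps this commit adds to ci.yml. If this job ever runs on a non-Ubuntu runner, the write to /proc/sys/kernel/apparmor_restrict_unprivileged_userns will fail it, so either add the guard or leave a YAML comment stating that the job is Ubuntu-only. The step name also overstates the change: AppArmor stays enabled and only the unprivileged user namespace restriction is cleared, so a name such as `Disable AppArmor userns restriction` would describe it accurately.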
Expand Down Expand Up @@ -183,6 +185,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
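Review bot: The guard `matrix.os == 'ubuntu-latest'` is an exact string match, so if the matrix is later pinned to a versioned label (for example `ubuntu-24.04`) this step is skipped silently and the `No usable sandbox!` failure comes back with no hint why. Consider `if: ${{ runner.os == 'Linux' }}` or `if: ${{ startsWith(matrix.os, 'ubuntu') }}`, which survive a label change.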
Expand Down Expand Up @@ -262,6 +267,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
Expand Down Expand Up @@ -328,6 +336,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
Expand Down Expand Up @@ -461,6 +472,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
Expand Down Expand Up @@ -510,6 +524,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
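Review bot: This is the sixth copy of the same `Disable AppArmor` step in ci.yml, and none of them carries a comment saying why a kernel hardening knob is being turned off. Moving the step into one local composite action (or at least adding a one-line YAML comment that links to the Chromium apparmor-userns-restrictions.md document cited in docs/troubleshooting.md) would keep the sysctl path and the rationale in a single place, and would make it easier to drop the workaround later.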
6 changes: 6 additions & 0 deletions .github/workflows/daily.yml
Expand Up @@ -44,6 +44,9 @@ jobs:
with:
cache: npm
node-version-file: '.nvmrc'
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Install dependencies
run: npm ci
env:
Expand Down Expand Up @@ -111,6 +114,9 @@ jobs:
run: npm ci
env:
PUPPETEER_SKIP_DOWNLOAD: true
- name: Disable AppArmor
if: ${{ matrix.os == 'ubuntu-latest' }}
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
# Set up GitHub Actions caching for Wireit.
- uses: google/wireit@eea3c9f0385a39e6eb4ff6a6daa273311381d436 # setup-github-actions-caching/v2.0.2
- name: Build packages
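Review bot: In this hunk the `Disable AppArmor` step is placed after `Install dependencies`, whereas every other hunk in the commit inserts it before that step. Nothing in the visible lines launches a browser before it, so the ordering works, but moving it directly after the Node setup like the other jobs would keep the workflows uniform and avoid a surprise if the install step ever starts a browser.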
2 changes: 2 additions & 0 deletions .github/workflows/devtools.yml
Expand Up @@ -54,6 +54,8 @@ jobs:
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: puppeteer-build
- name: Disable AppArmor
run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
- name: Checkout depot_tools
run: git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
- name: Add depot_tools to path
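Review bot: The write in the `run:` line assumes /proc/sys/kernel/apparmor_restrict_unprivileged_userns exists; on a runner image whose kernel does not expose that knob, `tee` exits non-zero and the job fails before any test runs. A guard such as `test -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns` in front of the write, or an explicit `if:` on the step as in the other workflows, would make the step a no-op where the restriction is absent.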
9 changes: 9 additions & 0 deletions docs/troubleshooting.md
Expand Up @@ -230,6 +230,15 @@ For this to work properly, the host should be configured first. If there's no
good sandbox for Chrome to use, it will crash with the error
`No usable sandbox!`.

Ubuntu 23.10+ (or possibly other Linux distros in the future) ship an
AppArmor profile that applies to Chrome stable binaries installed at
/opt/google/chrome/chrome (the default installation path). This policy
is stored at /etc/apparmor.d/chrome. This AppArmor policy prevents
Chrome for Testing binaries downloaded by Puppeteer from using user namespaces
resulting in the `No usable sandbox!` error when trying to launch the
browser. For workarounds, see
https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md

If you **absolutely trust** the content you open in Chrome, you can launch
Chrome with the `--no-sandbox` argument:
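Review bot: The new paragraph says the profile applies to /opt/google/chrome/chrome and then that it prevents Chrome for Testing from using user namespaces, without stating the connecting step that binaries at other paths are not covered by that profile; one sentence making that explicit would help readers understand why only the Puppeteer-downloaded binary fails. Formatting points in the same paragraph: the two paths should be in backticks like `No usable sandbox!`, the bare URL should be a Markdown link, and a comma is missing before "resulting". Since the paragraph sits directly above the `--no-sandbox` advice, it is also worth saying that the linked workarounds should be tried before dropping the sandbox.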
