Docker/Selenium/Headless Chrome: Configure SUID sandbox correctly
Try to include --no-sandbox
chromeOptions: { args: ['--headless', '--disable-gpu', '--no-sandbox']},
As I'm doing at docker-selenium
This error message...
[1003/144118.702053:ERROR:nacl_helper_linux.cc(310)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly
...implies that you have no setuid sandbox in your system, hence the program was unable to initiate/spawn a new Browsing Context i.e. Chrome Browser session.
Solution
The easiest (not so clean) solution is, if you want to run Chrome and only use the namespace sandbox, you can set the flag:
--disable-setuid-sandbox
This flag will disable the setuid sandbox (Linux only). But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will not spin up. As an alternative you can also use the flag:
--no-sandbox
This flag will disable the sandbox for all process types that are normally sandboxed.
Example:
chromeOptions: { args: ['--disable-setuid-sandbox', '--no-sandbox']},
You can find a detailed discussion in Security Considerations - ChromeDriver - Webdriver for Chrome
Deep dive
As per the documentation in Linux SUID Sandbox Development, google-chrome needs a SUID helper binary to turn on the sandbox on Linux. In the majority of cases you can install the proper sandbox using the command:
build/update-linux-sandbox.sh
This program will install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if required.
However, there can be some exceptions. As an example, if your setuid binary is out of date, you will get messages such as:
NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly
Or
Running without the SUID sandbox!
In these cases, you need to:
- Build chrome_sandbox whenever you build chrome (ninja -C xxx chrome chrome_sandbox instead of ninja -C xxx chrome)
- After building, execute update-linux-sandbox.sh.
# needed if you build on NFS!
sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox
sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
Finally, you have to include the following line in your ~/.bashrc (or .zshenv):
export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
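An added example, not code from either answer or from the Chromium project: a shell check to run inside the container before choosing flags. It reports whether the setuid helper is installed as root-owned with mode 4755 and whether user namespaces are enabled, then prints the least-permissive flag from the answers above. The function names, the fallback path and the max_user_namespaces heuristic are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit the sandbox prerequisites before weakening Chrome's flags.

# Helper path used in the steps above; override via CHROME_DEVEL_SANDBOX.
HELPER="${CHROME_DEVEL_SANDBOX:-/usr/local/sbin/chrome-devel-sandbox}"

# Prints: missing | bad-owner | bad-mode | ok
# The helper must be root-owned and mode 4755 (setuid root), matching the
# chown root:root / chmod 4755 steps above.
sandbox_helper_status() {
  local path="$1" owner mode
  [ -f "$path" ] || { echo missing; return 0; }
  owner=$(stat -c '%u' "$path")   # GNU/busybox stat syntax (Linux)
  mode=$(stat -c '%a' "$path")
  [ "$owner" = "0" ] || { echo bad-owner; return 0; }
  [ "$mode" = "4755" ] || { echo bad-mode; return 0; }
  echo ok
}

# Prints: available | unavailable | unknown
# Heuristic (assumption): a non-zero user.max_user_namespaces is necessary for
# the namespace sandbox, but a container seccomp profile can still block it.
userns_status() {
  local sysctl_file="${1:-/proc/sys/user/max_user_namespaces}" max
  [ -r "$sysctl_file" ] || { echo unknown; return 0; }
  max=$(cat "$sysctl_file")
  if [ "$max" -gt 0 ] 2>/dev/null; then echo available; else echo unavailable; fi
}

# Maps the two checks to the least-permissive flag set from the answers above.
recommend_flags() {
  local helper="$1" userns="$2"
  if [ "$helper" = "ok" ]; then
    echo ""                          # setuid sandbox usable: no flag needed
  elif [ "$userns" = "available" ]; then
    echo "--disable-setuid-sandbox"  # rely on the namespace sandbox only
  else
    echo "--no-sandbox"              # last resort: all sandboxing is off
  fi
}

h=$(sandbox_helper_status "$HELPER")
u=$(userns_status)
echo "helper=$h userns=$u flags='$(recommend_flags "$h" "$u")'"
```

If the script prints --no-sandbox, the browser's renderer processes run unsandboxed, so treat the container itself as the only isolation boundary for any page the tests load.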