This repository has been archived by the owner on Jun 28, 2024. It is now read-only.

Failed to move to new namespace error - can I avoid running container as privileged? #97

Open
msokolov-roche opened this issue Jun 13, 2023 · 0 comments


@msokolov-roche

Dear website-evidence-collector team,

I am trying to make WEC work in a Debian container; however, I came across the following problem:

docker build -t wec . && docker run -it wec bash

collector@e5dfa1e5e9e8:~$ website-evidence-collector --json https://google.com
/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:197
            reject(new Error([
                   ^

Error: Failed to launch the browser process!
find: '/home/collector/.config/chromium/Crash Reports/pending/': No such file or directory
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted


TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md

    at onClose (/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:197:20)
    at ChildProcess.<anonymous> (/usr/lib/node_modules/website-evidence-collector/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:188:79)    
    at ChildProcess.emit (node:events:523:35)
    at ChildProcess._handle.onexit (node:internal/child_process:293:12)

Node.js v20.2.0

It seems that the culprit lies in Puppeteer.

The Node.js version is v20.2.0 and the npm version is 9.6.6.
Also, here is a Dockerfile that I used:

FROM debian:bullseye

# Base system plus the distro Chromium and the shared libraries Puppeteer needs.
RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y
RUN apt-get install -y curl wget chromium ca-certificates fonts-liberation libasound2 libatk-bridge2.0-0 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgbm1 libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libnss3 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 lsb-release wget xdg-utils

# Node.js 20 from NodeSource, then WEC installed globally from its latest tarball.
RUN curl -sL https://deb.nodesource.com/setup_20.x | bash
RUN apt-get install -y nodejs
RUN npm install --global https://github.com/EU-EDPS/website-evidence-collector/tarball/latest

# Run as an unprivileged user rather than root.
RUN addgroup --system --gid 1001 collector && adduser --system --uid 1000 --ingroup collector --shell /bin/bash collector
USER collector
WORKDIR /home/collector

# Use the distro Chromium instead of Puppeteer's bundled download.
ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium
ENTRYPOINT []

After a while, I managed to solve the problem by running the container as privileged, or at least with the SYS_ADMIN capability, i.e. docker run --cap-add=SYS_ADMIN -it wec bash.

I would really prefer to avoid giving containers excessive privileges. Do you know if there is a way to solve this problem differently?
Thank you!
