NaCl帮助程序进程无需沙箱即可运行!运行npm测试时出错 [英] NaCl helper process running without a sandbox! error when running npm tests
问题描述
运行一些npm测试时遇到问题。我收到的错误是:运行NaCl辅助程序时没有沙箱!的确如此,因为我使用 --no-sandbox选项运行浏览器。由于浏览器以root用户身份运行,因此我必须运行此选项,并且根本没有其他用户可以运行该选项(这是一个docker映像)。
有人可以帮我解决这个问题吗?
I'n having a problem when running some npm test. The error I'm receiving is: "NaCl helper process running without a sandbox!", which is true, as I'm running the browser with the "--no-sandbox" option. I have to run this option due to the fact that the browser runs as root, and I don't have an option to run it a different user at all(it's a docker image). Can anyone please help me to sort it out?
PS我通过以下方式安装浏览器:
P.S I'm installing the browser in the following way:
RUN apt-get update
RUN apt-get install -y nodejs npm
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
RUN sh -c 'echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
RUN apt-get install -y apt-transport-https
RUN apt-get update
RUN apt-get install -y google-chrome-stable
谢谢!
推荐答案
此错误消息...
NaCl helper process running without a sandbox!
...表示您的系统中没有setuid沙箱,因此该程序无法启动/产生新的浏览上下文即 Chrome浏览器会话。
...implies that you have no setuid sandbox in your system, hence the program was unable to initiate/spawn a new Browsing Context i.e. Chrome Browser session.
一种快速的解决方案是,如果您要运行Chrome并且仅使用名称空间沙箱,则可以设置标志:
A quick solution will be, if you want to run Chrome and only use the namespace sandbox, you can set the flag:
--disable-setuid-sandbox
此标志将禁用setuid沙箱(仅Linux)。但是,如果您在没有对名称空间沙箱提供适当内核支持的主机上执行此操作,Chrome将不会启动。另外,您也可以使用以下标志:
This flag will disable the setuid sandbox (Linux only). But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will not spin up. As an alternative you can also use the flag:
--no-sandbox
此标志将禁用所有通常被沙箱化的进程类型的沙箱。
This flag will disable the sandbox for all process types that are normally sandboxed.
示例:
chromeOptions: {
args: ['--disable-setuid-sandbox', '--no-sandbox']
},
您可以找到详细的讨论在安全注意事项-ChromeDriver-适用于Chrome的Webdriver
深潜
按 Linux SUID沙箱开发中的文档 google-chrome 需要一个 SUID 帮助程序二进制文件才能在Linux上打开沙箱。在大多数情况下,您可以使用以下命令为您安装适当的沙箱:
Deep dive
As per the documentation in Linux SUID Sandbox Development google-chrome needs a SUID helper binary to turn on the sandbox on Linux. In majority of the cases you can install the proper sandbox for you using the command:
build/update-linux-sandbox.sh
该程序将在<$ c $中为您安装正确的沙盒 c> / usr / local / sbin ,并告诉您在需要时更新 .bashrc 。
This program will install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if required.
但是,有一些例外情况,例如,如果您的 setuid 二进制文件已过期,您将收到诸如以下消息:
However, there can be some exceptions as an example, if your setuid binary is out of date, you will get messages such as:
Running without the SUID sandbox!
或
The setuid sandbox provides API version X, but you need Y
You are using a wrong version of the setuid binary!
在这些情况下,您需要:
In these cases, you need to:
- 每次构建chrome时都要构建
chrome_sandbox(ninja -C xxx chrome chrome_sandbox而不是忍者-C xxx chrome) -
构建后,执行
update-linux-sandbox.sh。
# needed if you build on NFS!
sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox
sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
最后,您必须在〜/ .bashrc (或 .zshenv )中添加以下行:
Finally, you have to include the following line in your ~/.bashrc (or .zshenv):
export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
这篇关于NaCl帮助程序进程无需沙箱即可运行!运行npm测试时出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
