Running headless Chrome / Puppeteer with --no-sandbox

Background

I built an application that uses Puppeteer on my localhost. Now that I am trying to deploy it into a Debian environment the script that runs Puppeteer is timing out. After researching it I realized it is a common problem. Most Debian environments are missing the dependencies needed to run Chromium.

Problem

I found some recommended ways to run the application using Docker here. I can run the application using Docker, but once I add the Chrome specific data to my Docker file I am getting a few errors.

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

It is suggested to run the app as a user made in the Docker file. But, when I add that user, the user gets the error mentioned above. Then when I try and run the application as root, I get a new error,

Running as root without --no-sandbox is not supported.

Although it is not recommended, I want to get the app running even with --no-sandbox to see if it works.

Example

I have been running the application like this,

docker run -p 3000:3000 user/app-name

Docker File
FROM ubuntu:16.04
# Application parameters and variables
ENV NODE_ENV=production
ENV PORT=3000
ENV Root_Dir /
ENV application_directory /usr/src/app
ENV font_directory /usr/share/fonts/noto
# Configuration for Chrome
ENV CONNECTION_TIMEOUT=60000
ENV CHROME_PATH=/usr/bin/google-chrome
RUN mkdir -p $application_directory
RUN mkdir -p $font_directory
# Dependencies needed for packages downstream
RUN apt-get update && apt-get install -y \
apt-utils \
unzip \
fontconfig \
locales \
gconf-service \
libasound2 \
libatk1.0-0 \
libc6 \
libcairo2 \
libcups2 \
libdbus-1-3 \
libexpat1 \
libfontconfig1 \
libgcc1 \
libgconf-2-4 \
libgdk-pixbuf2.0-0 \
libglib2.0-0 \
libgtk-3-0 \
libnspr4 \
libpango-1.0-0 \
libpangocairo-1.0-0 \
libstdc++6 \
libx11-6 \
libx11-xcb1 \
libxcb1 \
libxcomposite1 \
libxcursor1 \
libxdamage1 \
libxext6 \
libxfixes3 \
libxi6 \
libxrandr2 \
libxrender1 \
libxss1 \
libxtst6 \
ca-certificates \
fonts-liberation \
libappindicator1 \
libnss3 \
lsb-release \
xdg-utils \
wget
# It's a good idea to use dumb-init to help prevent zombie chrome processes.
ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 /usr/local/bin/dumb-init
RUN chmod +x /usr/local/bin/dumb-init
# Install Node.js
RUN apt-get install --yes curl &&\
curl --silent --location https://deb.nodesource.com/setup_8.x | bash - &&\
apt-get install --yes nodejs &&\
apt-get install --yes build-essential
# Install emoji's
RUN cd $font_directory &&\
wget https://github.com/emojione/emojione-assets/releases/download/3.1.2/emojione-android.ttf &&\
wget https://github.com/googlei18n/noto-cjk/blob/master/NotoSansCJKsc-Medium.otf?raw=true && \
fc-cache -f -v
RUN apt-get update && apt-get install -y wget --no-install-recommends \
&& wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
&& sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
&& apt-get update \
&& apt-get install -y google-chrome-unstable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst ttf-freefont \
--no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get purge --auto-remove -y curl \
&& rm -rf /src/*.deb
# Cleanup
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Install puppeteer so it's available in the container.
RUN npm i puppeteer
# Add user so we don't need --no-sandbox.
RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
&& mkdir -p /home/pptruser/Downloads \
&& chown -R pptruser:pptruser /home/pptruser \
&& chown -R pptruser:pptruser /node_modules
RUN cd $application_directory
WORKDIR $application_directory
# Install app dependencies
COPY package.json .
# Bundle app source
COPY . .
# Build
RUN npm install
USER pptruser
# Expose the web-socket and HTTP ports
EXPOSE 3000
ENTRYPOINT ["dumb-init", "--"]
CMD ["google-chrome-unstable", "npm", "start"]
Question

How do I run Docker and pass the --no-sandbox param so it will let me run this in root? Or, what do I need to change in my current Docker file so it will let me run it as the USER pptruser?

Current Problems -

Running as USER pptruser:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Running as root:

Running as root without --no-sandbox is not supported.

Answer

I was hitting a similar problem trying to run Chromium headless in an Alpine Docker container, and apparently so are many others (e.g., here, here). The --no-sandbox option is a straightforward workaround but obviously a poor security practice. What worked for me was setting a custom seccomp profile. Download this file (if interested, see the author's notes here). Then pass the option --security-opt seccomp=path/to/chrome.json when starting Docker, or specify the same option in your docker-compose.yml if you're using one.
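As an added example, not code from the question, the answer, Docker or Puppeteer, the Node script below shows the shape of the seccomp change the answer relies on and a launch helper that keeps Chrome's sandbox on, which is what the question's Dockerfile sets up the pptruser account for. Assumptions: BASE_PROFILE is a constructed, cut-down stand-in for Docker's default seccomp profile (only its clone rule mirrors the real one: Docker allows clone(2) only when no CLONE_NEW* bits are set, mask 0x7E020000, which is what makes Chrome's namespace sandbox fail with "Operation not permitted"); the chrome.json file the answer links to is not reproduced here; launchOptions is a hypothetical helper, not a Puppeteer API; the executable path defaults to the CHROME_PATH value from the question's Dockerfile.

```javascript
'use strict';
// Added example; not code from the question, the answer, Docker or Puppeteer.
// Part 1 adjusts a seccomp profile so Chrome's own namespace sandbox can start
// inside the container (the alternative to --no-sandbox that the answer recommends).
// Part 2 builds Puppeteer launch options that keep that sandbox on by default.
//
// Assumption: BASE_PROFILE is a constructed, cut-down stand-in for Docker's default
// profile. Only its clone rule mirrors the real one: Docker allows clone(2) only when
// none of the CLONE_NEW* bits are set, which is why Chrome's zygote fails with
// "Failed to move to new namespace ... errno = Operation not permitted".

// CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET
const NEW_NS_MASK = 0x7E020000; // 2114060288 in Docker's default profile

const BASE_PROFILE = {
  defaultAction: 'SCMP_ACT_ERRNO',
  architectures: ['SCMP_ARCH_X86_64'],
  syscalls: [
    { names: ['read', 'write', 'exit_group'], action: 'SCMP_ACT_ALLOW', args: [] },
    {
      names: ['clone'],
      action: 'SCMP_ACT_ALLOW',
      // allow only if (flags & NEW_NS_MASK) == 0
      args: [{ index: 0, value: NEW_NS_MASK, valueTwo: 0, op: 'SCMP_CMP_MASKED_EQ' }],
    },
  ],
};

// Return a copy of the profile in which clone() is allowed unconditionally and
// unshare() is allowed as well; both are needed for a user-namespace sandbox.
// The input is left untouched so it can be diffed against the result.
function allowChromeSandbox(profile) {
  const out = JSON.parse(JSON.stringify(profile));
  const isNsRestrictedClone = (rule) =>
    rule.names.includes('clone') &&
    (rule.args || []).some((a) => a.op === 'SCMP_CMP_MASKED_EQ' && a.value === NEW_NS_MASK);
  out.syscalls = out.syscalls.filter((rule) => !isNsRestrictedClone(rule));
  out.syscalls.push({ names: ['clone', 'unshare'], action: 'SCMP_ACT_ALLOW', args: [] });
  return out;
}

// Sorted names the profile allows with no argument filter: the list to review
// before shipping the profile, since every process in the container gets them.
function unconditionallyAllowed(profile) {
  return profile.syscalls
    .filter((r) => r.action === 'SCMP_ACT_ALLOW' && (!r.args || r.args.length === 0))
    .flatMap((r) => r.names)
    .sort();
}

// Hypothetical helper (not a Puppeteer API): options for puppeteer.launch().
// The sandbox stays on unless noSandbox is passed explicitly, and that opt-out is
// logged. Root with the sandbox on is refused up front, with Chrome's own wording,
// instead of being discovered from a launch timeout.
function launchOptions({
  uid,
  noSandbox = false,
  executablePath = process.env.CHROME_PATH || '/usr/bin/google-chrome',
} = {}) {
  if (uid === 0 && !noSandbox) {
    throw new Error('Running as root without --no-sandbox is not supported.');
  }
  // /dev/shm in a default container is 64 MB, too small for Chrome's shared memory.
  const args = ['--disable-dev-shm-usage'];
  if (noSandbox) {
    console.warn('warning: launching Chrome with --no-sandbox; renderer isolation is off');
    args.push('--no-sandbox');
  }
  return { executablePath, headless: true, args };
}

// Usage: node make-chrome-profile.js --emit > chrome.json
if (process.argv.includes('--emit')) {
  const patched = allowChromeSandbox(BASE_PROFILE);
  process.stdout.write(JSON.stringify(patched, null, 2) + '\n');
  console.error('allowed without filters:', unconditionallyAllowed(patched).join(' '));
}
```

Write the profile with node make-chrome-profile.js --emit > chrome.json and pass it with --security-opt seccomp=chrome.json as the answer describes; the container still starts as pptruser and Puppeteer is launched with launchOptions({ uid: process.getuid() }). The trade-off is container-wide: once clone() and unshare() are no longer filtered by seccomp, every process in that container can create user namespaces, so scope the profile to the Puppeteer service alone rather than reusing it for other containers.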