☸️ Can not run in Kubernetes? #109

Closed
hardy4yooz opened this issue Jul 30, 2020 · 33 comments · Fixed by #139
Labels
bug Hacktoberfest Ready for new contributors to work on! help wanted question

Comments

@hardy4yooz

hardy4yooz commented Jul 30, 2020

Describe the bug
Can this image run in Kubernetes? I got this error.

```
[0730/093334.582068:WARNING:dns_config_service_posix.cc(341)] Failed to read DnsConfig.
DevTools listening on ws://0.0.0.0:9222/devtools/browser/ffc8216e-74e1-4005-a9c6-5fae589bb301
[0730/093334.599757:ERROR:zygote_host_impl_linux.cc(262)] Failed to adjust OOM score of renderer with pid 26: Permission denied (13)
[0730/093334.608738:ERROR:zygote_host_impl_linux.cc(262)] Failed to adjust OOM score of renderer with pid 28: Permission denied (13)
[0730/093334.807594:WARNING:dns_config_service_posix.cc(341)] Failed to read DnsConfig.
```

@hardy4yooz hardy4yooz added the bug label Jul 30, 2020

@jlandure
Owner

Hi @hardy4yooz

Thanks for your issue! 👍
Sorry for the delay. 😊

I think you have a problem using the sandbox mechanism of Chromium. Please read this section of the README.
What method did you use? --no-sandbox or SYS_ADMIN or seccomp?

In this chromium page, they indicate to test it -- You can give CAP_DAC_OVERRIDE to your process 🐛

I have to create an example using Kubernetes.
If you're interested, you can help to create it in the example folder. 🚀

@simonfrey
Contributor

simonfrey commented Sep 22, 2020

Have the same problem. Running alpine-chrome in k8s fails. Executing my puppeteer script against the headless chrome I always get the following error:

```
[0922/162631.212208:ERROR:zygote_host_impl_linux.cc(262)] Failed to adjust OOM score of renderer with pid 67: Permission denied (13)
```

I choose to go with SYS_ADMIN caps and the default entry point:

```yaml
...
  containers:
      - args:
        - --remote-debugging-address=0.0.0.0
        - --remote-debugging-port=9222
        image: zenika/alpine-chrome
        name: zenika-alpine-chrome
        resources:
          limits:
            cpu: 4
            memory: 8Gi
          requests:
            cpu: 1
            memory: 1Gi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - SYS_ADMIN
            drop:
            - SETPCAP
            - MKNOD
            - AUDIT_WRITE
            - CHOWN
            - NET_RAW
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - SETGID
            - SETUID
            - NET_BIND_SERVICE
            - SYS_CHROOT
            - SETFCAP
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
          name: tmp
        - mountPath: /home/chrome
          name: chrome
...
```

The volume mounts are temporary volumes

Already tried following and that did not help:

  • add DAC_OVERRIDE to the CAP add section
  • run with --no-sandbox
  • run with custom args dropping the --disable-software-rasterizer arg

Running zenika/alpine-chrome locally via docker and with seccomp it works:

```sh
docker container run -it --rm -d -p 9222:9222 --security-opt seccomp=$(pwd)/chrome_secomp.json zenika/alpine-chrome --remote-debugging-address=0.0.0.0 --remote-debugging-port=9222
```

@simonfrey
Contributor

The following issue might be a fix for this? #8

@jlandure
Owner

Hi @simonfrey 👋

First, thanks for your time! 👍

I don't know if it could work! I will take some time to investigate it.

Can you share your K8S example in a PR in the examples folder? If you wait for October, your PR will count for hacktoberfest 🎉

Like I said, have you tested this?

In this chromium page, they indicate to test it -- You can give CAP_DAC_OVERRIDE to your process 🐛

@simonfrey
Contributor

simonfrey commented Sep 30, 2020

As mentioned in my original answer: I tried the CAP_DAC_OVERRIDE and the same error still occurs 😄

@jlandure
Owner

jlandure commented Oct 1, 2020

Hi @simonfrey

Ok! thanks for the reply 😊

@jlandure jlandure changed the title from "Can not run in Kubernetes?" to "☸️ Can not run in Kubernetes?" on Oct 6, 2020

@simonfrey
Contributor

> Can you share your K8S example in a PR in the examples folder? If you wait for October, your PR will count for hacktoberfest 🎉

I will build an example :D Would you be so kind and add the hacktoberfest label so it counts into it :D

@jlandure jlandure added the Hacktoberfest Ready for new contributors to work on! label Oct 21, 2020
@jlandure
Owner

Hey @simonfrey 👋

Yes, I added the label. 👍

@CyberHippo

Hi all,

Thank you for your great work on this image and the example for k8s!

I tried to run your example and I still got the following logs:

```
[1104/165305.104292:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
[1104/165305.105255:WARNING:dns_config_service_posix.cc(342)] Failed to read DnsConfig.

DevTools listening on ws://0.0.0.0:9222/devtools/browser/f329a418-3587-4c65-b945-10e988b38f7f
[1104/165305.171139:ERROR:zygote_host_impl_linux.cc(263)] Failed to adjust OOM score of renderer with pid 24: Permission denied (13)
[1104/165305.270101:ERROR:zygote_host_impl_linux.cc(263)] Failed to adjust OOM score of renderer with pid 31: Permission denied (13)
[1104/165305.583951:WARNING:dns_config_service_posix.cc(342)] Failed to read DnsConfig.
```

Is there a way to suppress them?

Note that the pod is running fine and I can use the service without error.

@stanislav-zaprudskiy

Same here. Pod specs are:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  ...
spec:
  ...
  template:
    ...
    spec:
      containers:
      ...
      - args:
        - --remote-debugging-port=9222
        - --remote-debugging-address=0.0.0.0
        - --headless
        - --disable-gpu
        image: zenika/alpine-chrome:83
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /json/version
            port: 9222
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: chrome
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /json/version
            port: 9222
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - SYS_ADMIN
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp
        - mountPath: /home/chrome
          name: chrome
      ...
      volumes:
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: chrome
```

Logs are:

```
1120/070843.509846:WARNING:dns_config_service_posix.cc(341)] Failed to read DnsConfig.
[1120/070843.544823:ERROR:zygote_host_impl_linux.cc(262)] Failed to adjust OOM score of renderer with pid 27: Permission denied (13)

DevTools listening on ws://0.0.0.0:9222/devtools/browser/dde29cea-4f5e-44ef-a256-7968f81a8620
[1120/070843.677471:ERROR:zygote_host_impl_linux.cc(262)] Failed to adjust OOM score of renderer with pid 38: Permission denied (13)
[1120/070843.722710:WARNING:dns_config_service_posix.cc(341)] Failed to read DnsConfig.
```

I also tried setting --no-sandbox arg instead of configuring volumes and securityContext but without any luck.

Kubernetes version is 1.14, and I tried both zenika/alpine-chrome:83 and zenika/alpine-chrome:86.

@simonfrey, can you please explain on securityContext's allowPrivilegeEscalation: false together with adding CAP_SYS_ADMIN? From what I see in the documentation, these two are competing with each other:

@hardy4yooz
Author

I used another project instead.

@jlandure
Owner

Hi @stanislav-zaprudskiy @hardy4yooz @CyberHippo 👋

Did you succeed with K8S? 🚀

@hardy4yooz Cool! What's the project? Perhaps we could add some help from them to resolve this problem... 👍

@stanislav-zaprudskiy

@jlandure, in our case the desired functionality of printing pages into PDF using Chrome works - nevertheless the error logs mentioned are still reported.

@jlandure
Owner

Hi @stanislav-zaprudskiy 👋

Thanks for the update. 👍

Perhaps it is the same problem as described here in the Puppeteer project? 🤔

@clearcodecn

@hardy4yooz can you please share what project are you using?
I face the issue too and no way to solve this.

@saarangtiwari

@jlandure
Hi, I am facing this issue as well. Is there any update/solution to this.
Thank you!

@ilyesAj

ilyesAj commented Feb 4, 2022

Hello, is it possible to provide a clear solution for this? I'm facing the same issue

@mangalamg

Is there any solution here? I'm still facing this issue

@h0jeZvgoxFepBQ2C

I have the same issue?

@frederikhors

Any news?

@h0jeZvgoxFepBQ2C

/reopen

@FrederikStenbergPedersen

Also still experiencing this issue

@JackHull

/reopen - This is still happening.

@Venoox

Venoox commented Mar 14, 2023

still not working

@thempatel

same

@astrolemonade

still happening

@diazoxide

same problem

@diazoxide

/reopen

@fllprbt

fllprbt commented Jun 18, 2023

does not affect our tests' execution but keeps appearing v10.11.0

@Lasidar

Lasidar commented Jul 28, 2023

FYI for anyone experiencing this issue, I suspect this may be related to a chrome renderer crash issue which has been occurring for us (i.e. "We detected that the Chromium Renderer process just crashed.").

@eranshahar

same here
got: ERROR:zygote_host_impl_linux.cc(273)] Failed to adjust OOM score of renderer with pid 2172: Permission denied
every time running cypress test through typescript code as a pod in k8s
how to resolve?

@WiiGe

WiiGe commented Dec 22, 2023

found "--disable-software-rasterizer" can fix the ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
but still on ERROR:zygote_host_impl_linux.cc(273) Failed to adjust OOM score of renderer with pid 23: Permission denied (13)

please fix

@mr-feek

mr-feek commented Mar 14, 2024

I've seemingly been able to resolve this via these args: chromium-browser --headless --disable-gpu --no-sandbox --remote-debugging-address=0.0.0.0 --remote-debugging-port=9222 --no-zygote --disable-software-rasterizer --disable-dev-shm-usage
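
Added example, not part of any comment in this thread or of the project's code: a small Python check that flags the sandbox-related settings discussed above (`--no-sandbox`, `SYS_ADMIN`, the `allowPrivilegeEscalation: false` question, seccomp, and DevTools bound to `0.0.0.0`). The rule ids, the sample dicts and the seccomp profile path are assumptions made for illustration.

```python
# Added example: audit container settings like the ones posted in this thread.
# Rule ids and the sample dicts below are constructed for illustration.
RULES = {
    "NO_SANDBOX": "--no-sandbox: renderers run without Chromium's sandbox",
    "SYS_ADMIN_ADDED": "CAP_SYS_ADMIN added: a very broad capability",
    "APE_FALSE_WITH_SYS_ADMIN": "allowPrivilegeEscalation: false conflicts with "
        "CAP_SYS_ADMIN (Kubernetes documents it as always true in that case)",
    "NO_SANDBOX_OPTION": "no --no-sandbox, SYS_ADMIN or Localhost seccomp profile",
    "DEVTOOLS_ALL_INTERFACES": "DevTools on 0.0.0.0: restrict access to the port",
}

def audit_container(container):
    """Return the sorted rule ids that fire for one container spec (a dict)."""
    args = container.get("args", [])
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {}).get("add", [])
    added = {c.upper().replace("CAP_", "", 1) for c in caps}  # CAP_X -> X
    seccomp = sc.get("seccompProfile", {}).get("type")
    hits = set()
    if "--no-sandbox" in args:
        hits.add("NO_SANDBOX")
    if "SYS_ADMIN" in added:
        hits.add("SYS_ADMIN_ADDED")
        if sc.get("allowPrivilegeEscalation") is False:
            hits.add("APE_FALSE_WITH_SYS_ADMIN")
    if not hits and seccomp != "Localhost":  # none of the three options set
        hits.add("NO_SANDBOX_OPTION")
    if "--remote-debugging-address=0.0.0.0" in args:
        hits.add("DEVTOOLS_ALL_INTERFACES")
    return sorted(hits)

# Constructed inputs: the SYS_ADMIN manifest and the --no-sandbox flags above,
# plus a hypothetical seccomp variant (the profile path is a placeholder).
SYS_ADMIN_SPEC = {
    "args": ["--remote-debugging-address=0.0.0.0", "--remote-debugging-port=9222"],
    "securityContext": {"allowPrivilegeEscalation": False,
                        "capabilities": {"add": ["SYS_ADMIN"], "drop": ["NET_RAW"]}},
}
NO_SANDBOX_SPEC = {"args": ["--headless", "--no-sandbox", "--no-zygote",
                            "--remote-debugging-address=0.0.0.0"]}
SECCOMP_SPEC = {
    "args": ["--remote-debugging-address=127.0.0.1", "--remote-debugging-port=9222"],
    "securityContext": {"seccompProfile": {
        "type": "Localhost", "localhostProfile": "profiles/chrome.json"}},
}

if __name__ == "__main__":
    for name in ("SYS_ADMIN_SPEC", "NO_SANDBOX_SPEC", "SECCOMP_SPEC"):
        for rule in audit_container(globals()[name]):
            print(f"{name}: {rule}: {RULES[rule]}")
```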
