unofficial mirror of bug-guix@gnu.org 
* bug#44891: Chromium does not start
@ 2020-11-26 15:53 Andrea Rossi via Bug reports for GNU Guix
  2020-11-27  3:41 ` raingloom
  2020-11-27  8:32 ` Giovanni Biscuolo
  0 siblings, 2 replies; 6+ messages in thread
From: Andrea Rossi via Bug reports for GNU Guix @ 2020-11-26 15:53 UTC (permalink / raw)
  To: 44891



Hi,
after the installation of ungoogled-chromium I tried to run it,
receiving this message:

[20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
usable sandbox! Update your kernel or see
https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
for more information on developing with the SUID sandbox. If you want to
live dangerously and need an immediate workaround, you can try using
--no-sandbox.

Maybe I'm missing something, or is this a case of a proper bug?

Regards,
-- 
Andrea







* bug#44891: Chromium does not start
  2020-11-26 15:53 bug#44891: Chromium does not start Andrea Rossi via Bug reports for GNU Guix
@ 2020-11-27  3:41 ` raingloom
  2020-11-27  8:40   ` Giovanni Biscuolo
  2020-11-27  8:32 ` Giovanni Biscuolo
  1 sibling, 1 reply; 6+ messages in thread
From: raingloom @ 2020-11-27  3:41 UTC (permalink / raw)
  To: 44891; +Cc: p

On Thu, 26 Nov 2020 16:53:29 +0100
Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Hi,
> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
> 
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
> No usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want
> to live dangerously and need an immediate workaround, you can try
> using --no-sandbox.
> 
> Maybe I'm missing something, or is this a case of a proper bug?
> 
> Regards,

Saw a similar issue on Arch recently, my guess is that the sandbox
binary (I don't remember its name or path) is missing the execute
permission bit.
Not sure how to fix that on Guix, since modifying a store item is
generally a big no-no. You could maybe write a quick and dirty package
that takes ungoogled-chromium as its only input, copies it (or just
creates symlinks?), and runs chmod +x on the sandbox binary.
That way you don't have to recompile the whole package.





* bug#44891: Chromium does not start
  2020-11-26 15:53 bug#44891: Chromium does not start Andrea Rossi via Bug reports for GNU Guix
  2020-11-27  3:41 ` raingloom
@ 2020-11-27  8:32 ` Giovanni Biscuolo
  2020-11-27 10:55   ` Andrea Rossi via Bug reports for GNU Guix
  1 sibling, 1 reply; 6+ messages in thread
From: Giovanni Biscuolo @ 2020-11-27  8:32 UTC (permalink / raw)
  To: Andrea Rossi, 44891


Ciao Andrea,

To the list: Andrea is a friend and a colleague, I'm helping him start
using Guix as a package manager.

Andrea: next time when reporting bugs on Guix please mention you are
using it on a foreign distro (not as Guix System), in your case Debian.

Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
>
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
> usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
>
> Maybe I'm missing something, or is this a case of a proper bug?

In Jan this year I had the same issue, reported in help-guix, on Debian
as foreign distro and Marius Bakke [1] helped me solve it:

1. sudo sysctl -w kernel.unprivileged_userns_clone=1
2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"

This is because the (ungoogled-)chromium sandbox relies on user namespaces
support in the kernel but Debian [2] disables user namespaces by
default; the above commands enable them for your current boot session
and permanently for next reboots.

Andrea please try the above fixes and tell us if they solve your issue.

Ciao, Gio'


[1] https://lists.gnu.org/archive/html/help-guix/2020-01/msg00059.html

[2] Chromium on Debian uses an alternative sandboxing method that relies
on a setuid binary, Guix does not use this :-)

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
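
A check for the condition described in the message above, as an added example that is not part of the original thread: it reports whether unprivileged user namespaces are usable right now and which value the files in /etc/sysctl.d will apply at the next boot. The function names and the directory arguments are hypothetical, and /proc/sys/user/max_user_namespaces (the upstream kernel limit) is not mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the directory arguments exist so the logic can be run against a
# constructed tree instead of the live /proc and /etc/sysctl.d.

# Runtime state: can an unprivileged process create a user namespace?
userns_status() {
    root="${1:-/proc}"
    knob="$root/sys/kernel/unprivileged_userns_clone"  # Debian kernel knob
    max="$root/sys/user/max_user_namespaces"           # upstream limit
    if [ ! -e "$root/self/ns/user" ] && [ ! -L "$root/self/ns/user" ]; then
        echo "unsupported"          # kernel built without user namespaces
    elif [ -r "$knob" ] && [ "$(cat "$knob")" = "0" ]; then
        echo "disabled-by-sysctl"   # the situation reported in this bug
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo "disabled-by-limit"
    else
        echo "enabled"
    fi
}

# Persistent state: value that survives a reboot. Files are read in
# lexical order and the last assignment wins, so 00-local-userns.conf
# can be overridden by any later file such as a 99-*.conf.
# Only the single directory given is scanned (assumption: /etc/sysctl.d).
persisted_userns_value() {
    dir="${1:-/etc/sysctl.d}"
    val=""
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val="$v"; fi
    done
    echo "${val:-unset}"
}

# Report for the running system.
echo "runtime:   $(userns_status)"
echo "persisted: $(persisted_userns_value)"
```

If the two lines disagree (for example runtime "enabled" but persisted "0" or "unset"), the sandbox will stop working again after the next reboot.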


* bug#44891: Chromium does not start
  2020-11-27  3:41 ` raingloom
@ 2020-11-27  8:40   ` Giovanni Biscuolo
  0 siblings, 0 replies; 6+ messages in thread
From: Giovanni Biscuolo @ 2020-11-27  8:40 UTC (permalink / raw)
  To: raingloom, 44891; +Cc: p


Hi raingloom,

raingloom <raingloom@riseup.net> writes:

> On Thu, 26 Nov 2020 16:53:29 +0100
> Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

[...]

>> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
>> No usable sandbox! Update your kernel or see
>> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
>> for more information on developing with the SUID sandbox. If you want
>> to live dangerously and need an immediate workaround, you can try
>> using --no-sandbox.

[...]

> Saw a similar issue on Arch recently, my guess is that the sandbox
> binary (I don't remember its name or path) is missing the execute
> permission bit.

As reported in my previous reply to Andrea, AFAIU (thanks Marius Bakke)
Chromium can use two methods to start the sandbox:

1. use the SUID binary
2. use user namespaces

AFAIU the second is better and anyway it's the method used by Guix
ungoogled-chromium

> Not sure how to fix that on Guix, since modifying a store item is
> generally a big no-no. You could maybe write a quick and dirty package
> that takes ungoogled-chromium as its only input, copies it (or just
> creates symlinks?), and runs chmod +x on the sandbox binary.
> That way you don't have to recompile the whole package.

No need for all this :-D

Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures


* bug#44891: Chromium does not start
  2020-11-27  8:32 ` Giovanni Biscuolo
@ 2020-11-27 10:55   ` Andrea Rossi via Bug reports for GNU Guix
  2020-11-27 15:29     ` Giovanni Biscuolo
  0 siblings, 1 reply; 6+ messages in thread
From: Andrea Rossi via Bug reports for GNU Guix @ 2020-11-27 10:55 UTC (permalink / raw)
  To: 44891

On 27/11/20 09:32, Giovanni Biscuolo wrote:
> [...]
> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
> 

It works!

Thanks,
Andrea





* bug#44891: Chromium does not start
  2020-11-27 10:55   ` Andrea Rossi via Bug reports for GNU Guix
@ 2020-11-27 15:29     ` Giovanni Biscuolo
  0 siblings, 0 replies; 6+ messages in thread
From: Giovanni Biscuolo @ 2020-11-27 15:29 UTC (permalink / raw)
  To: Andrea Rossi, 44891-done


Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> On 27/11/20 09:32, Giovanni Biscuolo wrote:
>> [...]
>> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
>> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf" 
>
> It works!

Fine! Closing this bug.

Ciao, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
