all messages for Guix-related lists mirrored at yhetil.org
* ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
From: Giovanni Biscuolo @ 2020-01-10 11:22 UTC (permalink / raw)
  To: help-guix

Hi Guix,

first and foremost kudos to Marius Bakke for the great work in maintaining
this package!

if I run the last ungoogled-chromium Guix version in my terminal session
[1] on a Debian 10 server, I get SIGABRT:

--8<---------------cut here---------------start------------->8---
[14913:14913:0110/113833.689067:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x561fb4b09f09 base::debug::CollectStackTrace()

Received signal 6
#0 0x561fb4b09f09 base::debug::CollectStackTrace()
  r8: 0000000000000000  r9: 00007ffc91ca6500 r10: 0000000000000008 r11: 0000000000000246
 r12: 00007ffc91ca7750 r13: 0000000000000170 r14: 00007ffc91ca7910 r15: 00007ffc91ca6780
  di: 0000000000000002  si: 00007ffc91ca6500  bp: 00007ffc91ca6740  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007fee29c227fa  sp: 00007ffc91ca6578
  ip: 00007fee29c227fa efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
--8<---------------cut here---------------end--------------->8---

If I run ungoogled-chromium with --no-sandbox it works, but I'd like not
to browse with the sandbox off (I'm going to study how to run my
browsers in a guix container, but it's not the solution AFAIU)

The same updated version of ungoogled-chromium from Guix on a Debian 10
laptop does not have this problem, so it's specific to the LTSP
environment I guess

The chromium binary from Debian 10 on the same LTSP environment does not
have the same problem, it works

Any suggestion on where to look for problems here, please?

Thanks! Gio'


[1] I have a couple LTSP terminals connected to a LTSP server

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

* Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
From: Marius Bakke @ 2020-01-11 23:27 UTC (permalink / raw)
  To: Giovanni Biscuolo, help-guix

Giovanni Biscuolo <g@xelera.eu> writes:

> if I run the last ungoogled-chromium Guix version in my terminal session
> [1] on a Debian 10 server, I get SIGABRT:
>
> --8<---------------cut here---------------start------------->8---
> [14913:14913:0110/113833.689067:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
>
> Received signal 6
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
>   r8: 0000000000000000  r9: 00007ffc91ca6500 r10: 0000000000000008 r11: 0000000000000246
>  r12: 00007ffc91ca7750 r13: 0000000000000170 r14: 00007ffc91ca7910 r15: 00007ffc91ca6780
>   di: 0000000000000002  si: 00007ffc91ca6500  bp: 00007ffc91ca6740  bx: 0000000000000006
>   dx: 0000000000000000  ax: 0000000000000000  cx: 00007fee29c227fa  sp: 00007ffc91ca6578
>   ip: 00007fee29c227fa efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
>  trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
> [end of stack trace]
> Calling _exit(1). Core file will not be generated.
> --8<---------------cut here---------------end--------------->8---
>
> If I run ungoogled-chromium with --no-sandbox it works, but I'd like not
> to browse with the sandbox off (I'm going to study how to run my
> browsers in a guix container, but it's not the solution AFAIU)
>
> The same updated version of ungoogled-chromium from Guix on a Debian 10
> laptop does not have this problem, so it's specific to the LTSP
> environment I guess
>
> The chromium binary from Debian 10 on the same LTSP environment does not
> have the same problem, it works
>
> Any suggestion on where to look for problems here, please?

The (ungoogled-) Chromium sandbox relies on user namespaces support in
the kernel.  I guess `guix environment -C` does not work either?

Debian disables user namespaces by default, try this command to enable
it:

 sudo sysctl -w kernel.unprivileged_userns_clone=1


* Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
From: Giovanni Biscuolo @ 2020-01-13 16:32 UTC (permalink / raw)
  To: Marius Bakke, help-guix

Hello Marius,

Thanks! the issue was related to lack of user namespaces

Marius Bakke <mbakke@fastmail.com> writes:

> Giovanni Biscuolo <g@xelera.eu> writes:

[...]

>> The same updated version of ungoogled-chromium from Guix on a Debian 10
>> laptop does not have this problem, so it's specific to the LTSP
>> environment I guess

no: my laptop had user namespaces enabled :-)

>> The chromium binary from Debian 10 on the same LTSP environment does not
>> have the same problem, it works

so the Debian binary is working without user namespaces?

>> Any suggestion on where to look for problems here, please?
>
> The (ungoogled-) Chromium sandbox relies on user namespaces support in
> the kernel.  I guess `guix environment -C` does not work either?

no, "guix environment -C" was not working and *still* does not
work... but I'm almost sure it depends on something else, more on this
in another thread

> Debian disables user namespaces by default, try this command to enable
> it:
>
>  sudo sysctl -w kernel.unprivileged_userns_clone=1

it worked, I made it persistent also [1]

Thanks again! Gio'



[1] sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"

-- 
Giovanni Biscuolo

Xelera IT Infrastructures


* Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
From: Marius Bakke @ 2020-01-13 21:44 UTC (permalink / raw)
  To: Giovanni Biscuolo, help-guix

Giovanni Biscuolo <g@xelera.eu> writes:

>>> The chromium binary from Debian 10 on the same LTSP environment does not
>>> have the same problem, it works
>
> so the Debian binary is working without user namespaces?

Chromium has another sandboxing method that relies on a setuid binary,
which is what Debian uses.

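The two sandbox prerequisites named in this thread, unprivileged user namespaces (the 2020-01-11 reply) and a setuid helper (the reply above), can be checked on a host with the script below. It is an added example, not part of the original messages and not code from Guix or Chromium; the `ROOT` argument and the default helper path `/usr/lib/chromium/chrome-sandbox` are assumptions.

```shell
#!/bin/sh
# Added example: which Chromium sandbox prerequisites does this host satisfy?
# ROOT (hypothetical parameter, default "") prefixes the /proc paths so the
# checks can be run against a constructed directory tree.

# Prints: enabled | disabled-by-debian-sysctl |
#         disabled-by-max-user-namespaces | no-kernel-support
userns_status() {
    root="${1:-}"
    ns="$root/proc/self/ns/user"
    debian_knob="$root/proc/sys/kernel/unprivileged_userns_clone"
    max_knob="$root/proc/sys/user/max_user_namespaces"

    # No user namespace entry at all: the kernel was built without support.
    [ -e "$ns" ] || [ -L "$ns" ] || { echo no-kernel-support; return; }
    # Debian-specific switch, the one set with sysctl in this thread.
    if [ -r "$debian_knob" ] && [ "$(cat "$debian_knob")" = 0 ]; then
        echo disabled-by-debian-sysctl; return
    fi
    # Upstream per-user limit: 0 forbids creating any user namespace.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = 0 ]; then
        echo disabled-by-max-user-namespaces; return
    fi
    echo enabled
}

# Prints: ok | missing | not-setuid | not-root-owned
setuid_helper_status() {
    helper="$1"
    [ -f "$helper" ] || { echo missing; return; }
    [ -u "$helper" ] || { echo not-setuid; return; }
    [ "$(ls -ln "$helper" | awk '{print $3}')" = 0 ] || { echo not-root-owned; return; }
    echo ok
}

# Prints which prerequisite is met first: userns | setuid | none
sandbox_verdict() {
    if [ "$(userns_status "$1")" = enabled ]; then echo userns
    elif [ "$(setuid_helper_status "$2")" = ok ]; then echo setuid
    else echo none
    fi
}

# Helper path is an assumption (Debian's chromium package); pass another as $1.
sandbox_verdict "" "${1:-/usr/lib/chromium/chrome-sandbox}"
```

A result of `enabled` reflects only the two sysctls read here; other restrictions on namespace creation are not checked.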
