How to properly use sandbox with puppeteer on linux and stop getting insecure?

I read docs :

https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox.md

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandbox_ipc.md

But I can't figure out how to get a properly configured sandbox, and I can't find the script update-linux-sandbox.sh anywhere on my system.

I've found it here

but I get:

$ ./update-linux-sandbox.sh
/tmp/../out/Debug does not exist. Use "BUILDTYPE=Release ./update-linux-sandbox.sh" If you are building in Release mode
$ BUILDTYPE=Release ./update-linux-sandbox.sh
/tmp/../out/Release does not exist. Use "BUILDTYPE=Release ./update-linux-sandbox.sh" If you are building in Release mode

The only insecure workaround I have is to use:

// Insecure: both flags turn off Chromium's process sandbox entirely
const browser = await puppeteer.launch(
    {headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox']}
);

Any idea how to do this properly?

MevatlaveKraspek asked Dec 08 '22 15:12


1 Answer

If you're here looking for a way to run Puppeteer on CentOS 7 without the --no-sandbox arg, then the @MevatlaveKraspek answer won't work.

I managed to get Puppeteer taking screenshots without the --no-sandbox flag arg by setting a Linux kernel parameter to enable namespacing (on CentOS Linux release 7.4.1708).

As root user run:
echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf

Check it worked with:
sudo sysctl -a | grep user.max_user_namespaces

Now reboot your system and run a script without using --no-sandbox, e.g. const browser = await puppeteer.launch();

If it still doesn't work you might be using an older Linux kernel and will require a couple of extra args set on the kernel command line.

As root user run:
grubby --args="user_namespace.enable=1 namespace.unpriv_enable=1" --update-kernel="$(grubby --default-kernel)"

Now reboot your system and check the kernel command line for the 2 params you just added:
cat /proc/cmdline

If they are in the command line, run a script without using --no-sandbox again, e.g. const browser = await puppeteer.launch();

It should work now. If it doesn't you might be using an old kernel which doesn't support namespacing.

You can check your kernel version with:
uname -a

This is my kernel version, on which I've got Puppeteer running without the --no-sandbox arg:
Linux centos7 3.10.0-693.21.1.el7.x86_64

Hope this helps :)

turrican_34 answered Dec 11 '22 11:12

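A preflight script that checks the three things this answer walks through (the user.max_user_namespaces sysctl, the two kernel command-line params, and the kernel version) before launching Puppeteer without --no-sandbox. This is an added example, not code from the answer or from Puppeteer; the /proc paths are the live defaults, the 3.8 version threshold is an assumption drawn from mainline kernel history, and each check accepts a file path or version string so it can be tried against constructed inputs.

```shell
#!/bin/sh
# Preflight for Chromium's user-namespace sandbox (added example, not from the answer).
# Each check takes an optional argument so it can be run against constructed inputs;
# with no argument it reads the live system.

# Sysctl from the answer: user.max_user_namespaces must be greater than 0.
ns_sysctl_ok() {
  f="${1:-/proc/sys/user/max_user_namespaces}"
  [ -r "$f" ] || return 1
  v=$(tr -d '[:space:]' < "$f")
  [ "$v" -gt 0 ] 2>/dev/null
}

# Kernel parameters added with grubby in the answer, as they appear in /proc/cmdline.
cmdline_has_ns_params() {
  f="${1:-/proc/cmdline}"
  [ -r "$f" ] || return 1
  grep -q 'user_namespace.enable=1' "$f" && grep -q 'namespace.unpriv_enable=1' "$f"
}

# Takes a `uname -r` string such as 3.10.0-693.21.1.el7.x86_64 and returns 0 when
# major.minor is at least 3.8 (assumption: the mainline release where user namespaces
# became usable; distro kernels may backport or disable them, hence the other checks).
kernel_supports_userns() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -gt 3 ] 2>/dev/null && return 0
  [ "$major" -eq 3 ] 2>/dev/null && [ "$minor" -ge 8 ] 2>/dev/null
}

# Runs all three against the live system and reports; exit status 0 means
# puppeteer.launch() should be safe to call without --no-sandbox.
sandbox_preflight() {
  rc=0
  rel=$(uname -r)
  if kernel_supports_userns "$rel"; then echo "kernel: ok ($rel)"; else echo "kernel: too old ($rel)"; rc=1; fi
  if ns_sysctl_ok; then echo "user.max_user_namespaces: ok"; else echo "user.max_user_namespaces: 0 or unreadable"; rc=1; fi
  if cmdline_has_ns_params; then echo "cmdline: ns params present"; else echo "cmdline: ns params absent (answer says older kernels need them)"; rc=1; fi
  return $rc
}

# Only run the live report when asked, so the functions can also be sourced.
case "${1:-}" in --check) sandbox_preflight ;; esac
```

Run it as `sh preflight.sh --check` after the reboot the answer describes; a non-zero exit tells you which of the three prerequisites is still missing.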