chromium in ubuntu latest is not installed from snap and therefore it's not possible to run it #12096

Closed
1 of 14 tasks
gusega opened this issue Apr 25, 2025 · 18 comments
@gusega

gusega commented Apr 25, 2025

Description

Hi azure team,

In azure devops pipelines on ubuntu: 24.04.2 image version: 20250420.1.0

chromium is not installed from snap and therefore it's not possible to start it.

Way to reproduce:

bash: |
  chromium

see more details here: https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md

Workaround

bash: |
  sudo snap install chromium

google-chrome works fine.

Thanks

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

20250420.1.0

Is it regression?

no

Expected behavior

chromium works

Actual behavior

it does not

[2007:2007:0425/163136.680338:FATAL:zygote_host_impl_linux.cc(132)] No usable sandbox! If you are running on Ubuntu 23.10+ or another Linux distro that has disabled unprivileged user namespaces with AppArmor, see https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md. Otherwise see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the (older) SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x55c9861580d2 base::debug::CollectStackTrace()
#1 0x55c98614526e base::debug::StackTrace::StackTrace()
#2 0x55c98609839a logging::LogMessage::Flush()
#3 0x55c986098e99 logging::LogMessageFatal::~LogMessageFatal()
#4 0x55c98412fd6e content::ZygoteHostImpl::Init()
#5 0x55c9853c006c content::ContentMainRunnerImpl::Initialize()
#6 0x55c9853bdf7c content::RunContentProcess()
#7 0x55c9853be357 content::ContentMain()
#8 0x55c980da6385 ChromeMain
#9 0x7f0047a2a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#10 0x7f0047a2a28b __libc_start_main
#11 0x55c980da602a _start

Repro steps

azure devops pipeline with:

bash: |
  chromium
@kishorekumar-anchala
Contributor

Hi @gusega, Thank you for bringing this issue to our attention. We will look into this issue and will update you after investigating.

@ChinHairSaintClair

ChinHairSaintClair commented Apr 30, 2025

We're encountering this issue when running Chrome in headless mode via Karma on the Ubuntu 22.04 runner image.

A couple of workarounds are documented in Chrome's AppArmor userns restrictions guide. One of them involves falling back to the setuid sandbox helper (chrome-sandbox), if it's available and properly configured.

However, this binary doesn't appear to be present or configured in the current runner image. As far as I understand, since these runners likely don't allow modifying AppArmor profiles or kernel settings, we're unable to install and set the required permissions ourselves.

Would it be possible to include the setuid sandbox helper as part of the image, so headless Chrome can run securely without relying on --no-sandbox in environments where user namespaces are restricted?

I'm still learning about these system-level constraints and CI internals, so please let me know if I've misunderstood anything or if additional logs would be helpful.

@ChinHairSaintClair

ChinHairSaintClair commented Apr 30, 2025

@kishorekumar-anchala I managed to get our tests running again, though the solution feels a bit hacky.

Confirm the OS version

lsb_release -a

Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble

Locate Chromium

which chromium

/usr/bin/chromium

This was a bit surprising because Chrome's AppArmor docs indicate that Ubuntu's Chromium is packaged as a snap:

> Ubuntu's packaged version of Chromium is a snap package, and snap generates an AppArmor profile at runtime that allows usage of user namespaces.

Inspect path

The binary at that path turned out to be a symlink:

ls -l /usr/bin/chromium

lrwxrwxrwx 1 root root 45 Apr 20 21:24 /usr/bin/chromium -> /usr/local/share/chromium/chrome-linux/chrome

Verify presence of the Sandbox

ls -l /usr/local/share/chromium/chrome-linux/

-rwxr-xr-x 1 root root 351856 Mar 3 19:21 chrome_sandbox

Fix

Following Chromium's suid sandbox documentation and this Ask Ubuntu thread, we did the following:

# Rename the sandbox file
sudo mv /usr/local/share/chromium/chrome-linux/chrome_sandbox /usr/local/share/chromium/chrome-linux/chrome-sandbox

# We have     "-rwxr-xr-x"
# But we need "-rwsr-xr-x"
# Adjust permissions (note the 's' in place of the 'x'). 
sudo chmod 4755 /usr/local/share/chromium/chrome-linux/chrome-sandbox

# Confirm
ls -l /usr/local/share/chromium/chrome-linux/chrome-sandbox

-rwsr-xr-x 1 root root 351856 Mar 3 19:21 chrome-sandbox

I hope this helps shed some light on how to address the issue.

@hemanthmanga
Contributor

Hi @gusega, @ChinHairSaintClair, Thank you for your insights. The issue is currently under investigation, and we will provide an update shortly.

@hemanthmanga
Contributor

hemanthmanga commented May 2, 2025

Hi @gusega, @ChinHairSaintClair, We have installed Chromium successfully using Snap, and it is running the latest version. The new image build has been released. Please try using the latest image build and confirm. Thank you.

@ChinHairSaintClair

ChinHairSaintClair commented May 5, 2025

Hi @hemanthmanga, we are using latest but I've been unable to get the installed snap packages:

No snaps are installed yet. Try 'snap install hello-world'.

Would you be able to link me to the release so that I can target that version specifically?

I'm still getting the following when trying to get the chrome install:

Detected Chromium binary at: /usr/bin/chromium
Binary is a symlink. Resolved to: /usr/local/share/chromium/chrome-linux/chrome

Setup info:

Current agent version: '4.255.0'

Operating System:
Ubuntu
24.04.2
LTS
Runner Image
Image: ubuntu-24.04
Version: 20250427.1.0
LTS

Runner Image
Image: ubuntu-24.04
Version: 20250427.1.0

Runner Image Provisioner
2.0.422.1

@hemanthmanga
Contributor

Hi @ChinHairSaintClair, Thank you for the details, you are running the latest image version, no need to target a specific one.

> I'm still getting the following when trying to get the chrome install:
>
> Detected Chromium binary at: /usr/bin/chromium
> Binary is a symlink. Resolved to: /usr/local/share/chromium/chrome-linux/chrome

The /usr/bin/chromium does not point to a Snap version, which may not function properly due to sandboxing and AppArmor restrictions in Ubuntu 24.04. FYI

To fix this, please add the following commands to your pipeline before using Chromium.

sudo apt update  
sudo apt install snapd  
sudo snap install chromium

This will install the Snap version of Chromium, which is supported by the Ubuntu 24.04 security model. Please confirm once the issue is resolved. Thank you.

@ChinHairSaintClair

Hi @hemanthmanga,
Thanks for the update. I was a bit confused by the earlier guidance, which seemed to imply that the Snap-installed Chromium was already included in the latest image and ready to use:

> We have installed Chromium successfully using Snap, and it is running the latest version. The new image build has been released. Please try using the latest image build and confirm.

If the expectation is that we handle the "Unprivileged user namespace" issue ourselves - either via the workaround I mentioned earlier (which Google suggests is the "safest"), or by installing Chromium via Snap - that’s totally fine. I’d just like to understand why that’s the intended approach.

If Snap is the recommended method, we’d likely need to remove the pre-installed (non-Snap) Chromium to avoid version conflicts or runtime ambiguity. That raises the question: why does the image include a non-Snap Chromium at all, if the Snap version is needed for user namespace compatibility? There also appears to be a Chrome AppArmor profile present on the image.

Given that AppArmor is a key part of newer Ubuntu versions and Snap apps benefit from its profiles (like for /chrome), I’m just trying to understand the rationale behind the current setup.

@hemanthmanga
Contributor

hemanthmanga commented May 8, 2025

Hi @ChinHairSaintClair,

> Hi @hemanthmanga, Thanks for the update. I was a bit confused by the earlier guidance, which seemed to imply that the Snap-installed Chromium was already included in the latest image and ready to use:
>
> > We have installed Chromium successfully using Snap, and it is running the latest version. The new image build has been released. Please try using the latest image build and confirm.

In the previous guidance, I mentioned that Chromium is installed via Snap using this workflow. We have not included Snap as the method for installing Chromium and other dependencies in the images.

> If the expectation is that we handle the "Unprivileged user namespace" issue ourselves - either via the workaround I mentioned earlier (which Google suggests is the "safest"), or by installing Chromium via Snap - that’s totally fine. I’d just like to understand why that’s the intended approach.
>
> If Snap is the recommended method, we’d likely need to remove the pre-installed (non-Snap) Chromium to avoid version conflicts or runtime ambiguity. That raises the question: why does the image include a non-Snap Chromium at all, if the Snap version is needed for user namespace compatibility? There also appears to be a Chrome AppArmor profile present on the image.
>
> Given that AppArmor is a key part of newer Ubuntu versions and Snap apps benefit from its profiles (like for /chrome), I’m just trying to understand the rationale behind the current setup.

Chromium is directly downloaded and extracted from upstream sources and provided as a non-Snap version, which CI/CD images have used to ensure consistent and reliable test environments. However, with Ubuntu 24.04 introducing stricter AppArmor rules, the Snap version of Chromium is now recommended, as it includes the necessary permissions. To support this, the image includes a Chrome AppArmor profile that enables secure execution and user namespace access for both Snap and standalone installations. Thank you.

@hemanthmanga
Contributor

Hi @gusega, Since we haven't received any response, we believe the issue has been resolved. We will now close the issue. Thank you.

@gusega
Author

gusega commented May 13, 2025

Hi @hemanthmanga,

I removed

bash: |
  sudo snap install chromium

step from my pipeline and it fails as before with chrome failed to start.

Could you please reopen the issue?

The image version is 20250504.1.0.

@hemanthmanga
Contributor

Hi @gusega, Please review #12096 (comment) to resolve this issue. Thank you.

@gusega
Author

gusega commented May 14, 2025

@hemanthmanga this is a workaround. Chromium from the image must just work.

@ChinHairSaintClair

Hi @hemanthmanga
@gusega's statement around "Chromium from the image must just work" seems justified by the statement that "the image includes a Chrome AppArmor profile that enables secure execution and user namespace access for both Snap and standalone installations". If that is the case, we wouldn't be experiencing the sandbox issue described in this thread.

While both the workarounds discussed here do get us unblocked, they are still just that - workarounds.

Given the presence of the AppArmor profile, it seems the intent was to continue Chromium's operation as in previous image versions - but that's not the case.

That suggests there may be something on the image that still needs to be addressed to allow for normal operation.

Unless I'm missing something?

@hemanthmanga
Contributor

Hi @gusega, The new image has been rolled out. Could you please try again? Thanks.

@gusega
Author

gusega commented May 16, 2025

Hi @hemanthmanga,

pipeline initialization logs:

Current agent version: '4.255.0'

Operating System
Ubuntu
24.04.2
LTS

Runner Image
Image: ubuntu-24.04
Version: 20250511.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250511.1/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250511.1

Runner Image Provisioner
2.0.422.1

Current image version: '20250511.1.0'

The pipeline:

steps:
  - bash: |
      ls -la "$(which "headless_shell")"
      ls -la "$(which "headless-shell")"
      ls -la "$(which "chromium")"
      ls -la "$(which "chromium-browser")"
      ls -la "$(which "google-chrome")"
      ls -la "$(which "google-chrome-stable")"
      ls -la "$(which "google-chrome-beta")"
      ls -la "$(which "google-chrome-unstable")"
      ls -la "$(which "/usr/bin/google-chrome")"
      ls -la "$(which "/usr/local/bin/chrome")"
      ls -la "$(which "/snap/bin/chromium")"
      ls -la "$(which "chrome")"
    continueOnError: true
  - bash: |
      chromium

output:

Starting: Bash
==============================================================================
Task         : Bash
Description  : Run a Bash script on macOS, Linux, or Windows
Version      : 3.250.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/usr/bin/bash /home/vsts/work/_temp/17f5a9cf-ad51-4e2c-b510-d45082fb3227.sh
ls: cannot access '': No such file or directory
ls: cannot access '': No such file or directory
lrwxrwxrwx 1 root root 45 May 11 21:25 /usr/bin/chromium -> /usr/local/share/chromium/chrome-linux/chrome
lrwxrwxrwx 1 root root 45 May 11 21:25 /usr/bin/chromium-browser -> /usr/local/share/chromium/chrome-linux/chrome
lrwxrwxrwx 1 root root 31 May  6 00:12 /usr/bin/google-chrome -> /etc/alternatives/google-chrome
lrwxrwxrwx 1 root root 32 May  6 00:12 /usr/bin/google-chrome-stable -> /opt/google/chrome/google-chrome
ls: cannot access '': No such file or directory
ls: cannot access '': No such file or directory
lrwxrwxrwx 1 root root 31 May  6 00:12 /usr/bin/google-chrome -> /etc/alternatives/google-chrome
ls: cannot access '': No such file or directory
ls: cannot access '': No such file or directory
ls: cannot access '': No such file or directory

##[error]Bash exited with code '2'.
Finishing: Bash



Starting: Bash
==============================================================================
Task         : Bash
Description  : Run a Bash script on macOS, Linux, or Windows
Version      : 3.250.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
Script contents:
chromium
========================== Starting Command Output ===========================
/usr/bin/bash /home/vsts/work/_temp/d22158d8-587b-4fe8-9498-828602ca99ae.sh
[1937:1937:0516/091320.111657:FATAL:content/browser/zygote_host/zygote_host_impl_linux.cc:132] No usable sandbox! If you are running on Ubuntu 23.10+ or another Linux distro that has disabled unprivileged user namespaces with AppArmor, see https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md. Otherwise see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the (older) SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x560365dde362 base::debug::CollectStackTrace()
#1 0x560365dcb39e base::debug::StackTrace::StackTrace()
#2 0x560365d18faa logging::LogMessage::Flush()
#3 0x560365d19ab9 logging::LogMessageFatal::~LogMessageFatal()
#4 0x560363d1e7de content::ZygoteHostImpl::Init()
#5 0x560364fff4dc content::ContentMainRunnerImpl::Initialize()
#6 0x560364ffd305 content::RunContentProcess()
#7 0x560364ffd667 content::ContentMain()
#8 0x56036092e385 ChromeMain
#9 0x7f156122a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#10 0x7f156122a28b __libc_start_main
#11 0x56036092e02a _start
Crash keys:
  "num-switches" = "0"
  "osarch" = "x86_64"
  "pid" = "1937"
  "ptype" = "browser"

[0516/091322.499617:ERROR:third_party/crashpad/crashpad/util/file/file_io_posix.cc:145] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
[0516/091322.499690:ERROR:third_party/crashpad/crashpad/util/file/file_io_posix.cc:145] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
Received signal 6
#0 0x560365dde362 base::debug::CollectStackTrace()
#1 0x560365dcb39e base::debug::StackTrace::StackTrace()
#2 0x560365ddddd8 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f1561245330 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4532f)
#4 0x7f156129eb2c pthread_kill
#5 0x7f156124527e gsignal
#6 0x7f15612288ff abort
#7 0x560365d199c5 logging::LogMessage::HandleFatal()
#8 0x560365d19544 logging::LogMessage::Flush()
#9 0x560365d19ab9 logging::LogMessageFatal::~LogMessageFatal()
#10 0x560363d1e7de content::ZygoteHostImpl::Init()
#11 0x560364fff4dc content::ContentMainRunnerImpl::Initialize()
#12 0x560364ffd305 content::RunContentProcess()
#13 0x560364ffd667 content::ContentMain()
#14 0x56036092e385 ChromeMain
#15 0x7f156122a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#16 0x7f156122a28b __libc_start_main
#17 0x56036092e02a _start
[end of stack trace]
/home/vsts/work/_temp/d22158d8-587b-4fe8-9498-828602ca99ae.sh: line 1:  1937 Aborted                 (core dumped) chromium

##[error]Bash exited with code '134'.
Finishing: Bash

@hemanthmanga
Contributor

Hi @gusega, As mentioned earlier, Chromium fails in Azure DevOps on the ubuntu-24.04 image due to sandbox/security settings. Installing Chromium via Snap resolves the issue, or you can use Chrome. Alternatively, using the ubuntu-22.04 image also works. However, due to our maintenance and support policies, we will not be making any changes at this time. Thank you for your understanding.

@gusega
Author

gusega commented May 18, 2025

@hemanthmanga no worries, the workaround of installing with snap works fine. Just need to not forget to remove it after it's fixed :)
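
The checks raised across this thread (snap packaging, the AppArmor userns restriction, the Chrome AppArmor profile on the image, and the setuid helper's name and mode) combined into one diagnostic. This is an added example, not code from the thread or from runner-images. Assumptions: the sysctl path and /etc/apparmor.d are Ubuntu defaults, the profile match is a heuristic, and all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: which sandbox can a given Chromium binary use?
# File and directory arguments exist so the checks can run against fixtures.

# Ubuntu 23.10+ exposes the AppArmor userns restriction as a sysctl (1 = restricted).
userns_restricted() {
  local f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Heuristic (assumption): a profile file that names the binary's directory and
# contains a "userns," rule is taken to lift the restriction for that binary.
profile_allows_userns() {
  local bindir="$1" profiles="${2:-/etc/apparmor.d}" f
  for f in "$profiles"/*; do
    [ -f "$f" ] || continue
    grep -qF -- "$bindir/" "$f" && grep -qE '^[[:space:]]*userns,' "$f" && return 0
  done
  return 1
}

# Setuid helper beside the binary: ok | missing | misnamed | not-setuid | wrong-owner
sandbox_helper_state() {
  local helper="$1/chrome-sandbox"
  if [ ! -e "$helper" ]; then
    # The image in this thread shipped the helper as chrome_sandbox (underscore).
    if [ -e "$1/chrome_sandbox" ]; then echo misnamed; else echo missing; fi
    return
  fi
  [ -u "$helper" ] || { echo not-setuid; return; }
  [ "$(stat -c %u "$helper")" = 0 ] || { echo wrong-owner; return; }
  echo ok
}

# Verdict: snap | userns | userns-via-profile | setuid | none:<helper state>
sandbox_verdict() {
  local resolved dir helper
  resolved="$(readlink -f -- "$1")"
  # /snap/bin/* entries resolve to the snap launcher; snap supplies its own profile.
  case "$resolved" in /snap/*|/usr/bin/snap) echo snap; return ;; esac
  userns_restricted "${2:-}" || { echo userns; return; }
  dir="$(dirname -- "$resolved")"
  profile_allows_userns "$dir" "${3:-}" && { echo userns-via-profile; return; }
  helper="$(sandbox_helper_state "$dir")"
  if [ "$helper" = ok ]; then echo setuid; else echo "none:$helper"; fi
}

# On a runner: sandbox_verdict "$(command -v chromium)"
```

A result of `none:misnamed` or `none:not-setuid` corresponds to the state the rename and `chmod 4755` steps earlier in the thread correct.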
