Function apps with headless chrome works in consumption plan but not in premium plan #852
Description
We can't run headless Chrome in a function app hosted in a premium plan, but it works in consumption plan.
We have two function apps running on an elastic premium plan (EP1:1). One is using dotnet and Puppeteer Sharp library, and the other one Python and Pyppeteer library. Both are located in West Europe.
- C# dotnet function app
Throw the following error:
2021-05-19T07:26:42.342176771Z Executed (Failed, Id=5687ac18-143f-4faf-a4e7-160b567a9a0c, Duration=103ms)
2021-05-19T07:26:42.342947961Z ---> PuppeteerSharp.ProcessException: Failed to launch Base! [0519/072642.021600:ERROR:zygote_host_impl_linux.cc(89)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
- Python function app
Throws the following error:
2021-05-19T07:16:10.624 [Error] Executed (Failed, Id=9f65d621-67bd-4529-a877-059ebb87f1b9, Duration=30046ms)Result: FailureException: BrowserError: Browser closed unexpectedly
We learned that the base images were not updated with the right dependencies for launching headless Chrome and tried to change the property linusFxVersion in the function apps to these base images, which are supposed to have the dependencies needed, using az CLI:
- Dotnet: mcr.microsoft.com/azure-functions/python:3.7
- Python: mcr.microsoft.com/azure-functions/python:3.0-python3.7
We are still getting the same error as shown above.
We also tried running the dotnet function app as a custom container and adding the dependencies manually there but still got issues. These are the steps we tried and their outcome:
#####################################################################
When running with the Visual Studio auto generated Dockerfile + adding installed dependencies, function app itself is running but the function throws this error:
2021-05-06T16:34:11.404380645Z ---> PuppeteerSharp.ProcessException: Failed to launch Base!
[0506/163411.280771:ERROR:zygote_host_impl_linux.cc(89)] Running as root without --no-sandbox is not supported.
See https://crbug.com/638180.
#####################################################################
When adding a new non-root user:
"Failed to launch Base! [0506/181428.176134:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox!
Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md
for more information on developing with the SUID sandbox."
####################################################################
When adding this line at the end of the Dockerfile to enable namespace cloning as per suggested in the link above:
CMD["sudo sysctl -w kernel.unprivileged_userns_clone=1"]
The container logs shows this error:
"Docker API responded with status code=BadRequest, response={"message":"OCI runtime create failed:
container_linux.go:370: starting container process caused:
exec: "sudo sysctl -w kernel.unprivileged_userns_clone=1": executable file not found in $PATH: unknown"}"
Found this in a Stackoverflow thread related to this command:
"Since Docker containers share the host system's kernel and its settings, a Docker container usually can't run sysctl at all."
We have an open ticket with Microsoft with TrackingID#2104220050002234 and they suggested that we open a public issue here on GitHub.