Docker image fails to run when using the recommended Docker file from this repo #2668

Closed
wuno opened this issue Jun 3, 2018 · 7 comments

Comments

@wuno

commented Jun 3, 2018

I created a Nuxt.js application which uses Puppeteer in an express end point. The application only works on localhost Mac OS. When I run the application in Cloud Foundry Linux Debian that specific route times out as I have seen other people on the internet have the same problem when deploying to a Debian production environment.

Due to this, I decided to use the Docker example from this repo. I put my application in Docker and was able to replicate my initial issue. At this point I moved to update the Docker file with the recommended Docker file in this repo which has since then produced this error.

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

I have tried everything that exists on the internet to overcome this. What steps must I take beyond the recommendation for the Docker file to run this image?

I would be happy to run it as root with --no-sandbox but I am not sure how that can be done from the Docker file.

Due to the trouble I have faced I am wondering if this is a bug?

What steps will reproduce the problem?

Create Docker file, paste the Docker file from this repo in and

Run -
docker build -t user/pdf-generator .

Then run -
docker run -p 3000:300 user/pdf-generator

Please include code that reproduces the issue.

My Docker file -

FROM node:8-slim

RUN apt-get update && apt-get install -yq libgconf-2-4

RUN apt-get update && apt-get install -y wget --no-install-recommends \
    && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
    && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
    && apt-get update \
    && apt-get install -y google-chrome-unstable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst ttf-freefont \
      --no-install-recommends \
    && rm -rf /var/lib/apt/lists/* \
    && apt-get purge --auto-remove -y curl \
    && rm -rf /src/*.deb

ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 /usr/local/bin/dumb-init
RUN chmod +x /usr/local/bin/dumb-init

RUN npm i puppeteer

# Add user so we don't need --no-sandbox.
RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
    && mkdir -p /home/pptruser/Downloads \
    && chown -R pptruser:pptruser /home/pptruser \
    && chown -R pptruser:pptruser /node_modules

USER pptruser

ENTRYPOINT ["dumb-init", "--"]
CMD ["google-chrome-unstable"]

My run command -

docker run -p 3000:300 user/pdf-generator

What steps further must be taken to run this image?

What is the expected result?
I expect to enter the run command and the Docker image to start running without throwing an error.

What happens instead?

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

@CoreyCole

Contributor

commented Jun 6, 2018

have you tried not using the -slim tag? For node:slim

This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run node. Unless you are working in an environment where only the node image will be deployed and you have space constraints, we highly recommend using the default image of this repository.

@aslushnikov

Collaborator

commented Jun 29, 2018

@ebidel: should we recommend some bullet-proof docker image instead? It looks like the instructions for the Docker container in our troubleshooting.md are getting outdated. It'd be nice to have something real and maintained.

@ebidel

Contributor

commented Jun 29, 2018

The problem is that the env you run the container on matters. For example, if it doesn't support namespaces then adding a user and running chrome/puppeteer as that user won't work :(

Not sure what Cloud Foundry Linux Debian contains. I can test our Dockerfile again to make sure it's still working and up to date, but maybe we should be recommending --no-sandbox to support the largest number of cloud envs?

@wuno

Author

commented Jun 29, 2018

Here is what finally worked for me,

FROM node:8
ENV HOST 0.0.0.0
EXPOSE 8080
RUN apt-get update

# for https
RUN apt-get install -yyq ca-certificates
# install libraries
RUN apt-get install -yyq libappindicator1 libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libnss3 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6
# tools
RUN apt-get install -yyq gconf-service lsb-release wget xdg-utils
# and fonts
RUN apt-get install -yyq fonts-liberation

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN mkdir -p /usr/src/app/views

# install the necessary packages
RUN npm install

CMD npm run start

Then I ran Puppeteer like this,

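  // Runs inside the Express route handler: `req`, `res` and `template` come from it.
  const puppeteer = require('puppeteer');

  (async () => {
    let browser;
    try {
      // --no-sandbox and --disable-setuid-sandbox turn off Chrome's process sandbox.
      browser = await puppeteer.launch({ args: ['--no-sandbox', '--disable-setuid-sandbox'], ignoreHTTPSErrors: true, dumpio: false });
      const page = await browser.newPage();
      // Encode the JSON so characters such as & and # survive the query string.
      await page.goto(
          `https://pdf-example.com/${template}?data=${encodeURIComponent(JSON.stringify(req.body))}`
      );
      const pdfBuffer = await page.pdf({
        format: 'A4',
        margin: {
          top: '20px',
          left: '20px',
          right: '20px',
          bottom: '20px',
        },
      });

      res.writeHead(200, {
         'Content-Type': 'application/pdf',
         'Content-Disposition': `attachment; filename="${template}.pdf"`,
         'Content-Length': pdfBuffer.length
      });

      res.end(pdfBuffer);
    } catch (err) {
      // The try/catch sits inside the async function; wrapped around the call
      // it would never see a rejected promise.
      res.json({ status: "Failed", message: "Something went wrong rendering your PDF. Please try again.", error: err })
    } finally {
      // Always release the browser process, including on failure.
      if (browser) await browser.close().catch(() => {});
    }
  })();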

After days of working on this, it finally works with this config. I am not sure what the major differences are between what I have and what was suggested. But I can say that this works perfectly.

@QuentinLB


commented Jul 9, 2018

I second this issue, I tried to run pptr with a similar Dockerfile (node8-slim, chrome-stable, add pptruser, dumb-init) and got the same error when launched without the --no-sandbox flag.

@ebidel

but maybe we should be recommending --no-sandbox to support the largest number of cloud envs?

I think you're the best judges on this matter, in my situation the container will run in my company's private network so I'm not that concerned by security but I can see use cases where this is important.
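The sandbox trade-off raised in the comments above, as an added example (not code from the Puppeteer project or from any commenter): a launch wrapper that always tries the sandboxed launch first and drops to `--no-sandbox` only when the failure is a sandbox failure and the operator has opted in. The names `launchWithSandboxPolicy` and `ALLOW_NO_SANDBOX` are hypothetical, and the code assumes the launch error message carries Chrome's stderr text.

```javascript
// Added example. `launch` is any function shaped like puppeteer.launch(options);
// it is injected so the policy can be exercised without a browser installed.
const SANDBOX_FAILURES = [
  /Failed to move to new namespace/i, // error text quoted in this issue
  /No usable sandbox/i,               // Chromium's message when no sandbox can start
];

function isSandboxFailure(err) {
  const text = String((err && err.message) || err);
  return SANDBOX_FAILURES.some((re) => re.test(text));
}

// ALLOW_NO_SANDBOX is a hypothetical opt-in variable chosen for this example.
async function launchWithSandboxPolicy(launch, options = {}, env = process.env, log = console.warn) {
  // Strip sandbox-disabling flags so the first attempt is always sandboxed.
  const args = (options.args || []).filter(
    (a) => a !== '--no-sandbox' && a !== '--disable-setuid-sandbox'
  );
  try {
    const browser = await launch({ ...options, args });
    return { browser, sandboxed: true };
  } catch (err) {
    if (!isSandboxFailure(err)) throw err; // unrelated failure: do not mask it
    if (env.ALLOW_NO_SANDBOX !== '1') {
      throw new Error(
        'Chrome sandbox unavailable here and ALLOW_NO_SANDBOX is not set: ' + err.message
      );
    }
    // Make the downgrade visible in logs instead of silent.
    log('WARNING: launching Chrome without its sandbox; render trusted content only');
    const browser = await launch({
      ...options,
      args: [...args, '--no-sandbox', '--disable-setuid-sandbox'],
    });
    return { browser, sandboxed: false };
  }
}

// Real use (requires puppeteer to be installed):
//   const puppeteer = require('puppeteer');
//   const { browser, sandboxed } = await launchWithSandboxPolicy((o) => puppeteer.launch(o));
```

The returned `sandboxed` flag lets the caller refuse to render untrusted URLs when the browser came up without its sandbox.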

@joemccann


commented Aug 19, 2018

@wuno thanks for your hard work. The { args: ['--no-sandbox', '--disable-setuid-sandbox'], ignoreHTTPSErrors: true, dumpio: false } piece is what got it to work for me.

@aslushnikov aslushnikov added the chromium label Dec 6, 2018

@aslushnikov

Collaborator

commented Jan 10, 2019

We now have a docker image that we use for testing - Dockerfile.linux. Since it's in our CI pipeline, it is guaranteed to be up-to-date.
