[chrome-headless] The SUID sandbox helper binary was found, but is not configured correctly

[zackw]

Attempting to run the current version of the chrome-headless image fails with this error:

[1:1:1025/214033.788392:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

I believe this is because the Dockerfile forcibly overrides ownership of the contents of /opt/google/chrome and thus clears the set-id bit on /opt/google/chrome/chrome-sandbox. That directory belongs to the google-chrome-stable package, so it shouldn't need its ownership changed.

Deleting the line

&& mkdir -p /opt/google/chrome && chown -R chrome:chrome /opt/google/chrome

(and the backslash at the end of the previous line) from the Dockerfile produces an image that works, at least in --cap-add=SYS_ADMIN mode. (I've never been able to get the seccomp approach to do anything other than crash on startup.)

[dejanzelic]

Ran into the same thing, your solution worked for me as well

[seyfer]

docker logs 7f12905ee2a4
[1230/203559.326607:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
Failed to generate minidump.

same for me

[zantiu]

I have the same problem, but only on Centos. On Windows it runs fine. Both in --cap-add=SYS_ADMIN mode.

[zackw]

@zantiu Yes, this is a Unix-specific issue. Neither set-uid helper binaries nor --cap-add=SYS_ADMIN are meaningful on Windows, as far as I know.