No usable sandbox! Update your kernel from puppeteer on RTD #10108

Closed
astrojuanlu opened this issue Mar 6, 2023 · 10 comments

@astrojuanlu
Contributor


I'm trying to render mermaid diagrams on RTD (because mgaitan/sphinxcontrib-mermaid#22) and I get an error from puppeteer:

WARNING: mermaid code 'flowchart TD\n    A{Can your Kedro pipeline run on a single machine?} -- YES --> B[Consult the single-machine deployment guide];\n    B --> C{Do you have Docker on your machine?};\n    C -- YES --> D[Use a container-based approach];\n    C -- NO --> E[Use the CLI or package mode];\n    A -- NO --> F[Consult the distributed deployment guide];\n    F --> G["What distributed platform are you using?<br/><br/>Check out the guides for:<br/><br/><li>Airflow</li><li>Argo</li><li>Prefect</li><li>Kubeflow Pipelines</li><li>AWS Batch</li><li>Databricks</li><li>Dask</li>"];\n    style G text-align:left\n    H["Does (part of) your pipeline integrate with Amazon SageMaker?<br/><br/>Read the SageMaker integration guide"];\n    style H text-align:left': Mermaid exited with error:
[stderr]
b'\nError: Failed to launch the browser process!\n[0306/105249.518236:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.\n#0 0x5642251997d2 base::debug::CollectStackTrace()\n#1 0x5642250f9373 base::debug::StackTrace::StackTrace()\n#2 0x5642250f62d8 logging::LogMessage::~LogMessage()\n#3 0x564223959d56 content::ZygoteHostImpl::Init()\n#4 0x56422466e13c content::ContentMainRunnerImpl::Initialize()\n#5 0x56422466b780 content::RunContentProcess()\n#6 0x56422466bb86 content::ContentMain()\n#7 0x564224c42259 headless::HeadlessShellMain()\n#8 0x564220e26255 ChromeMain\n#9 0x7ffa2b9d7d90 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)\n#10 0x7ffa2b9d7e40 __libc_start_main\n#11 0x564220e2602a _start\n\n\n\nTROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md\n\n    at onClose (file:///home/docs/.asdf/installs/nodejs/19.0.0/.npm/lib/node_modules/@mermaid-js/mermaid-cli/node_modules/puppeteer-core/lib/esm/puppeteer/node/BrowserRunner.js:270:20)\n    at Interface.<anonymous> (file:///home/docs/.asdf/installs/nodejs/19.0.0/.npm/lib/node_modules/@mermaid-js/mermaid-cli/node_modules/puppeteer-core/lib/esm/puppeteer/node/BrowserRunner.js:258:24)\n    at Interface.emit (node:events:525:35)\n    at Interface.close (node:internal/readline/interface:537:10)\n    at Socket.onend (node:internal/readline/interface:263:10)\n    at Socket.emit (node:events:525:35)\n    at endReadableNT (node:internal/streams/readable:1359:12)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n\n'
[stdout]
b''

I'm using the ubuntu-22.04 image.

PR: kedro-org/kedro#2392

I read on https://stackoverflow.com/a/60797615/554319 and iridium-browser/tracker#208 that there are some ways around it but I'm not sure if they pose a security threat, or they're at all possible on RTD.

@humitos humitos added the Support Support question label Mar 6, 2023
@humitos
Member

humitos commented Mar 6, 2023

Hi! Thanks for reporting this issue. Unfortunately, I don't have experience with mermaid but, before jumping too deep into this issue, I'd like to ask you if you are able to build the documentation locally without any strange configuration.

In case you are, do you know if you were required to do some extra steps? (like the changes you linked to in StackOverflow, for example)

@humitos
Member

humitos commented Mar 6, 2023

After a quick look, it seems safe to use --no-sandbox (https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#setting-up-chrome-linux-sandbox) argument when calling the browser since the process runs inside Docker and all the code is public.

Besides, Read the Docs does not pass private environment variables to the build process on pull requests, so those cannot be exposed either.

In case there could be a security issue, I'm not seeing it and I think it will be at the same level as allowing anyone to run Python code when building your docs. So, probably not too much to worry about, "I'd say" 😄

@astrojuanlu
Contributor Author

> I'd like to ask you if you are able to build the documentation locally without any strange configuration.

I didn't have to do anything special, but I tested it on macOS, rather than on an Ubuntu 22.04 container.

> After a quick look, it seems safe to use --no-sandbox (https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#setting-up-chrome-linux-sandbox) argument when calling the browser since the process runs inside Docker and all the code is public.

I'll check who makes that subprocess call (sphinxcontrib-mermaid? mermaid-cli?) to see whether we have control or not.

> In case there could be a security issue, I'm not seeing it and I think it will be at the same level as allowing anyone to run Python code when building your docs. So, probably not too much to worry about, "I'd say" 😄

Thanks!

@astrojuanlu
Contributor Author

https://github.com/mermaidjs/mermaid.cli#linux-sandbox-issue

> First and foremost, you should not run as root and you should upgrade your Linux kernel to latest version.
>
> But if you don't want to follow the advice above and just want to disable sandbox, here you go:

That sounds pretty threatening but I guess we can go ahead - you might want to update your kernel though? 😅

@humitos
Member

humitos commented Mar 6, 2023

Interesting. Can you try using "build.apt_packages" to install the latest kernel version available in the Ubuntu repositories?

We are using Ubuntu 22.04, which is the latest LTS, but we haven't rebuilt it since its creation. I guess there have been some upgrades since then.

Maybe this idea solves your issue, tho 😏

@astrojuanlu
Contributor Author

It will make our builds a bit longer though :/ going to try the --no-sandbox first

@astrojuanlu
Contributor Author

I confirm that the workaround worked:

 docs/conf.py               | 2 ++
 docs/puppeteer-config.json | 3 +++
 2 files changed, 5 insertions(+)
 create mode 100644 docs/puppeteer-config.json

diff --git a/docs/conf.py b/docs/conf.py
index 1dc02d139..ce62e0e03 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -571,3 +571,5 @@ def setup(app):
 
 # https://github.com/kedro-org/kedro/issues/1772
 mermaid_output_format = "svg"
+# https://github.com/mermaidjs/mermaid.cli#linux-sandbox-issue
+mermaid_params = ["-p", here / "puppeteer-config.json"]
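Review bot: The `mermaid_params` line added at the end of `docs/conf.py` is set unconditionally, so the Puppeteer config it points to is applied on every machine that builds the docs. Consider setting it only when the build runs on Read the Docs (for example by checking the `READTHEDOCS` environment variable), so that builds elsewhere keep Chromium's sandbox. The comment above it is only a link; a short sentence saying that the referenced config passes `--no-sandbox` would let a reader see the security trade-off without opening the JSON file. Also, `here / "puppeteer-config.json"` looks like a `pathlib.Path` sitting in a list next to the string `"-p"`; wrapping it in `str(...)` avoids relying on how the extension builds its command line.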
diff --git a/docs/puppeteer-config.json b/docs/puppeteer-config.json
new file mode 100644
index 000000000..3201af7b7
--- /dev/null
+++ b/docs/puppeteer-config.json
@@ -0,0 +1,3 @@
+{
+  "args": ["--no-sandbox"]
+}
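Review bot: `"args": ["--no-sandbox"]` in the new `docs/puppeteer-config.json` turns off Chromium's sandbox for every diagram rendered with this config, and JSON leaves no room to record why. With the sandbox off, the diagram sources are what the browser parses, so they should stay limited to content reviewed in this repository. Keep the file to this single flag, state the reason in the `conf.py` comment that references it, and note there that the file should be deleted once the build environment can launch the browser with its sandbox.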

@humitos
Member

humitos commented Mar 6, 2023

> Can you try using "build.apt_packages" to install the latest kernel version available in the Ubuntu repositories?

> It will make our builds a bit longer though :/

👍🏼 -- if you have the time, I'd like to know this answer, too 😄 . So, it's all contained in this issue and we know if we can suggest it to other users.

BTW, thanks for sharing the workaround solution with everybody 💯

@astrojuanlu
Contributor Author

I just realized that, 1 month before I opened this issue, someone had already added the instructions to sphinxcontrib-mermaid 😄 mgaitan/sphinxcontrib-mermaid#106

@humitos
Member

humitos commented May 15, 2023

I'll close this issue because I don't think there is anything we can do from the Read the Docs side, right? The original package already added a section that documents how to build it on Read the Docs at https://github.com/mgaitan/sphinxcontrib-mermaid#building-pdfs-on-readthedocsio

Feel free to reopen if you consider there is something we should do here.

@humitos humitos closed this as completed May 15, 2023