Chromium sandboxing failed

I run Crawlee in a docker container. That docker container is used in a Jenkins task. When starting the crawler I receive the following error:
Browser logs:
Chromium sandboxing failed!
================================
To avoid the sandboxing issue, do either of the following:
- (preferred): Configure your environment to support sandboxing
- (alternative): Launch Chromium without sandbox using 'chromiumSandbox: false' option
================================
The full error log can be found in the attachment. This error only occurs after upgrading crawlee[playwright] to 0.5.2.

What are the advantages/disadvantages of launching Chromium without sandbox? How could I configure my environment to support sandboxing?
5 Replies
unwilling-turquoise 4mo ago
Hey @ROYOSTI. Using a sandbox is generally safer in terms of isolating processes. Your error is probably related to the Docker configuration. Try either using the official Playwright docker file as a base (https://playwright.dev/python/docs/docker), or update the configuration, possibly to use a separate user with appropriate permissions (Playwright may not work when running as root user).
extended-salmon (OP) 4mo ago
Hi @Mantisus,

Thanks for the quick response! I suck so hard at making docker files. So if I want to use the official docker file as base I probably need to alter my Dockerfile like this:

FROM mcr.microsoft.com/playwright/python:v1.49.1-noble

Do I somewhere need to use adduser? And what about the seccomp profile? What if I want to update my configuration manually by adding a separate user? Could you point me in the right direction on how to do so?

My docker file looks like this:
FROM python:3.11.2

ENV APP_HOME=/app
ENV TESTS_PATH=/app/tests
ENV PYTHONPATH=${PYTHONPATH}:${APP_HOME}:${TESTS_PATH}
ENV CRAWLEE_STORAGE_DIR=${APP_HOME}/storage

WORKDIR ${APP_HOME}

RUN pip install --upgrade pip

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

RUN pip install playwright && playwright install --with-deps

COPY . ${APP_HOME}

RUN mkdir -p ${APP_HOME}/storage

ENTRYPOINT ["python"]
And I run it like this:
docker run --rm -t $docker_args \
-v /mnt/storage:/app/storage \
-e MONGO_HOST=${MONGO_HOST} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e SPAWN=${SPAWN} \
-e MONGO_CACHE=${MONGO_CACHE} \
${IMAGE_NAME} $prog_args
unwilling-turquoise 4mo ago
Try something like this.
FROM mcr.microsoft.com/playwright/python:v1.49.1-noble

ENV APP_HOME=/app
ENV TESTS_PATH=/app/tests
ENV PYTHONPATH=${PYTHONPATH}:${APP_HOME}:${TESTS_PATH}
ENV CRAWLEE_STORAGE_DIR=${APP_HOME}/storage

WORKDIR ${APP_HOME}

RUN groupadd -r appuser && useradd -r -g appuser -m -d /home/appuser appuser \
    && mkdir -p /home/appuser/.cache \
    && chown -R appuser:appuser /home/appuser/.cache

RUN pip install --upgrade pip

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . ${APP_HOME}
RUN mkdir -p ${APP_HOME}/storage

RUN chown -R appuser:appuser ${APP_HOME}

USER appuser

ENTRYPOINT ["python", "main.py"]
I have this working locally without having to configure seccomp.
extended-salmon (OP) 4mo ago
Thanks @Mantisus. This fixed my issue! On my Jenkins instance (hosted on AWS EC2) I needed to add a seccomp as mentioned in the URL you shared, otherwise I would receive another error. Thanks for helping me!
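
The thread ends with two separate fixes: a non-root user in the image, and a seccomp profile on the Jenkins host. As an added example (not posted by anyone in the thread, and not Crawlee or Playwright code), the preflight check below can run inside the container before the crawler starts to show which of the two is still missing. The function names are hypothetical, `unshare` from util-linux is assumed to be in the image, and `<profile>` stands for the seccomp profile file from the Playwright Docker page linked above.

```python
import os
import subprocess

# Constructed sample of /proc/self/status content (not taken from the thread).
SAMPLE_STATUS = "Name:\tpython\nUid:\t999\t999\t999\t999\nSeccomp:\t2\n"

def read_seccomp_mode(status_text):
    """Seccomp mode from /proc/<pid>/status text: 0=off, 1=strict, 2=filter."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return None  # field absent (kernel built without seccomp)

def userns_probe():
    """True if this process may create a user namespace (needs util-linux unshare)."""
    try:
        result = subprocess.run(["unshare", "--user", "true"],
                                capture_output=True, timeout=10)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def diagnose(uid, seccomp_mode, userns_ok):
    """Map the three observations to the fixes discussed in the thread."""
    findings = []
    if uid == 0:
        findings.append("running as root: add a non-root USER to the image")
    if not userns_ok and seccomp_mode == 2:
        findings.append("user namespace creation denied with a seccomp filter "
                        "active: likely needs --security-opt seccomp=<profile>")
    elif not userns_ok:
        findings.append("user namespace creation denied without a seccomp "
                        "filter: check host kernel user-namespace settings")
    return findings

def collect():
    """Gather uid, seccomp mode and user-namespace result for this process."""
    with open("/proc/self/status") as fh:
        mode = read_seccomp_mode(fh.read())
    return os.getuid(), mode, userns_probe()

if __name__ == "__main__":
    problems = diagnose(*collect())
    for p in problems:
        print("FAIL:", p)
    raise SystemExit(1 if problems else 0)
```

Run as a Jenkins step before the crawl, a non-zero exit stops the job with the missing piece named, rather than leaving `chromiumSandbox: false` as the quick way out.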
