Chromium does not start

Status: Done
Participants: Giovanni Biscuolo, Andrea Rossi, raingloom
Owner: unassigned
Submitted by: Andrea Rossi
Severity: normal
Andrea Rossi wrote on 26 Nov 2020 16:53
(address . bug-guix@gnu.org)
5cf157d8-7da4-c0b7-090a-c233775fffc1@a9i.it
Hi,
after the installation of ungoogled-chromium I tried to run it,
receiving this message:

[20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
usable sandbox! Update your kernel or see
https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
for more information on developing with the SUID sandbox. If you want to
live dangerously and need an immediate workaround, you can try using
--no-sandbox.

Maybe I'm missing something, or is the case of a proper bug?

Regards,
--
Andrea
raingloom wrote on 27 Nov 2020 04:41
(name . Andrea Rossi via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
20201127044111.21669b76@riseup.net
On Thu, 26 Nov 2020 16:53:29 +0100
Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Hi,
> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
>
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
> No usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want
> to live dangerously and need an immediate workaround, you can try
> using --no-sandbox.
>
> Maybe I'm missing something, or is the case of a proper bug?
>
> Regards,

Saw a similar issue on Arch recently, my guess is that the sandbox
binary (I don't remember its name or path) is missing the execute
permission bit.
Not sure how to fix that on Guix, since modifying a store item is
generally a big no-no. You could maybe write a quick and dirty package
that takes ungoogled-chromium as its only input, copies it (or just
creates symlinks?), and runs chmod +x on the sandbox binary.
That way you don't have to recompile the whole package.
Giovanni Biscuolo wrote on 27 Nov 2020 09:32
87r1of9p3x.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me
Ciao Andrea,

To the list: Andrea is a friend and a colleague, I'm helping him start
using Guix as a package manager.

Andrea: next time when reporting bugs on Guix please mention you are
using it on a foreign distro (not as Guix System), in your case Debian.

Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
>
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
> usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
>
> Maybe I'm missing something, or is the case of a proper bug?

In Jan this year I had the same issue, reported in help-guix, on Debian
as foreign distro and Marius Bakke [1] helped me solve it:

1. sudo sysctl -w kernel.unprivileged_userns_clone=1
2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"

This is because the (ungoogled-)chromium sandbox relies on user namespaces
support in the kernel but Debian [2] disables user namespaces by
default; the above commands enable them for your current boot session
and permanently for next reboots.

Andrea please try the above fixes and tell us if they solve your issue.

Ciao, Gio'



[2] Chromium on Debian uses an alternative sandboxing method that relies
on a setuid binary, Guix does not use this :-)

--
Giovanni Biscuolo

Xelera IT Infrastructures
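
Added example (not part of the thread or of Guix): a check of the two sysctls that decide whether the namespace-based sandbox described above can start, and of whether step 2 has made the setting persistent. The optional directory arguments are assumptions of this example, used to point the checks at a constructed tree.

```shell
#!/bin/sh
# Added example. The optional directory arguments are assumptions of this
# example so the checks can run against a constructed tree.

# Prints "enabled", "disabled:<sysctl>" or "unknown".
userns_status() {
    root="${1:-/proc/sys}"
    debian_knob="$root/kernel/unprivileged_userns_clone"
    max_knob="$root/user/max_user_namespaces"
    [ -r "$debian_knob" ] || [ -r "$max_knob" ] || { echo "unknown"; return 2; }

    # Debian-patched kernels: 0 blocks user namespace creation by non-root.
    if [ -r "$debian_knob" ] && [ "$(cat "$debian_knob")" = "0" ]; then
        echo "disabled:kernel.unprivileged_userns_clone"
        return 1
    fi
    # Mainline per-user limit: 0 means no user namespaces can be created.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = "0" ]; then
        echo "disabled:user.max_user_namespaces"
        return 1
    fi
    echo "enabled"
}

# Succeeds if a file in the sysctl.d directory sets the Debian knob to 1,
# i.e. step 2 of the fix has been applied and will survive a reboot.
userns_persisted() {
    dir="${1:-/etc/sysctl.d}"
    grep -rqsE '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$dir"
}

# Report for the running system (never fails the script).
echo "user namespaces: $(userns_status)"
if userns_persisted; then
    echo "boot-time setting: present"
else
    echo "boot-time setting: absent"
fi
```

On a kernel without the Debian patch the first sysctl does not exist, so only `user.max_user_namespaces` is consulted.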
Giovanni Biscuolo wrote on 27 Nov 2020 09:40
(address . p@a9i.it)
87o8jj9oqf.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me
Hi raingloom,

raingloom <raingloom@riseup.net> writes:

> On Thu, 26 Nov 2020 16:53:29 +0100
> Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

[...]

>> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
>> No usable sandbox! Update your kernel or see
>> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
>> for more information on developing with the SUID sandbox. If you want
>> to live dangerously and need an immediate workaround, you can try
>> using --no-sandbox.

[...]

> Saw a similar issue on Arch recently, my guess is that the sandbox
> binary (I don't remember its name or path) is missing the execute
> permission bit.

As reported in my previous reply to Andrea, AFAIU (thanks Marius Bakke)
Chromium can use two methods to start the sandbox:

1. use the SUID binary
2. use user namespaces

AFAIU the second is better and anyway it's the method used by Guix
ungoogled-chromium

> Not sure how to fix that on Guix, since modifying a store item is
> generally a big no-no. You could maybe write a quick and dirty package
> that takes ungoogled-chromium as its only input, copies it (or just
> creates symlinks?), and runs chmod +x on the sandbox binary.
> That way you don't have to recompile the whole package.

No need for all this :-D

Thanks, Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures
Andrea Rossi wrote on 27 Nov 2020 11:55
(address . 44891@debbugs.gnu.org)
b7da60df-7aed-86bb-4e07-53317371d032@a9i.it
On 27/11/20 09:32, Giovanni Biscuolo wrote:
> [...]
> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
>

It works!

Thanks,
Andrea
Giovanni Biscuolo wrote on 27 Nov 2020 16:29
878sam95tj.fsf@biscuolo.net
Andrea Rossi via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> On 27/11/20 09:32, Giovanni Biscuolo wrote:
>> [...]
>> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
>> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
>
> It works!

Fine! Closing this bug.

Ciao, Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

Closed