GNU bug report logs - #44891
Chromium does not start
Reported by: Andrea Rossi <p <at> a9i.it>
Date: Thu, 26 Nov 2020 17:55:01 UTC
Severity: normal
Done: Giovanni Biscuolo <g <at> xelera.eu>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Thu, 26 Nov 2020 17:55:02 GMT)
Acknowledgement sent to Andrea Rossi <p <at> a9i.it>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 26 Nov 2020 17:55:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
after the installation of ungoogled-chromium I tried to run it,
receiving this message:
[20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
usable sandbox! Update your kernel or see
https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
for more information on developing with the SUID sandbox. If you want to
live dangerously and need an immediate workaround, you can try using
--no-sandbox.
Maybe I'm missing something, or is this a case of a proper bug?
Regards,
--
Andrea
Information forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Fri, 27 Nov 2020 03:48:01 GMT)
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
On Thu, 26 Nov 2020 16:53:29 +0100
Andrea Rossi via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
> Hi,
> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
>
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
> No usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want
> to live dangerously and need an immediate workaround, you can try
> using --no-sandbox.
>
> Maybe I'm missing something, or is the case of a proper bug?
>
> Regards,
Saw a similar issue on Arch recently, my guess is that the sandbox
binary (I don't remember its name or path) is missing the execute
permission bit.
Not sure how to fix that on Guix, since modifying a store item is
generally a big no-no. You could maybe write a quick and dirty package
that takes ungoogled-chromium as its only input, copies it (or just
creates symlinks?), and runs chmod +x on the sandbox binary.
That way you don't have to recompile the whole package.
Information forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Fri, 27 Nov 2020 03:48:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Fri, 27 Nov 2020 08:33:02 GMT)
Message #14 received at 44891 <at> debbugs.gnu.org (full text, mbox):
Ciao Andrea,
To the list: Andrea is a friend and a colleague, I'm helping him start
using Guix as a package manager.
Andrea: next time when reporting bugs on Guix please mention you are
using it on a foreign distro (not as Guix System), in your case Debian.
Andrea Rossi via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
> after the installation of ungoogled-chromium I tried to run it,
> receiving this message:
>
> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)] No
> usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
>
> Maybe I'm missing something, or is the case of a proper bug?
In Jan this year I had the same issue, reported in help-guix, on Debian
as foreign distro and Marius Bakke [1] helped me solve it:
1. sudo sysctl -w kernel.unprivileged_userns_clone=1
2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
This is because (ungoogled-)chromium sandbox relies on user namespaces
support in the kernel but Debian [2] disables user namespaces by
default; the above commands enable them for your current boot session
and permanently for next reboots.
Andrea please try the above fixes and tell us if they solve your issue.
Ciao, Gio'
[1] https://lists.gnu.org/archive/html/help-guix/2020-01/msg00059.html
[2] Chromium on Debian uses an alternative sandboxing method that relies
on a setuid binary, Guix does not use this :-)
--
Giovanni Biscuolo
Xelera IT Infrastructures
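
Added example (not part of the original thread, and not code from Guix or Chromium): a shell check for the condition diagnosed in the message above. It reads the Debian-specific `kernel.unprivileged_userns_clone` switch and the upstream `user.max_user_namespaces` limit, and reports what is persisted in one sysctl.d directory. The function names and the overridable root paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: is the namespace sandbox's prerequisite (unprivileged user
# namespaces) available, and is the setting persisted across reboots?
# Both functions take an optional root path so they can be run on a
# constructed directory tree instead of the live system.

# userns_status [proc_sys_root]
# Prints: enabled | disabled-by-sysctl | disabled-by-limit
userns_status() {
    root="${1:-/proc/sys}"
    clone="$root/kernel/unprivileged_userns_clone"  # present on Debian-patched kernels
    limit="$root/user/max_user_namespaces"          # upstream per-namespace limit

    # Debian's switch: 0 forbids unprivileged creation of user namespaces.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "disabled-by-sysctl"; return 0
    fi
    # Upstream limit: 0 allowed namespaces disables the feature for everyone.
    if [ -r "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo "disabled-by-limit"; return 0
    fi
    echo "enabled"
}

# persisted_setting [sysctl_dir]
# Prints the last value set for kernel.unprivileged_userns_clone in the
# directory's *.conf files (lexical order, later wins), or "unset".
# Only this one directory is inspected, not every path sysctl --system reads.
persisted_setting() {
    dir="${1:-/etc/sysctl.d}"
    val="unset"
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    echo "$val"
}

# Report on the live system only when invoked as: script.sh check
if [ "${1:-}" = "check" ]; then
    echo "runtime:   $(userns_status)"
    echo "persisted: $(persisted_setting)"
fi
```

A runtime value of `enabled` with a persisted value of `unset` means only the first of the two commands was applied, so the sandbox error returns after a reboot.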
Information forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Fri, 27 Nov 2020 08:41:01 GMT)
Message #17 received at 44891 <at> debbugs.gnu.org (full text, mbox):
Hi raingloom,
raingloom <raingloom <at> riseup.net> writes:
> On Thu, 26 Nov 2020 16:53:29 +0100
> Andrea Rossi via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
[...]
>> [20998:20998:1126/122306.639343:FATAL:zygote_host_impl_linux.cc(117)]
>> No usable sandbox! Update your kernel or see
>> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux/suid_sandbox_development.md
>> for more information on developing with the SUID sandbox. If you want
>> to live dangerously and need an immediate workaround, you can try
>> using --no-sandbox.
[...]
> Saw a similar issue on Arch recently, my guess is that the sandbox
> binary (I don't remember its name or path) is missing the execute
> permission bit.
As reported in my previous reply to Andrea, AFAIU (thanks Marius Bakke)
Chromium can use two methods to start the sandbox:
1. use the SUID binary
2. use user namespaces
AFAIU the second is better and anyway it's the method used by Guix
ungoogled-chromium
> Not sure how to fix that on Guix, since modifying a store item is
> generally a big no-no. You could maybe write a quick and dirty package
> that takes ungoogled-chromium as its only input, copies it (or just
> creates symlinks?), and runs chmod +x on the sandbox binary.
> That way you don't have to recompile the whole package.
No need for all this :-D
Thanks, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
Information forwarded to bug-guix <at> gnu.org: bug#44891; Package guix. (Fri, 27 Nov 2020 14:03:01 GMT)
Message #20 received at 44891 <at> debbugs.gnu.org (full text, mbox):
On 27/11/20 09:32, Giovanni Biscuolo wrote:
> [...]
> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
>
It works!
Thanks,
Andrea
Reply sent to Giovanni Biscuolo <g <at> xelera.eu>: You have taken responsibility. (Fri, 27 Nov 2020 15:30:02 GMT)
Notification sent to Andrea Rossi <p <at> a9i.it>: bug acknowledged by developer. (Fri, 27 Nov 2020 15:30:02 GMT)
Message #25 received at 44891-done <at> debbugs.gnu.org (full text, mbox):
Andrea Rossi via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
> On 27/11/20 09:32, Giovanni Biscuolo wrote:
>> [...]
>> 1. sudo sysctl -w kernel.unprivileged_userns_clone=1
>> 2. sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"
>
> It works!
Fine! Closing this bug.
Ciao, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 26 Dec 2020 12:24:06 GMT)
This bug report was last modified 4 years and 177 days ago.