Apify Discord Mirror

Updated 3 days ago

Chromium sandboxing failed

At a glance
The community member is running Crawlee in a Docker container used in a Jenkins task, and is encountering an error related to Chromium sandboxing. To resolve this, the community member can either configure the environment to support sandboxing (preferred) or launch Chromium without the sandbox using the 'chromiumSandbox: false' option. Another community member suggests using the official Playwright Docker image as a base and creating a separate user with appropriate permissions. The provided Dockerfile example demonstrates this approach, which involves creating an 'appuser' and running the application as that user. The community member confirms that this solution fixed the issue, but on their Jenkins instance hosted on AWS EC2, they also needed to add a seccomp profile as mentioned in the shared URL.
I run Crawlee in a docker container. That docker container is used in a Jenkins task.
When starting the crawler I receive the following error:
```text
Browser logs:
  Chromium sandboxing failed!
  ================================
  To avoid the sandboxing issue, do either of the following:
    - (preferred): Configure your environment to support sandboxing
    - (alternative): Launch Chromium without sandbox using 'chromiumSandbox: false' option
  ================================
```

The full error log can be found in the attachment.
This error only occurs after upgrading crawlee[playwright] to 0.5.2.

What are the advantages/disadvantages of launching Chromium without sandbox? How could I configure my environment to support sandboxing?
Hey @ROYOSTI

Using a sandbox is generally safer in terms of isolating processes.

Your error is probably related to the docker configuration.

Try either using the official playwright docker file as a base - https://playwright.dev/python/docs/docker.

Or update the configuration... possibly to use a separate user with appropriate permissions (playwright may not work when running as root user)

Hi @Mantisus,

Thanks for the quick response!

I suck so hard at making docker files. So if I want to use the official docker file as base I probably need to alter my Dockerfile like this:
FROM mcr.microsoft.com/playwright/python:v1.49.1-noble

Do I somewhere need to use adduser? And what about the seccomp profile?

What if I want to update my configuration manually by adding a separate user? Could you point me in the right direction on how to do so?

My docker file looks like this:
```dockerfile
FROM python:3.11.2

ENV APP_HOME=/app
ENV TESTS_PATH=/app/tests
ENV PYTHONPATH=${PYTHONPATH}:${APP_HOME}:${TESTS_PATH}
ENV CRAWLEE_STORAGE_DIR=${APP_HOME}/storage

WORKDIR ${APP_HOME}

RUN pip install --upgrade pip

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

RUN pip install playwright && playwright install --with-deps

COPY . ${APP_HOME}

RUN mkdir -p ${APP_HOME}/storage

ENTRYPOINT ["python"]
```

And I run it like this:
```bash
docker run --rm -t $docker_args \
    -v /mnt/storage:/app/storage \
    -e MONGO_HOST=${MONGO_HOST} \
    -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
    -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
    -e SPAWN=${SPAWN} \
    -e MONGO_CACHE=${MONGO_CACHE} \
    ${IMAGE_NAME} $prog_args
```

Try something like this.

```dockerfile
# Official Playwright image: browsers and their system dependencies are preinstalled
FROM mcr.microsoft.com/playwright/python:v1.49.1-noble

ENV APP_HOME=/app
ENV TESTS_PATH=/app/tests
ENV PYTHONPATH=${PYTHONPATH}:${APP_HOME}:${TESTS_PATH}
ENV CRAWLEE_STORAGE_DIR=${APP_HOME}/storage

WORKDIR ${APP_HOME}

# Create an unprivileged system user and group to run the crawler as (instead of root)
RUN groupadd -r appuser && useradd -r -g appuser -m -d /home/appuser appuser \
    && mkdir -p /home/appuser/.cache \
    && chown -R appuser:appuser /home/appuser/.cache

RUN pip install --upgrade pip

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . ${APP_HOME}
RUN mkdir -p ${APP_HOME}/storage

# Give the unprivileged user ownership of the application and its storage directory
RUN chown -R appuser:appuser ${APP_HOME}

# Drop root before the application starts
USER appuser

ENTRYPOINT ["python", "main.py"]
```

I have this working locally without having to configure seccomp

Thanks @Mantisus. This fixed my issue!
On my Jenkins instance (hosted on AWS EC2) I needed to add a seccomp as mentioned in the URL you shared, otherwise I would receive another error. Thanks for helping me!
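
For the seccomp step mentioned in the last reply, an added example (not code from this thread or from the Playwright project) that checks whether a Docker seccomp profile lets a process create user namespaces and, if not, appends one allow rule for it. It assumes the extra rule needed is an unconditional allow for `clone`, `setns` and `unshare`; `SAMPLE_DEFAULT` is a constructed, trimmed stand-in for Docker's default profile, and the function names are illustrative.

```python
import json

# Syscalls used to create user namespaces (assumption, see lead-in).
USERNS_SYSCALLS = ("clone", "setns", "unshare")


def allows_unconditionally(profile, syscall):
    """True if `syscall` is allowed with no argument or capability condition."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return True
    for rule in profile.get("syscalls", []):
        if (rule.get("action") == "SCMP_ACT_ALLOW"
                and syscall in rule.get("names", [])
                and not rule.get("args")
                and not rule.get("includes")
                and not rule.get("excludes")):
            return True
    return False


def add_userns_rule(profile):
    """Return a copy of `profile` that also allows the user-namespace syscalls."""
    patched = json.loads(json.dumps(profile))  # deep copy, input stays untouched
    missing = [s for s in USERNS_SYSCALLS if not allows_unconditionally(patched, s)]
    if missing:
        patched.setdefault("syscalls", []).append({
            "comment": "Allow creating user namespaces (Chromium sandbox)",
            "names": missing,
            "action": "SCMP_ACT_ALLOW",
        })
    return patched


# Constructed, heavily trimmed stand-in for Docker's default seccomp profile.
SAMPLE_DEFAULT = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        # clone is allowed only while no CLONE_NEW* namespace flag is set
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        # setns/unshare are allowed only for containers holding CAP_SYS_ADMIN
        {"names": ["setns", "unshare"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(add_userns_rule(SAMPLE_DEFAULT), indent=2))
```

Write the patched profile to a file and pass it with `docker run --security-opt seccomp=<file>`; unlike `seccomp=unconfined` or `chromiumSandbox: false`, every other restriction of the default profile stays in force.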