Avoid --no-sandbox with a non-root user.

[grayside]

The Official Puppeteer Docker guidance includes various steps to avoid operating as a root user, which allows sidestepping the sandbox issues. I configured something based on the official docs, with a bit of flare for this project, by adding the following layers to my Dockerfile:

# Add user so we don't need --no-sandbox.
RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
    && mkdir -p /home/pptruser/Downloads \
    && chown -R pptruser:pptruser /home/pptruser \
    && chown -R pptruser:pptruser /screenshots \
    && chown -R pptruser:pptruser /usr/local/share/.config/yarn/global/node_modules

USER pptruser

[wkerswell-gresham]

Does this allows you to run without --no-sandbox? If so should we pull request this back in as its a feature we would also like?

Edit: Actually looking at this and docker file source this is already in there. Our issue must be somewhere else.

[grayside]

At the time I filed this, the code snippet above was not present in the Dockerfile. Have you tried a docker pull to see if the change has propagated to your machine?

[wkerswell-gresham]

We are using Jenkins so the build nodes are new every time and the latest image will be pulled from dockerhub.

[wuno]

@grayside would you please mind sharing your Docker file?

I have been all over the internet to figure out the correct way to run my node project which uses Puppeteer in Docker. No matter what I have tried I end up with,

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

I copied in the exact Docker file from here and I still get the same errors.

Any help or examples would be greatly appreciated.

The other thing I tried was running as root instead of switching to pptruser. When I do that it throws an error about needing to run with

--no-sandbox

I have not been able to figure out how to pass --no-sandbox to Docker when I run to get past that error. If you know how to overcome either one of these problems it would be helpful to us.

[grayside]

Here is the project: https://github.com/phase2/docker-pa11y

The current master branch is likely broken, this PR needs a bit more testing but better reflects what you would mimic: phase2/docker-pa11y#8