
PermissionDenied

Open bassra opened this issue 1 year ago • 8 comments

Hi,

I download build from https://github.com/lightpanda-io/browser/releases/download/nightly/lightpanda-x86_64-linux

and try to run it in docker but it fails every time with the following error. I tried different ports but couldn't succeed.

info(cli): Server mode: listening on 0.0.0.0:9223...
error: PermissionDenied

bassra avatar Nov 24 '24 05:11 bassra

If I build the docker image locally and run it, it gives the following error.

docker run -it  -p 3245:3245 lightpanda:latest
info(cli): Server mode: listening on 0.0.0.0:3245...
info(server): accepting new conn...
error(server): accept error: error.WouldBlock
error(server): Server error: error.WouldBlock

bassra avatar Nov 24 '24 08:11 bassra

Hello @bassra, thank you for testing the browser :pray:

I think the issue is due to docker's default seccomp profile blocking io_uring. See https://github.com/moby/moby/issues/47532.

Can you try to run your container w/ --privileged option?

Note 1: On my local test I wasn't able to stop the container correctly, I had to kill it manually. I don't know what's wrong :thinking:

~Note 2: about your tests, for now, the binary doesn't expose directly a websocket server for CDP, but an internal protocol instead.~ ~You will have to use a gateway server until we finish the websocket (WIP).~

~If you're interested, I can share with you the gateway binary.~

Thanks to #310 you can directly use lightpanda now.

Note 3: I tried to retrieve a webpage directly with the lightpanda https://google.com command, but the final container doesn't include ca certificates, that's something we have to fix.

krichprollsch avatar Nov 24 '24 09:11 krichprollsch

Hello @bassra, about my Note 2, thanks to #310 the websocket is now directly integrated. No need to have an additional gateway.

krichprollsch avatar Dec 02 '24 08:12 krichprollsch

@krichprollsch is this issue still open? After the latest update I was able to build the docker image, but if I try to run it, I receive the PermissionDenied error. Here are some examples:

sudo docker run -it lightpanda:latest
error: PermissionDenied
sudo docker run -it  -p 3245:3245 lightpanda:latest --privileged
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "--privileged": executable file not found in $PATH: unknown.

Ikedio avatar Jan 17 '25 14:01 Ikedio

@Ikedio the --privileged option must be passed before the first argument.

Additional notes:

  • expose the port 9222 instead of 3245. 9222 is for the traditional websocket connection. The other port is deprecated.
  • the server doesn't handle CTRL+C to shut down inside the docker container. It's a bug. You have to use docker stop <your container> to stop it.
$ docker run -it --privileged  -p 9222:9222 lightpanda:latest

krichprollsch avatar Jan 17 '25 14:01 krichprollsch

Thanks @krichprollsch, worked like a charm. I'll leave a docker-compose.yml example here, it could be helpful for someone else.

---
services:
  lightpanda:
    image: lightpanda:latest
    container_name: lightpanda
    privileged: true
    ports:
      - "9222:9222"
    restart: always

Ikedio avatar Jan 17 '25 15:01 Ikedio

@krichprollsch is there any other way to solve this issue without adding --privileged access? Just running a headless browser in a container but having full host access doesn't seem right...

0wx avatar Feb 26 '25 23:02 0wx

Hello @0wx, one solution to avoid the usage of --privileged is to provide a seccomp profile with the option --security-opt seccomp=profile.json. Unfortunately we don't have a profile made for Lightpanda. But we are open to a PR if you want to create one :)

Jessie Frazelle wrote an interesting blog post on the subject. She shared a profile for chrome which could be a good start too.

krichprollsch avatar Feb 27 '25 08:02 krichprollsch
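Added example, not from this thread or the Lightpanda project: a small Python helper that checks whether a Docker-style seccomp profile resolves the three io_uring syscalls to SCMP_ACT_ALLOW, and produces a patched copy that adds only those names to the allow-list, so the container can run with --security-opt seccomp=profile.json instead of --privileged. The BASE_PROFILE below is a constructed stand-in for Docker's default profile (same shape, far fewer names); with the real default you would load its JSON file instead.

```python
import copy
import json

# Constructed stand-in for Docker's default profile: deny-by-default plus an
# allow-list. The real default lists several hundred names; only the shape
# matters here. io_uring_* is absent, so it falls through to SCMP_ACT_ERRNO.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
    "syscalls": [
        {"names": ["read", "write", "close", "socket", "bind", "listen", "accept4"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}

IO_URING = ("io_uring_setup", "io_uring_enter", "io_uring_register")


def action_for(profile, syscall):
    """Resolve the action a profile applies to one syscall name.

    Only unconditional rules (no "args" filter) are considered. If the name
    appears in rules with conflicting actions, return "AMBIGUOUS" so a caller
    never mistakes a contested syscall for an allowed one.
    """
    actions = {r["action"] for r in profile.get("syscalls", [])
               if syscall in r.get("names", []) and not r.get("args")}
    if not actions:
        return profile["defaultAction"]
    return actions.pop() if len(actions) == 1 else "AMBIGUOUS"


def io_uring_allowed(profile):
    """True only if all three io_uring syscalls resolve to SCMP_ACT_ALLOW."""
    return all(action_for(profile, s) == "SCMP_ACT_ALLOW" for s in IO_URING)


def allow_io_uring(profile):
    """Return a copy of `profile` where exactly the io_uring syscalls are added
    to the allow-list and removed from any rule that would deny them."""
    out = copy.deepcopy(profile)
    for rule in out.setdefault("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", []) if n not in IO_URING]
    out["syscalls"] = [r for r in out["syscalls"] if r.get("names")]
    out["syscalls"].append({"names": list(IO_URING), "action": "SCMP_ACT_ALLOW"})
    return out


def write_profile(profile, path):
    """Serialize for: docker run --security-opt seccomp=<path> -p 9222:9222 ..."""
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)
    return path
```

Opening only these three syscalls leaves the rest of the default deny-list in place, which is the least-privilege alternative to --privileged that the comment points at.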

Surprisingly, I cannot make it work, even with --privileged (that I would like to avoid using btw) 🤔

~/d/r/b/local ❯❯❯ docker run -it --privileged --platform linux/amd64 --rm andalouse/lightpanda-browser:nightly-amd64 bash
root@8e0211b2a218:/# /bin/lightpanda
error(io): io_uring is not available
error(io): likely cause: the syscall is disabled by seccomp
$time=1749033055749 $scope=app $level=fatal $msg=exit err=SystemOutdated

Any idea anyone?

redox avatar Jun 04 '25 10:06 redox

Hello @redox, thanks for your message. I can't reproduce your issue w/ my Linux, can you share the specs of the machine you are using please?

krichprollsch avatar Jun 16 '25 23:06 krichprollsch

Oh yeah, I'm not surprised it works on Linux... I'm on macOS with a M1/apple silicon...

redox avatar Jun 17 '25 06:06 redox

@redox we added a linux/arm version. We also published an official multi-arch docker image: https://hub.docker.com/r/lightpanda/browser

But it seems Docker Desktop blocked io_uring in the linux VM kernel.

  • https://forums.docker.com/t/4-42-0-and-io-uring/148620
  • https://github.com/docker/for-mac/issues/7707

A solution would be to enable the kernel syscall in the linux VM hosting docker, but idk how to do that on docker desktop.

The problem will not happen on a real linux instance.

What do you use to run docker on your mac?

krichprollsch avatar Jul 02 '25 16:07 krichprollsch

Hello here, we switched our loop and we don't need the --privileged option anymore w/ docker. @redox could you take the time to re-test the issue please? 🙏

krichprollsch avatar Oct 24 '25 07:10 krichprollsch

I tested without --privileged on my M4 with both --platform linux/arm64 and --platform linux/amd64: they didn't complain about io_uring, but I don't get why it doesn't output anything:

❯❯❯ docker run -it --platform linux/arm64 --rm lightpanda/browser:nightly fetch https://example.org
❯❯❯ docker run -it --platform linux/amd64 --rm lightpanda/browser:nightly fetch https://example.org  

isn't the fetch supposed to dump everything on the standard output?

redox avatar Oct 24 '25 09:10 redox

you need the --dump option :)

docker run -it --platform linux/amd64 --rm lightpanda/browser:nightly fetch --dump https://example.org

krichprollsch avatar Oct 24 '25 10:10 krichprollsch

Amazing, I confirm it works like a charm:

❯❯❯ docker run -it --platform linux/amd64 --rm lightpanda/browser:nightly fetch --dump http://example.org
<!DOCTYPE html>
<html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div></body></html>
❯❯❯ docker run -it --platform linux/arm64 --rm lightpanda/browser:nightly fetch --dump http://example.org
<!DOCTYPE html>
<html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div></body></html>

redox avatar Oct 24 '25 10:10 redox