
discussion: Should `--no-sandbox` be enabled by default in AppArmor environments?

Open lino-levan opened this issue 8 months ago • 2 comments

See for context: https://github.com/denoland/fresh/pull/2901#discussion_r2084071374

Perhaps the best default is not just rolling over and failing, but booting with --no-sandbox with a big warning message.

lino-levan avatar May 12 '25 16:05 lino-levan

I'm thinking it might be a good default in CI, but that doesn't address the underlying issue in the fresh case.

lino-levan avatar May 12 '25 18:05 lino-levan

I think astral should indeed add it by default when CI/GITHUB_ACTIONS env is set

On the default GitHub runner (ubuntu-latest) I'm getting errors for it:

```
[2195:2195:0530/070737.422919:FATAL:zygote_host_impl_linux.cc(126)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

[0530/070737.436133:ERROR:file_io_posix.cc(145)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
[0530/070737.436187:ERROR:file_io_posix.cc(145)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
```

lowlighter avatar May 30 '25 16:05 lowlighter
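
One way to implement the CI-only fallback discussed in this thread, as an added example that is not astral's code and not from any commenter. The function names are hypothetical, and the check is a heuristic that assumes the sandbox failure comes from the two sysctls below restricting unprivileged user namespaces; the caller supplies the environment and a file reader.

```typescript
// Added example; all names here are hypothetical and not part of astral's API.
type Env = Record<string, string | undefined>;
type ReadText = (path: string) => string | null; // null when the file is unreadable

interface SandboxDecision {
  args: string[];         // extra Chromium flags to pass at launch
  blocker: string | null; // sysctl setting that likely breaks the sandbox
  warning: string | null; // message the launcher should print prominently
}

// Sysctls gating unprivileged user namespaces, which Chromium's sandbox
// needs when no SUID sandbox helper is installed.
const APPARMOR_USERNS = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns";
const USERNS_CLONE = "/proc/sys/kernel/unprivileged_userns_clone";

function usernsBlocker(read: ReadText): string | null {
  if (read(APPARMOR_USERNS)?.trim() === "1") return "apparmor_restrict_unprivileged_userns=1";
  if (read(USERNS_CLONE)?.trim() === "0") return "unprivileged_userns_clone=0";
  return null; // files absent or permissive: leave Chromium's defaults alone
}

function isCI(env: Env): boolean {
  return [env["CI"], env["GITHUB_ACTIONS"]].some(
    (v) => v !== undefined && v !== "" && v !== "0" && v.toLowerCase() !== "false",
  );
}

function decideSandbox(env: Env, read: ReadText): SandboxDecision {
  const blocker = usernsBlocker(read);
  if (blocker === null) return { args: [], blocker, warning: null };
  if (!isCI(env)) {
    // Outside CI, keep the sandbox and let the operator fix the host policy.
    return { args: [], blocker, warning:
      `Chromium sandbox is likely unusable (${blocker}); not disabling it outside CI.` };
  }
  return { args: ["--no-sandbox"], blocker, warning:
    `WARNING: CI detected and ${blocker}; launching Chromium with --no-sandbox. ` +
    `Only load content you trust in this browser.` };
}

// Constructed sample input: sysctl values as read on a host with the AppArmor restriction on.
const sampleSysctls: Record<string, string> = { [APPARMOR_USERNS]: "1\n", [USERNS_CLONE]: "1\n" };
const sampleRead: ReadText = (path) => sampleSysctls[path] ?? null;
```

Outside CI the decision keeps the sandbox and only reports the blocking setting, so the flag is never added silently on a developer machine.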