diff --git a/packages/preview-service/routes/preview.js b/packages/preview-service/routes/preview.js index c3ec6d998..c910641a0 100644 --- a/packages/preview-service/routes/preview.js +++ b/packages/preview-service/routes/preview.js @@ -62,11 +62,11 @@ async function getScreenshot(objectUrl, boundLogger = logger) { headless: shouldBeHeadless, userDataDir: '/tmp/puppeteer', executablePath: '/usr/bin/google-chrome-stable', - args: ['--disable-dev-shm-usage'] + // we trust the web content that is running, so can disable the sandbox + // disabling the sandbox allows us to run the docker image without linux kernel privileges + args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage'] } - // if ( process.env.PUPPETEER_SKIP_CHROMIUM_DOWNLOAD === 'true' ) { - // launchParams.executablePath = 'chromium' - // } + const browser = await puppeteer.launch(launchParams) const page = await browser.newPage() diff --git a/utils/helm/speckle-server/templates/preview_service/deployment.yml b/utils/helm/speckle-server/templates/preview_service/deployment.yml index 7c3b78357..9d022d955 100644 --- a/utils/helm/speckle-server/templates/preview_service/deployment.yml +++ b/utils/helm/speckle-server/templates/preview_service/deployment.yml @@ -50,10 +50,8 @@ spec: capabilities: drop: - ALL - add: - - SYS_ADMIN #TODO remove this and replace with sec comp profile: https://stackoverflow.com/a/53975412 privileged: false - # readOnlyRootFilesystem: true # this breaks chromium + # readOnlyRootFilesystem: true #FIXME this currently breaks chromium. Need to identify which directories should be mounted. runAsNonRoot: true runAsUser: 800 @@ -101,8 +99,8 @@ spec: fsGroup: 25000 fsGroupChangePolicy: OnRootMismatch runAsGroup: 30000 - # seccompProfile: - # type: RuntimeDefault #TODO: uncomment this when we have a profile for chromium + seccompProfile: + type: RuntimeDefault # Should be > preview generation time ( 1 hour for good measure ) terminationGracePeriodSeconds: 3600