Skip to content

Fix not being able to run tests on Electron in Ubuntu 24.04 pipelines #8914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
GytisCepk wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Fix not being able to run tests on Electron in Ubuntu 24.04 pipelines #8914

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
145571b
Use ubuntu-latest in PR validation pipeline
GytisCepk Jan 20, 2026
4017514
Try 'unconfined' profile
GytisCepk Jan 20, 2026
0621976
Try changing permissions for chrome-sandbox
GytisCepk Jan 20, 2026
f975fa5
Restore other tests
GytisCepk Jan 20, 2026
16ef34b
Clean up
GytisCepk Jan 20, 2026
1d9f7fc
Update common/config/azure-pipelines/templates/integration-test-steps…
GytisCepk Jan 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion common/config/azure-pipelines/integration-pr-validation.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
- job: Node_24_x
condition: succeeded()
pool:
vmImage: ubuntu-22.04 # ubuntu-latest is 24.04, and breaks tests using sandbox
vmImage: ubuntu-latest
steps:
- checkout: self
clean: true
Expand Down
6 changes: 3 additions & 3 deletions common/config/azure-pipelines/integration-validation.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
strategy:
matrix:
Linux_node_20_x:
imageName: ubuntu-22.04 # ubuntu-latest is 24.04, and breaks tests using sandbox
imageName: ubuntu-latest
Copy link
Contributor

@MichaelSwigerAtBentley MichaelSwigerAtBentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure we want to swap to latest and not a fixed 24.x? What if latest breaks us again in the future

poolName:
nodeVersion: 20.x
Windows_node_20_x:
Expand All @@ -34,7 +34,7 @@ jobs:
poolName: "iModelTechMacArm"
nodeVersion: 20.x
Linux_node_22_x:
imageName: ubuntu-22.04 # ubuntu-latest is 24.04, and breaks tests using sandbox
imageName: ubuntu-latest
poolName:
nodeVersion: 22.x
Windows_node_22_x:
Expand All @@ -46,7 +46,7 @@ jobs:
poolName: "iModelTechMacArm"
nodeVersion: 22.x
Linux_node_24_x:
imageName: ubuntu-22.04 # ubuntu-latest is 24.04, and breaks tests using sandbox
imageName: ubuntu-latest
poolName:
nodeVersion: 24.x
Windows_node_24_x:
Expand Down
12 changes: 12 additions & 0 deletions common/config/azure-pipelines/templates/integration-test-steps.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,18 @@ steps:
node ./common/scripts/install-run-rush webpack:test -v
displayName: "Rush build"

- script: |
SANDBOX_PATH=$(find $PWD/common/temp/node_modules/.pnpm -path "*/electron@*/node_modules/electron/dist/chrome-sandbox" 2>/dev/null | head -n 1)
if [ -f "$SANDBOX_PATH" ]; then
sudo chown root:root "$SANDBOX_PATH"
sudo chmod 4755 "$SANDBOX_PATH"
Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think running chrome-sandbox as root is really bad idea. I would say that if this is the recommended solution, then the people doing the recommending are not very trustworthy.

Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(But I guess it's possible that I'm missing something, and chrome-sandbox is somehow super safe to run as root. I'm dubious about that, though.)

Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be a safer fix:

https://gist.github.com/0xdeadbad/5ef3a38c8cf6efc264d9a6f11f50e5b8

Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: the fix fix above is for a different program, but I think it can be adapted to work with Electron/chrome-sandbox.

Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, the following command probably fixes the problem without giving root privileges to the chrome-sandbox process:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

I believe that this puts the security back to the way it was before 24.04. That's definitely not ideal, but may be better than the current fix. Changing the 0 at the end to 1 restores the original settings.

Copy link
Contributor

@MichaelSwigerAtBentley MichaelSwigerAtBentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment about what this chmod enables? This is setting execute (5 - read+execute) for all users, correct?

Copy link
Member

@tcobbs-bentley tcobbs-bentley Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it is decided to leave this, then a comment explaining what it does and why it is acceptable is definitely required. The 4 at the beginning means that chrome-sandbox will execute using the user ID of the file's owner. The file was just changed to be owned by root, so what this is doing is having chrome-sandbox execute as root, with full root privileges. That seems to be the intended fix, but I find it to be very dangerous.

echo "Fixed permissions for $SANDBOX_PATH"
else
echo "##vso[task.logissue type=warning]Unable to configure chrome-sandbox permissions"
fi
displayName: "Fix Electron chrome-sandbox Permissions"
condition: and(succeededOrFailed(), eq(variables['Agent.OS'], 'Linux'))

- script: npm run test:integration
workingDirectory: "full-stack-tests/backend"
env:
Expand Down
Loading