feat(go): run Chromium in Linux namespaces (#835)

Author: Proximyst

.github/workflows/docker-test.yaml

@@ -62,6 +62,10 @@ jobs:
           echo "$SECRET" > "$LPATH"
           echo "LICENSE_JWT=$LPATH" >> "$GITHUB_ENV"
 
+      - name: Enable unprivileged user namespaces
+        run: |
+          sudo sysctl kernel.unprivileged_userns_clone=1
+          sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
       - name: go test ./tests/acceptance/...
         run: go test ./tests/acceptance/... -count=1
         env:

cmd/root.go

@@ -6,6 +6,7 @@ import (
 	"log/slog"
 
 	"github.com/grafana/grafana-image-renderer/cmd/healthcheck"
+	"github.com/grafana/grafana-image-renderer/cmd/sandbox"
 	"github.com/grafana/grafana-image-renderer/cmd/server"
 	"github.com/grafana/grafana-image-renderer/pkg/config"
 	"github.com/grafana/grafana-image-renderer/pkg/service"
@@ -39,6 +40,7 @@ func NewRootCmd() *cli.Command {
 		Commands: []*cli.Command{
 			healthcheck.NewCmd(),
 			server.NewCmd(),
+			sandbox.NewCmd(),
 		},
 	}
 }

cmd/sandbox/cmd.go

@@ -0,0 +1,204 @@
+package sandbox
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/grafana/grafana-image-renderer/pkg/sandbox"
+	"github.com/urfave/cli/v3"
+	"go.opentelemetry.io/otel/trace"
+	libcap "kernel.org/pub/linux/libs/security/libcap/cap"
+)
+
+func NewCmd() *cli.Command {
+	return &cli.Command{
+		Name:   "_internal_sandbox",
+		Usage:  "Starts the browser in a best-effort sandbox.",
+		Hidden: true,
+		Commands: []*cli.Command{
+			{
+				Name:  "supported",
+				Usage: "Check if the current environment supports sandboxing. This is best-effort.",
+				Action: func(ctx context.Context, c *cli.Command) error {
+					if !sandbox.Supported(ctx) {
+						return fmt.Errorf("sandboxing is not supported in this environment")
+					}
+					return nil
+				},
+			},
+			{
+				Name:  "run",
+				Usage: "Run a command inside the sandbox.",
+				Flags: []cli.Flag{
+					&cli.StringSliceFlag{
+						Name:  "mount",
+						Usage: "Additional mount points to bind into the sandbox in the form of host_path:container_path(:rw)",
+						Validator: func(s []string) error {
+							for _, s := range s {
+								if _, err := parseBindMount(s); err != nil {
+									return fmt.Errorf("invalid --mount value %q: %w", s, err)
+								}
+							}
+							return nil
+						},
+					},
+					&cli.StringFlag{
+						Name:  "cwd",
+						Usage: "The working directory inside the sandbox.",
+						Value: "/tmp",
+					},
+					&cli.StringFlag{
+						Name:  "trace",
+						Usage: "The OpenTelemetry trace ID to use in logs. This does not change anything about the browser, only the sandbox's log output.",
+					},
+					&cli.StringFlag{
+						Name:     "tmp",
+						Usage:    "The directory to mount as /tmp insidee the sandbox. This is intended to be a read-write bind mount.",
+						Required: true,
+					},
+				},
+				Action: run,
+			},
+			{
+				Name:            "bootstrap",
+				Usage:           "Bootstrap the sandbox environment.",
+				SkipFlagParsing: true,
+				Action: func(ctx context.Context, c *cli.Command) error {
+					newRoot, err := os.MkdirTemp("", "")
+					if err != nil {
+						return fmt.Errorf("failed to create temp dir: %w", err)
+					}
+					defer func() { _ = os.RemoveAll(newRoot) }()
+
+					cmd := exec.CommandContext(ctx, "/proc/self/exe", append([]string{"_internal_sandbox", "run"}, c.Args().Slice()...)...)
+					cmd.Dir = newRoot
+					cmd.Stdin = os.Stdin
+					cmd.Stdout = os.Stdout
+					cmd.Stderr = os.Stderr
+					cmd.SysProcAttr = &syscall.SysProcAttr{
+						Pdeathsig:  syscall.SIGKILL,
+						Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
+						UidMappings: []syscall.SysProcIDMap{
+							{
+								ContainerID: 0,
+								HostID:      os.Getuid(),
+								Size:        1,
+							},
+						},
+						GidMappings: []syscall.SysProcIDMap{
+							{
+								ContainerID: 0,
+								HostID:      os.Getgid(),
+								Size:        1,
+							},
+						},
+					}
+
+					return cmd.Run()
+				},
+			},
+		},
+	}
+}
+
+func run(ctx context.Context, c *cli.Command) error {
+	ctx, err := adoptTrace(ctx, c.String("trace"))
+	if err != nil {
+		slog.WarnContext(ctx, "failed to adopt trace", "error", err)
+	}
+
+	var bindMounts []sandbox.BindMount
+	for _, s := range c.StringSlice("mount") {
+		bm, err := parseBindMount(s)
+		if err != nil {
+			// should be unreachable, but easy to just return the error :P
+			return fmt.Errorf("invalid --mount value %q: %w", s, err)
+		}
+		bindMounts = append(bindMounts, bm)
+	}
+	bindMounts = append(bindMounts, sandbox.BindMount{
+		Source:      c.String("tmp"),
+		Destination: "/tmp",
+		ReadWrite:   true,
+	})
+
+	command := c.Args().Slice()
+	if len(command) == 0 {
+		return fmt.Errorf("no command specified to run in sandbox")
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		return fmt.Errorf("failed to get current working directory: %w", err)
+	}
+
+	if err := sandbox.SetupFS(ctx, cwd, bindMounts); err != nil {
+		return fmt.Errorf("failed to setup sandbox filesystem: %w", err)
+	}
+
+	if err := shedCapabilities(); err != nil {
+		slog.WarnContext(ctx, "failed to shed capabilities", "error", err)
+	}
+
+	cmd := exec.CommandContext(ctx, command[0], command[1:]...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Dir = c.String("cwd")
+	if cmd.SysProcAttr == nil {
+		cmd.SysProcAttr = &syscall.SysProcAttr{}
+	}
+	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+
+	// TODO: Ensure this respects signals properly?
+	return cmd.Run()
+}
+
+func parseBindMount(s string) (sandbox.BindMount, error) {
+	host, container, found := strings.Cut(s, ":")
+	if !found {
+		return sandbox.BindMount{}, fmt.Errorf("invalid mount format, expected host_path:container_path(:rw)")
+	}
+	container, rw, _ := strings.Cut(container, ":")
+
+	if !filepath.IsAbs(host) {
+		return sandbox.BindMount{}, fmt.Errorf("host path must be absolute: %s", host)
+	} else if !filepath.IsAbs(container) {
+		return sandbox.BindMount{}, fmt.Errorf("container path must be absolute: %s", container)
+	} else if rw != "" && rw != "rw" {
+		return sandbox.BindMount{}, fmt.Errorf("invalid mount option (must be rw or absent): %s", rw)
+	}
+
+	return sandbox.BindMount{
+		Source:      host,
+		Destination: container,
+		ReadWrite:   rw == "rw",
+	}, nil
+}
+
+func adoptTrace(ctx context.Context, traceID string) (context.Context, error) {
+	if traceID == "" {
+		return ctx, nil
+	}
+	tid, err := trace.TraceIDFromHex(traceID)
+	if err != nil {
+		return ctx, fmt.Errorf("invalid trace ID: %w", err)
+	}
+	return trace.ContextWithRemoteSpanContext(ctx, trace.NewSpanContext(trace.SpanContextConfig{
+		TraceID: tid,
+		Remote:  true,
+	})), nil
+}
+
+func shedCapabilities() error {
+	if err := libcap.DropBound(libcap.SYS_CHROOT, libcap.SYS_ADMIN, libcap.SETPCAP); err != nil {
+		return fmt.Errorf("failed to drop capabilities: %w", err)
+	}
+	return nil
+}

cmd/server/cmd.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"fmt"
+	"log/slog"
 	"slices"
 
 	"github.com/grafana/grafana-image-renderer/pkg/api"
@@ -13,6 +14,7 @@ import (
 	"github.com/urfave/cli/v3"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/propagation"
+	"go.uber.org/automaxprocs/maxprocs"
 )
 
 func NewCmd() *cli.Command {
@@ -25,6 +27,15 @@ func NewCmd() *cli.Command {
 }
 
 func run(ctx context.Context, c *cli.Command) error {
+	_, err := maxprocs.Set(
+		// We use maxprocs over automaxprocs because we need a new minimum value.
+		// 2 is the absolute minimum we can handle, because we use multiple goroutines many places for timeouts.
+		maxprocs.Min(2),
+		maxprocs.Logger(maxProcsLog))
+	if err != nil {
+		slog.Info("failed to set GOMAXPROCS", "err", err)
+	}
+
 	serverConfig, err := config.ServerConfigFromCommand(c)
 	if err != nil {
 		return fmt.Errorf("failed to parse server config: %w", err)
@@ -61,3 +72,7 @@ func run(ctx context.Context, c *cli.Command) error {
 	}
 	return api.ListenAndServe(ctx, serverConfig, handler)
 }
+
+func maxProcsLog(format string, args ...any) {
+	slog.Debug(fmt.Sprintf(format, args...), "component", "automaxprocs")
+}

devenv/docker/go-build/docker-compose.yaml

@@ -43,13 +43,17 @@ services:
     build:
       context: ../../../
       dockerfile: go.Dockerfile
+    cap_add:
+      - CAP_SYS_ADMIN # for clone, mount, unmount, unshare,
+      - CAP_SYS_CHROOT # for chroot
     environment:
       TRACING_ENDPOINT: http://tempo:4318/v1/traces
       LOG_LEVEL: debug
     command:
       - server
       # 1 GiB
       - --rate-limit.max-available=1073741824
+      - --browser.namespaced
     ports:
       - 8081:8081
     depends_on:

go.mod

@@ -5,11 +5,11 @@ go 1.25.3
 require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/chromedp/cdproto v0.0.0-20250803210736-d308e07a266d
-	github.com/chromedp/chromedp v0.14.2
 	github.com/docker/docker v28.3.3+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/gen2brain/go-fitz v1.24.15
 	github.com/go-jose/go-jose/v4 v4.1.2
+	github.com/grafana/chromedp v0.1.0
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
 	github.com/prometheus/client_golang v1.23.2
 	github.com/shirou/gopsutil/v4 v4.25.9
@@ -28,6 +28,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0
 	golang.org/x/sync v0.17.0
 	google.golang.org/grpc v1.76.0
+	kernel.org/pub/linux/libs/security/libcap/cap v1.2.77
 )
 
 require (
@@ -101,6 +102,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.77 // indirect
 )
 
 tool golang.org/x/tools/cmd/goimports

go.sum

@@ -18,8 +18,6 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chromedp/cdproto v0.0.0-20250803210736-d308e07a266d h1:ZtA1sedVbEW7EW80Iz2GR3Ye6PwbJAJXjv7D74xG6HU=
 github.com/chromedp/cdproto v0.0.0-20250803210736-d308e07a266d/go.mod h1:NItd7aLkcfOA/dcMXvl8p1u+lQqioRMq/SqDp71Pb/k=
-github.com/chromedp/chromedp v0.14.2 h1:r3b/WtwM50RsBZHMUm9fsNhhzRStTHrKdr2zmwbZSzM=
-github.com/chromedp/chromedp v0.14.2/go.mod h1:rHzAv60xDE7VNy/MYtTUrYreSc0ujt2O1/C3bzctYBo=
 github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
 github.com/chromedp/sysutil v1.1.0/go.mod h1:WiThHUdltqCNKGc4gaU50XgYjwjYIhKWoHGPTUfWTJ8=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -77,6 +75,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grafana/chromedp v0.1.0 h1:aUTEQyZA3syEVu6dTlbQjNwltgvF7HSNwFL6255fTfM=
+github.com/grafana/chromedp v0.1.0/go.mod h1:Ub0oglYtrhtNKo31O9Cl6IxkaeM3OISlWIIbDmNHtmc=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/jupiterrider/ffi v0.5.1 h1:l7ANXU+Ex33LilVa283HNaf/sTzCrrht7D05k6T6nlc=
@@ -270,3 +270,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.77 h1:iQtQTjFUOcTT19fI8sTCzYXsjeVs56et3D8AbKS2Uks=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.77/go.mod h1:oV+IO8kGh0B7TxErbydDe2+BRmi9g/W0CkpVV+QBTJU=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.77 h1:Z06sMOzc0GNCwp6efaVrIrz4ywGJ1v+DP0pjVkOfDuA=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.77/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=

main.go

@@ -3,14 +3,12 @@ package main
 import (
 	"context"
 	"errors"
-	"fmt"
 	"log/slog"
 	"os"
 	"os/signal"
 	"syscall"
 
 	"github.com/grafana/grafana-image-renderer/cmd"
-	"go.uber.org/automaxprocs/maxprocs"
 )
 
 func main() {
@@ -21,15 +19,6 @@ func run(args []string) int {
 	// Until the command actually does some work to parse log level and whatnot, we will log everything in logfmt format for DEBUG level.
 	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{AddSource: true, Level: slog.LevelDebug})))
 
-	_, err := maxprocs.Set(
-		// We use maxprocs over automaxprocs because we need a new minimum value.
-		// 2 is the absolute minimum we can handle, because we use multiple goroutines many places for timeouts.
-		maxprocs.Min(2),
-		maxprocs.Logger(maxProcsLog))
-	if err != nil {
-		slog.Info("failed to set GOMAXPROCS", "err", err)
-	}
-
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer cancel()
 
@@ -40,7 +29,3 @@ func run(args []string) int {
 
 	return 0
 }
-
-func maxProcsLog(format string, args ...interface{}) {
-	slog.Info(fmt.Sprintf(format, args...), "component", "automaxprocs")
-}