do not use --no-sandbox in containers

thawn · thawn · commit b7635c9dd43b · 2026-01-05T01:12:48.000+01:00
also Remove container detection logic from print_handler and related tests
diff --git a/src/ttmp32gme/print_handler.py b/src/ttmp32gme/print_handler.py
@@ -19,30 +19,6 @@
 logger = logging.getLogger(__name__)
 
 
-def is_running_in_container() -> bool:
-    """Check if the application is running inside a container (Docker/Podman).
-
-    Returns:
-        True if running in a container, False otherwise
-    """
-    # Check for .dockerenv file (Docker)
-    if Path("/.dockerenv").exists():
-        return True
-
-    # Check /proc/1/cgroup for container runtime indicators
-    try:
-        with open("/proc/1/cgroup", "r") as f:
-            content = f.read()
-            # Look for docker, containerd, or other container runtimes
-            if "docker" in content or "containerd" in content or "lxc" in content:
-                return True
-    except (FileNotFoundError, PermissionError):
-        # /proc/1/cgroup doesn't exist or can't be read (not Linux or no permissions)
-        pass
-
-    return False
-
-
 def format_tracks(
     album: Dict[str, Any], oid_map: Dict[str, Dict[str, int]], db_handler: DBHandler
 ) -> str:
@@ -320,14 +296,6 @@ def create_pdf(
         f"http://localhost:{port}/pdf",
     ]
 
-    # Add --no-sandbox flag when running in containers (Docker/Podman)
-    # This is necessary because containers typically don't have the required
-    # Linux capabilities for Chromium's sandbox to work
-    if is_running_in_container():
-        # Insert after chromium path (first element) but before other args
-        args.insert(1, "--no-sandbox")
-        logger.debug("Running in container, adding --no-sandbox flag to Chromium")
-
     logger.info(f"Creating PDF with {found_name}: {' '.join(args)}")
 
     try:
diff --git a/tests/unit/test_print_handler.py b/tests/unit/test_print_handler.py
@@ -3,7 +3,7 @@
 import sqlite3
 import tempfile
 from pathlib import Path
-from unittest.mock import MagicMock, Mock, mock_open, patch
+from unittest.mock import MagicMock, Mock, patch
 
 import pytest
 
@@ -17,7 +17,6 @@
     format_print_button,
     format_track_control,
     format_tracks,
-    is_running_in_container,
 )
 
 
@@ -408,96 +407,6 @@ def test_create_pdf_tries_multiple_names(
             assert result == pdf_file
             assert mock_popen.called
 
-    @patch("ttmp32gme.print_handler.is_running_in_container")
-    @patch("ttmp32gme.print_handler.time.sleep")
-    @patch("ttmp32gme.print_handler.get_executable_path")
-    @patch("ttmp32gme.print_handler.subprocess.Popen")
-    @patch("ttmp32gme.print_handler.tempfile.mkstemp")
-    @patch("ttmp32gme.print_handler.os.close")
-    def test_create_pdf_in_container_adds_no_sandbox(
-        self,
-        mock_os_close,
-        mock_mkstemp,
-        mock_popen,
-        mock_get_exec,
-        mock_sleep,
-        mock_is_container,
-    ):
-        """Test PDF creation adds --no-sandbox flag when running in container."""
-        chromium_path = "/usr/bin/chromium"
-        mock_get_exec.return_value = chromium_path
-        mock_is_container.return_value = True  # Simulate running in container
-
-        # Mock the process - poll() returns None (still running)
-        mock_process = MagicMock()
-        mock_process.poll.return_value = None
-        mock_process.stderr.read.return_value = ""  # No errors in stderr
-        mock_popen.return_value = mock_process
-
-        with tempfile.TemporaryDirectory() as tmpdir:
-            # Mock tempfile.mkstemp to return a path in our temp directory
-            pdf_file = Path(tmpdir) / "ttmp32gme_print_test.pdf"
-            mock_mkstemp.return_value = (999, str(pdf_file))
-
-            # Create the PDF file so the function succeeds
-            pdf_file.write_text("fake pdf content")
-
-            result = create_pdf(10020)
-
-            assert result is not None
-            assert result == pdf_file
-            assert mock_popen.called
-
-            # Verify --no-sandbox flag is present in arguments
-            call_args = mock_popen.call_args[0][0]
-            assert "--no-sandbox" in call_args
-            # Verify it's positioned right after chromium path
-            chromium_index = call_args.index(chromium_path)
-            assert call_args[chromium_index + 1] == "--no-sandbox"
-
-    @patch("ttmp32gme.print_handler.is_running_in_container")
-    @patch("ttmp32gme.print_handler.time.sleep")
-    @patch("ttmp32gme.print_handler.get_executable_path")
-    @patch("ttmp32gme.print_handler.subprocess.Popen")
-    @patch("ttmp32gme.print_handler.tempfile.mkstemp")
-    @patch("ttmp32gme.print_handler.os.close")
-    def test_create_pdf_not_in_container_no_sandbox_flag(
-        self,
-        mock_os_close,
-        mock_mkstemp,
-        mock_popen,
-        mock_get_exec,
-        mock_sleep,
-        mock_is_container,
-    ):
-        """Test PDF creation does NOT add --no-sandbox flag when not in container."""
-        mock_get_exec.return_value = "/usr/bin/chromium"
-        mock_is_container.return_value = False  # Simulate NOT running in container
-
-        # Mock the process - poll() returns None (still running)
-        mock_process = MagicMock()
-        mock_process.poll.return_value = None
-        mock_process.stderr.read.return_value = ""  # No errors in stderr
-        mock_popen.return_value = mock_process
-
-        with tempfile.TemporaryDirectory() as tmpdir:
-            # Mock tempfile.mkstemp to return a path in our temp directory
-            pdf_file = Path(tmpdir) / "ttmp32gme_print_test.pdf"
-            mock_mkstemp.return_value = (999, str(pdf_file))
-
-            # Create the PDF file so the function succeeds
-            pdf_file.write_text("fake pdf content")
-
-            result = create_pdf(10020)
-
-            assert result is not None
-            assert result == pdf_file
-            assert mock_popen.called
-
-            # Verify --no-sandbox flag is NOT present in arguments
-            call_args = mock_popen.call_args[0][0]
-            assert "--no-sandbox" not in call_args
-
 
 class TestFormatPrintButton:
     """Test format_print_button function."""
@@ -535,98 +444,3 @@ def test_format_print_button_linux_with_chromium(self, mock_get_exec, mock_syste
 
         assert "Print This Page</button>" in result
         assert "Save as PDF</button>" in result
-
-
-class TestIsRunningInContainer:
-    """Test is_running_in_container function."""
-
-    @patch("ttmp32gme.print_handler.Path")
-    def test_dockerenv_exists(self, mock_path):
-        """Test container detection when .dockerenv file exists."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = True
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is True
-        mock_path.assert_called_once_with("/.dockerenv")
-
-    @patch("builtins.open", new_callable=mock_open, read_data="12:pids:/docker/abc123")
-    @patch("ttmp32gme.print_handler.Path")
-    def test_docker_in_cgroup(self, mock_path, mock_file):
-        """Test container detection from /proc/1/cgroup with docker."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is True
-        mock_file.assert_called_once_with("/proc/1/cgroup", "r")
-
-    @patch(
-        "builtins.open",
-        new_callable=mock_open,
-        read_data="12:pids:/system.slice/containerd.service",
-    )
-    @patch("ttmp32gme.print_handler.Path")
-    def test_containerd_in_cgroup(self, mock_path, mock_file):
-        """Test container detection from /proc/1/cgroup with containerd."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is True
-
-    @patch(
-        "builtins.open", new_callable=mock_open, read_data="12:pids:/lxc/container123"
-    )
-    @patch("ttmp32gme.print_handler.Path")
-    def test_lxc_in_cgroup(self, mock_path, mock_file):
-        """Test container detection from /proc/1/cgroup with lxc."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is True
-
-    @patch("builtins.open", new_callable=mock_open, read_data="12:pids:/init.scope")
-    @patch("ttmp32gme.print_handler.Path")
-    def test_not_in_container(self, mock_path, mock_file):
-        """Test container detection returns False on normal system."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is False
-
-    @patch("builtins.open", side_effect=FileNotFoundError())
-    @patch("ttmp32gme.print_handler.Path")
-    def test_cgroup_not_found(self, mock_path, mock_file):
-        """Test container detection when /proc/1/cgroup doesn't exist."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is False
-
-    @patch("builtins.open", side_effect=PermissionError())
-    @patch("ttmp32gme.print_handler.Path")
-    def test_cgroup_permission_error(self, mock_path, mock_file):
-        """Test container detection when /proc/1/cgroup can't be read."""
-        mock_dockerenv = Mock()
-        mock_dockerenv.exists.return_value = False
-        mock_path.return_value = mock_dockerenv
-
-        result = is_running_in_container()
-
-        assert result is False
