Use --disable-setuid-sandbox instead of --no-sandbox on Linux CI

linesight · claude · linesight · commit fb56b047d5fd · 2026-04-21T00:34:39.000-07:00
--no-sandbox in CEF 146 no-sandbox mode skips the infrastructure that
registers the Mojo IPC bootstrap fd (global descriptor key 7) for child
processes, causing all subprocesses to crash with "Failed global descriptor
lookup: 7". Previous workarounds (--single-process, --no-zygote, in-process
services) eliminated subprocess spawns but --single-process introduced a
new deadlock with CEF's external pump mode.

Fix: drop --no-sandbox and use --disable-setuid-sandbox instead. This
tells Chrome to skip the setuid helper binary (not shipped) and fall back
to the user-namespace sandbox, which correctly sets up the Mojo IPC fd
for every subprocess. User namespaces are available on GitHub Actions
Ubuntu 24.04 runners.

Also revert the short-lived async CreateBrowser() pump-loop hack which is
no longer needed.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/cefpython.pyx b/src/cefpython.pyx
@@ -806,36 +806,11 @@ def CreateBrowserSync(windowInfo=None,
     cdef CefRefPtr[CefDictionaryValue] extra_info
 
     # CEF browser creation.
-    IF UNAME_SYSNAME == "Linux":
-        # CefBrowserHost::CreateBrowserSync() deadlocks when combined with
-        # --single-process + external pump mode (CefDoMessageLoopWork). The
-        # nested RunLoop it creates cannot drive the in-process renderer
-        # thread initialisation. Use async CreateBrowser() and keep pumping
-        # the message loop until OnAfterCreated fires and populates
-        # g_pyBrowsers, then retrieve the CefBrowser ref from there.
-        cdef set _before_browser_ids = set(g_pyBrowsers.keys())
-        cef_browser_static.CreateBrowser(
+    with nogil:
+        cefBrowser = cef_browser_static.CreateBrowserSync(
                 cefWindowInfo, <CefRefPtr[CefClient]?>clientHandler,
                 cefNavigateUrl, cefBrowserSettings, extra_info,
                 cefRequestContext)
-        cdef PyBrowser _linux_pyBrowser = None
-        cdef int _i
-        for _i in range(6000):  # up to 60 s at 0.01 s/iter
-            with nogil:
-                CefDoMessageLoopWork()
-            _new_browser_ids = set(g_pyBrowsers.keys()) - _before_browser_ids
-            if _new_browser_ids:
-                _linux_pyBrowser = GetPyBrowserById(min(_new_browser_ids))
-                if _linux_pyBrowser is not None:
-                    cefBrowser = _linux_pyBrowser.cefBrowser
-                break
-            time.sleep(0.01)
-    ELSE:
-        with nogil:
-            cefBrowser = cef_browser_static.CreateBrowserSync(
-                    cefWindowInfo, <CefRefPtr[CefClient]?>clientHandler,
-                    cefNavigateUrl, cefBrowserSettings, extra_info,
-                    cefRequestContext)
 
     if not cefBrowser or not cefBrowser.get():
         Debug("CefBrowser::CreateBrowserSync() failed")
diff --git a/unittests/main_test.py b/unittests/main_test.py
@@ -144,27 +144,20 @@ def test_main(self):
         # Chrome 130+ blocks window.open() called without a user gesture.
         switches = {"disable-popup-blocking": ""}
         if LINUX:
-            # Sandbox setup (user-namespace) fails on CI runners.
-            switches["no-sandbox"] = ""
+            # Disable the setuid sandbox helper (not shipped in our package)
+            # so that Chrome falls back to the user-namespace sandbox, which
+            # correctly passes the Mojo IPC bootstrap fd to subprocesses.
+            switches["disable-setuid-sandbox"] = ""
             # /dev/shm is too small in CI containers.
             switches["disable-dev-shm-usage"] = ""
             # GPU acceleration is not available under xvfb.
             switches["disable-gpu"] = ""
             switches["disable-gpu-compositing"] = ""
             # Run GPU process inside the browser process so it is not
-            # spawned during CefInitialize() where it would fail the
-            # global descriptor lookup (key 7) and block OnContextInitialized.
+            # spawned during CefInitialize() where it would fail.
             switches["in-process-gpu"] = ""
-            # Run the renderer inside the browser process. Without this,
-            # the renderer subprocess fails the global descriptor lookup
-            # (key 7, the Mojo IPC bootstrap fd) because CEF 146 does not
-            # pass it in --no-sandbox mode; CEF then waits ~60s before
-            # CreateBrowserSync() returns None.
-            switches["single-process"] = ""
-            switches["no-zygote"] = ""
-            # Run utility services in-process so they don't need the Mojo
-            # bootstrap fd (global descriptor 7) that CEF 146 does not pass
-            # to subprocesses in --no-sandbox mode on Linux CI.
+            # Run utility services in-process so they don't each need a
+            # separate subprocess (reduces spawn overhead on CI).
             switches["disable-features"] = "StorageServiceOutOfProcess"
             switches["enable-features"] = "NetworkServiceInProcess"
         cef.Initialize(settings, switches=switches)
diff --git a/unittests/osr_test.py b/unittests/osr_test.py
@@ -113,24 +113,17 @@ def test_osr(self):
             "disable-surfaces": "",  # This is required for PDF ext to work
         }
         if LINUX:
-            # Sandbox setup fails on CI runners.
-            switches["no-sandbox"] = ""
+            # Disable the setuid sandbox helper (not shipped in our package)
+            # so that Chrome falls back to the user-namespace sandbox, which
+            # correctly passes the Mojo IPC bootstrap fd to subprocesses.
+            switches["disable-setuid-sandbox"] = ""
             # /dev/shm is too small in CI containers.
             switches["disable-dev-shm-usage"] = ""
             # Run GPU process inside the browser process so it is not
-            # spawned during CefInitialize() where it would fail the
-            # global descriptor lookup (key 7) and block OnContextInitialized.
+            # spawned during CefInitialize() where it would fail.
             switches["in-process-gpu"] = ""
-            # Run the renderer inside the browser process. Without this,
-            # the renderer subprocess fails the global descriptor lookup
-            # (key 7, the Mojo IPC bootstrap fd) because CEF 146 does not
-            # pass it in --no-sandbox mode; CEF then waits ~60s before
-            # CreateBrowserSync() returns None.
-            switches["single-process"] = ""
-            switches["no-zygote"] = ""
-            # Run utility services in-process so they don't need the Mojo
-            # bootstrap fd (global descriptor 7) that CEF 146 does not pass
-            # to subprocesses in --no-sandbox mode on Linux CI.
+            # Run utility services in-process so they don't each need a
+            # separate subprocess (reduces spawn overhead on CI).
             switches["disable-features"] = "StorageServiceOutOfProcess"
             switches["enable-features"] = "NetworkServiceInProcess"
         browser_settings = {
