From 69757fba61abbf0b66cdbf2dc8b5d83f56d6f6cb Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Thu, 20 Jun 2024 14:33:26 +0100
Subject: [PATCH] feat(preview-service): remove SYS_ADMIN capability requirement (#2414)

* fix(preview-service): avoid SYS_ADMIN capabilities
---
 packages/preview-service/routes/preview.js | 8 ++++----
 .../templates/preview_service/deployment.yml | 8 +++-----
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/packages/preview-service/routes/preview.js b/packages/preview-service/routes/preview.js
index c3ec6d9987..c910641a0d 100644
--- a/packages/preview-service/routes/preview.js
+++ b/packages/preview-service/routes/preview.js
@@ -62,11 +62,11 @@ async function getScreenshot(objectUrl, boundLogger = logger) {
 headless: shouldBeHeadless,
 userDataDir: '/tmp/puppeteer',
 executablePath: '/usr/bin/google-chrome-stable',
- args: ['--disable-dev-shm-usage']
+ // we trust the web content that is running, so can disable the sandbox
+ // disabling the sandbox allows us to run the docker image without linux kernel privileges
+ args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage']
 }
- // if ( process.env.PUPPETEER_SKIP_CHROMIUM_DOWNLOAD === 'true' ) {
- // launchParams.executablePath = 'chromium'
- // }
+
 const browser = await puppeteer.launch(launchParams)
 const page = await browser.newPage()
diff --git a/utils/helm/speckle-server/templates/preview_service/deployment.yml b/utils/helm/speckle-server/templates/preview_service/deployment.yml
index 7c3b783573..9d022d955b 100644
--- a/utils/helm/speckle-server/templates/preview_service/deployment.yml
+++ b/utils/helm/speckle-server/templates/preview_service/deployment.yml
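Review bot: The new comment above `args` justifies `--no-sandbox` with "we trust the web content", but `getScreenshot(objectUrl, ...)` renders whatever `objectUrl` points at — the viewer page may be first-party, yet the object data it loads is presumably user-supplied, and Chrome's renderer sandbox is precisely the layer that contains a renderer exploit (V8, WebGL, image decoder) triggered by a crafted object. With the sandbox off, a renderer compromise lands directly in the container process, so the only boundaries left are the ones the Helm change in this same commit sets (non-root UID, all capabilities dropped, RuntimeDefault seccomp), and the comment should say that instead of asserting trust: `// Chrome's own sandbox is off: it needs a setuid helper or user namespaces (presumably CAP_SYS_ADMIN under the runtime seccomp profile), which this image no longer has.` followed by `// Rendered input is user-supplied, so containment now rests on the pod securityContext: non-root, all caps dropped, RuntimeDefault seccomp — keep those in place.` Note that the TODO removed from deployment.yml pointed at a custom seccomp profile, not at disabling Chrome's sandbox, as the intended replacement for SYS_ADMIN; a `Localhost` profile permitting `clone`/`unshare` with namespace flags would let Chrome keep its own sandbox without the capability and is worth tracking as a follow-up. The rest of `getScreenshot` lies outside the hunk.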
@@ -50,10 +50,8 @@ spec:
 capabilities:
 drop:
 - ALL
- add:
- - SYS_ADMIN #TODO remove this and replace with sec comp profile: https://stackoverflow.com/a/53975412
 privileged: false
- # readOnlyRootFilesystem: true # this breaks chromium
+ # readOnlyRootFilesystem: true #FIXME this currently breaks chromium. Need to identify which directories should be mounted.
 runAsNonRoot: true
 runAsUser: 800
@@ -101,8 +99,8 @@ spec:
 fsGroup: 25000
 fsGroupChangePolicy: OnRootMismatch
 runAsGroup: 30000
- # seccompProfile:
- # type: RuntimeDefault #TODO: uncomment this when we have a profile for chromium
+ seccompProfile:
+ type: RuntimeDefault
 # Should be > preview generation time ( 1 hour for good measure )
 terminationGracePeriodSeconds: 3600
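Review bot: The rewritten `readOnlyRootFilesystem` FIXME says the writable directories still need identifying, but the preview.js hunk in this same commit already fixes one of them — `userDataDir: '/tmp/puppeteer'` — so `/tmp` is known to need a writable `emptyDir` mount, and `--disable-dev-shm-usage` in the same launch args is the reason `/dev/shm` should not; the comment could record that instead of leaving the list blank: `# readOnlyRootFilesystem: true #FIXME breaks chromium; /tmp (puppeteer userDataDir) needs a writable emptyDir, other paths TBD.` Separately, this hunk drops the last capability but does not show `allowPrivilegeEscalation: false`; since Chrome now runs with `--disable-setuid-sandbox` no setuid helper is required, so if that field is not set elsewhere in this container securityContext (not visible here) it can now be added to make "no SUID" kernel-enforced: `allowPrivilegeEscalation: false`. The enclosing securityContext block starts before the hunk.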
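Review bot: Enabling `seccompProfile: type: RuntimeDefault` loses the context the removed TODO carried — it was waiting on "a profile for chromium", and what actually unblocked it is Chrome being launched with `--no-sandbox` in preview.js, which a reader of this template cannot see. Since the runtime default profile is presumably what stops Chrome's own namespace sandbox from working without CAP_SYS_ADMIN, the trade-off deserves a one-line note next to the setting: `type: RuntimeDefault # chromium runs with --no-sandbox (preview.js); a Localhost profile allowing clone/unshare namespace flags would let it keep its own sandbox`. This is the pod-level securityContext (it carries `fsGroup`), so the profile applies to every container in the pod unless one overrides it; the block starts before the hunk.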