gvisor: Sandbox unexpectedly exited #1563

Open
1 of 2 tasks
cruftex opened this issue Apr 17, 2025 · 5 comments

cruftex commented Apr 17, 2025

Describe the current behavior

I am trying to enable the gvisor sandbox in a self-hosted environment.

I see the following warning in my log message:

grist-1  | 2025-04-17 05:14:22.842 - warn: Sandbox unexpectedly exited with code 0 signal null sandboxPid=83, flavor=gvisor, command=undefined, entryPoint=(default)

However, the startup continues normally.

Is the sandbox active?
Should this be disregarded?
If the sandbox is not active: Shouldn't this be a hard error, if the sandbox cannot be established, but requested?

Here is the complete beginning of the startup log:

grist-1  | Running Grist as user 1001 with primary group 1001
grist-1  | gvisor check ok (flags: -unprivileged -ignore-cgroups)
grist-1  | 2025-04-17 05:14:20.839 - debug: 3-pipe Sandbox started sandboxPid=83, flavor=gvisor, command=undefined, entryPoint=(default)
grist-1  | 2025-04-17 05:14:20.897 - info: Sandbox stderr: run.py: sandbox/gvisor/run.py -E PYTHONPATH=/grist/sandbox/grist -E PIPE_MODE=minimal -m /grist/sandbox --checkpoint /tmp/engine__grist python3 -- /grist/sandbox/grist/main.py sandboxPid=83, flavor=gvisor, command=undefined, entryPoint=(default)
grist-1  | 2025-04-17 05:14:22.582 - info: Sandbox stderr: Ready message: [INFO] [__main__] Ready sandboxPid=83, flavor=gvisor, command=undefined, entryPoint=(default)
grist-1  | 2025-04-17 05:14:22.842 - warn: Sandbox unexpectedly exited with code 0 signal null sandboxPid=83, flavor=gvisor, command=undefined, entryPoint=(default)
grist-1  | Welcome to Grist.
grist-1  | In quiet mode, see http://localhost:8484 to use.
grist-1  | For full logs, re-run with DEBUG=1
grist-1  | Setting up database...
grist-1  | Database setup complete.
grist-1  | 2025-04-17 05:14:25.133 - info: Loading config file from /persist/config.json
grist-1  | 2025-04-17 05:14:25.136 - info: == Grist version is 1.5.1 (commit unknown)
. . .

Steps to reproduce

docker compose up

Describe the expected behavior

No warning.

Where have you encountered this bug?

Instance information (when self-hosting only)

  • Grist instance:
    • Version: 1.5.1
    • URL (if it's OK for you to share it): -
    • Installation mode: docker
    • Architecture: ? single-worker/multi-workers
    • Arm 64 CPU
    • Ubuntu 22.04
    • rootless docker

cruftex commented Apr 28, 2025

Maybe it does not run correctly on the ARM CPU; however, it says gvisor check ok.

paulfitz commented

When Grist starts up, it makes a sandbox instance, loads a bunch of code into it, makes a checkpoint, and then copies that checkpoint when it actually needs any sandboxes. This shaves off maybe half a second of startup time. When working with this initial sandbox, there is an ugly message that we really should clean up, I'm sorry about it. If in your admin panel the sandbox check is showing green, then gvisor is passing a self check.


cruftex commented May 5, 2025

@paulfitz
Thanks for the response! Meanwhile I found out that gvisor is not working because of the virtualization my cloud provider is using. On bare metal it seems to work. Some remarks:

Maybe it's worth exploring other techniques to isolate workspaces, e.g. docker in docker.

Since this is a security setting, I think Grist should not continue if the sandbox does not come up. So I advise converting the issue to a bug and improving the behavior in this case.


paulfitz commented May 5, 2025

@cruftex was the admin panel showing green for gvisor when it was not in fact working? That's serious.

What is your cloud provider? If you have some control over capabilities, check the PTRACE capability.
https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents

There are alternatives to gvisor. The easiest to deploy is pyodide. Setting GRIST_SANDBOX_FLAVOR=pyodide should suffice to activate. It adds some extra start-up time relative to gvisor. I don't think anyone has made docker in docker work, but there is a docker sandbox flavor. You'd need to do a lot of work to secure it though, I'd expect.


cruftex commented May 6, 2025

@paulfitz

> was the admin panel showing green for gvisor when it was not in fact working? That's serious.

No, in the admin panel it showed correctly.

My problem is with the confusing messaging at startup. It should be more explicit that Gvisor is not available and, if I specify Gvisor and it's not working, it would actually be best not to continue, since the specified security level is not met.

Thanks for the hint about the alternative sandboxing settings. I did not know there are alternatives to Gvisor available.
Is that documented somewhere or a standard feature of Python?
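
Added example, not part of the thread and not Grist's own code: a log triage that groups the startup lines quoted in this issue by sandboxPid and separates a clean exit of the `--checkpoint` sandbox after its Ready message from any other "unexpectedly exited" warning. It assumes the sandbox launched with `--checkpoint` is the initial checkpoint-building instance described by the maintainer; the sandboxPid=97 lines are constructed for contrast. The verdict only labels the warning, so the admin panel sandbox check remains the test of whether gvisor is actually working.

```python
import re

# sandboxPid=83 lines are copied from the startup log quoted in this issue;
# the two sandboxPid=97 lines are constructed to show a failing case.
TAIL = "flavor=gvisor, command=undefined, entryPoint=(default)"
SAMPLE_LOG = f"""\
grist-1  | 2025-04-17 05:14:20.839 - debug: 3-pipe Sandbox started sandboxPid=83, {TAIL}
grist-1  | 2025-04-17 05:14:20.897 - info: Sandbox stderr: run.py: sandbox/gvisor/run.py -E PYTHONPATH=/grist/sandbox/grist -E PIPE_MODE=minimal -m /grist/sandbox --checkpoint /tmp/engine__grist python3 -- /grist/sandbox/grist/main.py sandboxPid=83, {TAIL}
grist-1  | 2025-04-17 05:14:22.582 - info: Sandbox stderr: Ready message: [INFO] [__main__] Ready sandboxPid=83, {TAIL}
grist-1  | 2025-04-17 05:14:22.842 - warn: Sandbox unexpectedly exited with code 0 signal null sandboxPid=83, {TAIL}
grist-1  | 2025-04-17 05:15:01.100 - debug: 3-pipe Sandbox started sandboxPid=97, {TAIL}
grist-1  | 2025-04-17 05:15:01.400 - warn: Sandbox unexpectedly exited with code 1 signal null sandboxPid=97, {TAIL}
"""

PID_RE = re.compile(r"sandboxPid=(\d+)")
EXIT_RE = re.compile(r"Sandbox unexpectedly exited with code (\S+) signal (\S+)")
EXPECTED = "checkpoint-builder exit"   # hypothetical label names
INVESTIGATE = "investigate"


def triage(log_text):
    """Return {sandboxPid: verdict} for every 'unexpectedly exited' warning."""
    state = {}      # pid -> lifecycle flags seen so far
    verdicts = {}
    for line in log_text.splitlines():
        pid_m = PID_RE.search(line)
        if not pid_m:
            continue
        pid = int(pid_m.group(1))
        flags = state.setdefault(pid, {"checkpoint": False, "ready": False})
        if "Sandbox stderr: run.py:" in line and " --checkpoint " in line:
            flags["checkpoint"] = True
        elif "Sandbox stderr: Ready message:" in line:
            flags["ready"] = True
        exit_m = EXIT_RE.search(line)
        if exit_m:
            code, signal = exit_m.groups()
            clean = code == "0" and signal == "null"
            # Only a clean exit of a checkpoint sandbox that reached Ready is
            # treated as startup noise; everything else needs a human look.
            ok = clean and flags["checkpoint"] and flags["ready"]
            verdicts[pid] = EXPECTED if ok else INVESTIGATE
            state.pop(pid, None)   # pids can be reused by later sandboxes
    return verdicts


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_LOG).items():
        print(pid, verdict)
```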
