chromium in ubuntu latest is not installed from snap and therefore it's not possible to run it #12096

Open
1 of 14 tasks
gusega opened this issue Apr 25, 2025 · 4 comments

gusega commented Apr 25, 2025

Description

Hi azure team,

In azure devops pipelines on ubuntu: 24.04.2 image version: 20250420.1.0

chromium is not installed from snap and therefore it's not possible to start it.

Way to reproduce:

bash: |
  chromium

see more details here: https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md

Workaround

bash: |
  sudo snap install chromium

google-chrome works fine.

Thanks

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

20250420.1.0

Is it regression?

no

Expected behavior

chromium works

Actual behavior

it does not

[2007:2007:0425/163136.680338:FATAL:zygote_host_impl_linux.cc(132)] No usable sandbox! If you are running on Ubuntu 23.10+ or another Linux distro that has disabled unprivileged user namespaces with AppArmor, see https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md. Otherwise see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the (older) SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x55c9861580d2 base::debug::CollectStackTrace()
#1 0x55c98614526e base::debug::StackTrace::StackTrace()
#2 0x55c98609839a logging::LogMessage::Flush()
#3 0x55c986098e99 logging::LogMessageFatal::~LogMessageFatal()
#4 0x55c98412fd6e content::ZygoteHostImpl::Init()
#5 0x55c9853c006c content::ContentMainRunnerImpl::Initialize()
#6 0x55c9853bdf7c content::RunContentProcess()
#7 0x55c9853be357 content::ContentMain()
#8 0x55c980da6385 ChromeMain
#9 0x7f0047a2a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#10 0x7f0047a2a28b __libc_start_main
#11 0x55c980da602a _start

Repro steps

azure devops pipeline with:

bash: |
  chromium
@kishorekumar-anchala
Contributor

Hi @gusega, thank you for bringing this issue to our attention. We will look into this issue and will update you after investigating.

ChinHairSaintClair commented Apr 30, 2025

We're encountering this issue when running Chrome in headless mode via Karma on the Ubuntu 22.04 runner image.

A couple of workarounds are documented in Chrome's AppArmor userns restrictions guide. One of them involves falling back to the setuid sandbox helper (chrome-sandbox), if it's available and properly configured.

However, this binary doesn't appear to be present or configured in the current runner image. As far as I understand, since these runners likely don't allow modifying AppArmor profiles or kernel settings, we're unable to install and set the required permissions ourselves.

Would it be possible to include the setuid sandbox helper as part of the image, so headless Chrome can run securely without relying on --no-sandbox in environments where user namespaces are restricted?

I'm still learning about these system-level constraints and CI internals, so please let me know if I've misunderstood anything or if additional logs would be helpful.

ChinHairSaintClair commented Apr 30, 2025

@kishorekumar-anchala I managed to get our tests running again, though the solution feels a bit hacky.

Confirm the OS version

lsb_release -a

Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble

Locate Chromium

which chromium

/usr/bin/chromium

This was a bit surprising because Chrome's AppArmor docs indicate that Ubuntu's Chromium is packaged as a snap:

Ubuntu's packaged version of Chromium is a snap package, and snap generates an AppArmor profile at runtime that allows usage of user namespaces.

Inspect path

The binary at that path turned out to be a symlink:

ls -l /usr/bin/chromium

lrwxrwxrwx 1 root root 45 Apr 20 21:24 /usr/bin/chromium -> /usr/local/share/chromium/chrome-linux/chrome

Verify presence of the Sandbox

ls -l /usr/local/share/chromium/chrome-linux/

-rwxr-xr-x 1 root root 351856 Mar 3 19:21 chrome_sandbox

Fix

Following Chromium's suid sandbox documentation and this Ask Ubuntu thread, we did the following:

# Rename the sandbox file
sudo mv /usr/local/share/chromium/chrome-linux/chrome_sandbox /usr/local/share/chromium/chrome-linux/chrome-sandbox

# We have     "-rwxr-xr-x"
# But we need "-rwsr-xr-x"
# Adjust permissions (note the 's' in place of the 'x'). 
sudo chmod 4755 /usr/local/share/chromium/chrome-linux/chrome-sandbox

# Confirm
ls -l /usr/local/share/chromium/chrome-linux/chrome-sandbox

-rwsr-xr-x 1 root root 351856 Mar 3 19:21 chrome-sandbox

I hope this helps shed some light on how to address the issue.
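
A preflight check a pipeline step could run before launching Chromium, as an added example that is not part of the original comments: it reports whether the user-namespace sandbox or the setuid helper (root-owned, mode 4755, named chrome-sandbox, as in the fix above) is usable. The function names are hypothetical, and the sysctl path is the Ubuntu 23.10+ AppArmor setting, which the thread itself does not name.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds when the AppArmor restriction on unprivileged user namespaces is
# switched on. $1: sysctl file (default: the Ubuntu 23.10+ knob). A per-binary
# AppArmor profile (snap, Google Chrome) can still allow userns when this is 1.
userns_restricted() {
  ur_file="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
  [ -r "$ur_file" ] && [ "$(cat "$ur_file")" = "1" ]
}

# Prints the state of the setuid helper in directory $1:
# ok | missing | misnamed | bad-owner | bad-mode.
# $2: uid expected to own the helper (default 0; other values are for tests).
helper_status() {
  hs_dir="$1"; hs_owner="${2:-0}"; hs_helper="$hs_dir/chrome-sandbox"
  if [ ! -e "$hs_helper" ]; then
    # The runner image in the thread ships the helper as chrome_sandbox.
    if [ -e "$hs_dir/chrome_sandbox" ]; then echo misnamed; else echo missing; fi
    return 0
  fi
  # GNU stat: %u = owner uid, %a = octal mode including the setuid bit.
  if [ "$(stat -c '%u' "$hs_helper")" != "$hs_owner" ]; then echo bad-owner
  elif [ "$(stat -c '%a' "$hs_helper")" != "4755" ]; then echo bad-mode
  else echo ok
  fi
}

# Prints the sandbox Chromium can rely on: userns | suid | none:<reason>.
# Returns 1 for "none" so a pipeline step fails instead of adding --no-sandbox.
# $1: chrome-linux directory, $2: sysctl file, $3: expected helper owner uid.
sandbox_plan() {
  if ! userns_restricted "$2"; then echo userns; return 0; fi
  sp_state=$(helper_status "$1" "$3")
  if [ "$sp_state" = ok ]; then echo suid; return 0; fi
  echo "none:$sp_state"
  return 1
}
```

On the image described in the thread the call would be `sandbox_plan /usr/local/share/chromium/chrome-linux`, which reports `none:misnamed` before the rename and `suid` after the rename and `chmod 4755`.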

@hemanthmanga
Contributor

Hi @gusega, @ChinHairSaintClair, thank you for your insights. The issue is currently under investigation, and we will provide an update shortly.
