feat(preview-service): remove SYS_ADMIN capability requirement (#2414)

* fix(preview-service): avoid SYS_ADMIN capabilities

packages/preview-service/routes/preview.js

@@ -62,11 +62,11 @@ async function getScreenshot(objectUrl, boundLogger = logger) {
     headless: shouldBeHeadless,
     userDataDir: '/tmp/puppeteer',
     executablePath: '/usr/bin/google-chrome-stable',
-    args: ['--disable-dev-shm-usage']
+    // we trust the web content that is running, so can disable the sandbox
+    // disabling the sandbox allows us to run the docker image without linux kernel privileges
+    args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage']
   }
-  // if ( process.env.PUPPETEER_SKIP_CHROMIUM_DOWNLOAD === 'true' ) {
-  //   launchParams.executablePath = 'chromium'
-  // }
+
   const browser = await puppeteer.launch(launchParams)
   const page = await browser.newPage()
 

utils/helm/speckle-server/templates/preview_service/deployment.yml

@@ -50,10 +50,8 @@ spec:
           capabilities:
             drop:
               - ALL
-            add:
-              - SYS_ADMIN #TODO remove this and replace with sec comp profile: https://stackoverflow.com/a/53975412
           privileged: false
-          # readOnlyRootFilesystem: true # this breaks chromium
+          # readOnlyRootFilesystem: true #FIXME this currently breaks chromium. Need to identify which directories should be mounted.
           runAsNonRoot: true
           runAsUser: 800
 
@@ -101,8 +99,8 @@ spec:
         fsGroup: 25000
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 30000
-        # seccompProfile:
-        #   type: RuntimeDefault #TODO: uncomment this when we have a profile for chromium
+        seccompProfile:
+          type: RuntimeDefault
 
       # Should be > preview generation time ( 1 hour for good measure )
       terminationGracePeriodSeconds: 3600