How to get sandbox working in grist core?

Hi there!
So I think it’s finally time to get sandbox working as I intend on using Grist full time for all excel needs, in addition to potentially sharing a few sheets with whomever to share data with them. With that in mind, someone who is not me having access to sheets, with un-sandboxed python might not be the brightest idea.
My server is hosted on a Proxmox VM running Debian 11:

Another VM is running Caddy where everything is reverse proxied to this machine. The specific section of the Caddyfile for Grist looks like this:

grist.xxxx.org {
        reverse_proxy 192.168.0.xxx:8484
        encode gzip zstd
}

This is my docker-compose.yml:

version: '3'

services:
  grist:
    image: gristlabs/grist
    restart: unless-stopped
    environment:
      - GRIST_SANDBOX_FLAVOR=gvisor
      - GRIST_DEFAULT_EMAIL=admin@xxxx.icu
      - APP_HOME_URL=https://grist.xxxx.org
      - GRIST_FORCE_LOGIN=true
      - GRIST_SAML_SP_HOST=https://grist.xxxx.org # Auth0 used for authentication
      - GRIST_SAML_IDP_UNENCRYPTED=1
      - GRIST_SAML_IDP_LOGIN=https://xxxx.eu.auth0.com/samlp/xxxxxx
      - GRIST_SAML_IDP_LOGOUT=https://xxxx.eu.auth0.com/samlp/xxxxxxx
      - GRIST_SAML_IDP_CERTS=/persist/xxxx.pem
      - GRIST_SAML_SP_KEY=/persist/xxxx_pkey.pem
      - GRIST_SAML_SP_CERT=/persist/xxxx_certificate.crt
    ports:
      - 8484:8484
    volumes:
      - ./persist:/persist
    stdin_open: true
    tty: true

If I run it without sandbox it works just fine. I have tried adding variables “GRIST_WIDGET_LIST_URL” and “GRIST_SESSION_SECRET” but honestly didn’t see or notice anything change on the instance, either in logs or on the website.
I’d love to have more widgets so I will want to figure out the variable “GRIST_WIDGET_LIST_URL” as well at some point. I am hoping the sandbox issue is the same reason the list URL variable isn’t working.

Here is the complete docker-compose logs with the above docker-compose.yml (And the variable DEBUG=1 added). Only thing hidden is domain.

grist_1  | Welcome to Grist.
grist_1  | 2023-07-28 23:43:47.371 - info: == Grist version is 1.1.0 (commit unknown)
grist_1  | 2023-07-28 23:43:47.378 - debug: skipping incomplete language fa (set GRIST_OFFER_ALL_LANGUAGES if you want it)
grist_1  | 2023-07-28 23:43:47.390 - info: Loading empty config because /persist/config.json missing
grist_1  | 2023-07-28 23:43:47.391 - info: SamlConfig set with host https://grist.xxxx.org, IdP https://xxxx.eu.auth0.com/samlp/b9JdI6JBUqn9CNNYnetSYMf86DwVuk2O
grist_1  | 2023-07-28 23:43:47.397 - warn: did not find an appropriately named example workspace in deployment
grist_1  | 2023-07-28 23:43:47.399 - info: No plugins directory: ENOENT: no such file or directory, scandir '/grist/.grist/plugins'
grist_1  | 2023-07-28 23:43:47.402 - info: Found 1 valid plugins on the system
grist_1  | 2023-07-28 23:43:47.403 - debug: PLUGIN builtIn/core -- /grist/plugins/core
grist_1  | 2023-07-28 23:43:47.407 - info: Server timeouts: keepAliveTimeout 305000 headersTimeout 306000
grist_1  | 2023-07-28 23:43:47.408 - info: server(home,docs,static) available at 0.0.0.0:8484
grist_1  | 2023-07-28 23:43:47.416 - warn: Failed to create GoogleAuth endpoint: GOOGLE_CLIENT_SECRET is not defined
grist_1  | 2023-07-28 23:43:47.419 - info: == appRoot: /grist
grist_1  | 2023-07-28 23:43:47.419 - info: == i18:namespace: client,server
grist_1  | 2023-07-28 23:43:47.419 - info: == docsRoot: /persist/docs
grist_1  | 2023-07-28 23:43:47.419 - info: == defaultBaseDomain: grist.xxxx.org
grist_1  | 2023-07-28 23:43:47.419 - info: == pluginUrl: undefined
grist_1  | 2023-07-28 23:43:47.419 - info: == instanceRoot: /persist
grist_1  | 2023-07-28 23:43:47.419 - info: == tag: unknown
grist_1  | 2023-07-28 23:43:47.419 - info: == database: sqlite:///persist/home.sqlite3
grist_1  | 2023-07-28 23:43:47.420 - info: == userRoot: /grist/.grist
grist_1  | 2023-07-28 23:43:47.420 - info: == loginMiddlewareComment: saml
grist_1  | 2023-07-28 23:43:47.420 - info: == docWorkerId: testDocWorkerId_8484
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.access.supportEmail: support@getgrist.com [default] [GRIST_SUPPORT_EMAIL]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.access.listPublicSites: false [default] [GRIST_LIST_PUBLIC_SITES]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.locale.offerAllLanguages: - [GRIST_OFFER_ALL_LANGUAGES]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.login.skipSession: - [GRIST_IGNORE_SESSION]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.login.forced: true [GRIST_FORCE_LOGIN]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.externalStorage.minio.bucket: - [GRIST_DOCS_MINIO_BUCKET]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.externalStorage.disable: - [GRIST_DISABLE_S3]
grist_1  | 2023-07-28 23:43:47.420 - info: == grist.externalStorage.active: false
grist_1  | 2023-07-28 23:43:47.425 - info: activity docCount=12, orgCount=0, orgInGoodStandingCount=0, userCount=8, userWithLoginCount=8
grist_1  | 2023-07-28 23:43:48.277 - debug: Auth[GET]: grist.xxxx.org /worker/fPCau3cdz9ZmE9SWUA7w41 customHostSession=, method=GET, host=grist.xxxx.org, path=/worker/fPCau3cdz9ZmE9SWUA7w41, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:43:48.285 grist.xxxx.org GET /o/docs/api/worker/fPCau3cdz9ZmE9SWUA7w41 200 9.541 ms - 55
grist_1  | 2023-07-28 23:43:48.352 - info: Comm: Got Websocket connection clientId=2ee3e529770f738d, counter=null, urlPath=/?clientId=bf7866417ca7b708&counter=8&newClient=0&lastSeqId=3&browserSettings=%7B%22timezone%22%3A%22Europe%2FBucharest%22%7D&user=admin%40xxxx.icu, reuseClient=false
grist_1  | 2023-07-28 23:43:48.352 - debug: Client sending clientConnect newClient=false, needReload=true, docsClosed=0, missedMessages=undefined, email=admin@xxxx.icu, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=8
grist_1  | 2023-07-28 23:43:48.374 - info: Client websocket closed; will discard client in 300 sec email=admin@xxxx.icu, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=8
grist_1  | 2023-07-28 23:43:48.411 - debug: Auth[GET]: grist.xxxx.org /docs/fPCau3cdz9Zm customHostSession=, method=GET, host=grist.xxxx.org, path=/docs/fPCau3cdz9Zm, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:43:48.424 grist.xxxx.org GET /o/docs/api/docs/fPCau3cdz9Zm 304 13.715 ms - -
grist_1  | 2023-07-28 23:43:48.453 - debug: Auth[GET]: grist.xxxx.org /worker/fPCau3cdz9ZmE9SWUA7w41 customHostSession=, method=GET, host=grist.xxxx.org, path=/worker/fPCau3cdz9ZmE9SWUA7w41, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:43:48.455 grist.xxxx.org GET /o/docs/api/worker/fPCau3cdz9ZmE9SWUA7w41 304 4.535 ms - -
grist_1  | 2023-07-28 23:43:48.520 - info: Comm: Got Websocket connection email=admin@xxxx.icu, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=8, urlPath=/?clientId=2ee3e529770f738d&counter=9&newClient=1&browserSettings=%7B%22timezone%22%3A%22Europe%2FBucharest%22%7D&user=admin%40xxxx.icu, reuseClient=true
grist_1  | 2023-07-28 23:43:48.520 - debug: Client sending clientConnect newClient=true, needReload=false, docsClosed=0, missedMessages=undefined, email=admin@xxxx.icu, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:43:48.542 - info: Client onMessage '{"reqId":3,"method":"openDoc","args":["fPCau3cdz9ZmE9SWUA7w41","default",null]}' email=admin@xxxx.icu, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:43:48.544 - debug: DocManager.openDoc Authorizer key { urlId: 'fPCau3cdz9ZmE9SWUA7w41', userId: 5, org: 'docs' }
grist_1  | 2023-07-28 23:43:48.549 - debug: DocManager.fetchDoc fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.557 - debug: ActiveDoc loadDoc access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.565 - debug: DB fPCau3cdz9ZmE9SWUA7w41 open successfully
grist_1  | 2023-07-28 23:43:48.568 - debug: ActiveDoc Loading 23 normal tables, skipping 0 on-demand tables access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.568 - debug: ActiveDoc Normal tables: StockTrades, Temp, _grist_ACLMemberships, _grist_ACLPrincipals, _grist_ACLResources, _grist_ACLRules, _grist_Attachments, _grist_Cells, _grist_DocInfo, _grist_External_database, _grist_External_table, _grist_Filters, _grist_Imports, _grist_Pages, _grist_REPL_Hist, _grist_TabBar, _grist_TabItems, _grist_TableViews, _grist_Triggers, _grist_Validations, _grist_Views, _grist_Views_section, _grist_Views_section_field access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.568 - debug: ActiveDoc On-demand tables:  access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.569 - debug: ActiveDoc starting to load 21 tables: _grist_ACLMemberships, _grist_ACLPrincipals, _grist_ACLResources, _grist_ACLRules, _grist_Attachments, _grist_Cells, _grist_DocInfo, _grist_External_database, _grist_External_table, _grist_Filters, _grist_Imports, _grist_Pages, _grist_REPL_Hist, _grist_TabBar, _grist_TabItems, _grist_TableViews, _grist_Triggers, _grist_Validations, _grist_Views, _grist_Views_section, _grist_Views_section_field access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.591 - debug: 3-pipe Sandbox started sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.602 - debug: DocClients now 1 clients; new client is 2ee3e529770f738d (fd 0) access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.602 - info: ActiveDoc will stay open access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.602 - info: ActiveDoc fetchMetaTables access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.606 - debug: Time taken in getRecentMinimalActionGroups: 0 ms
grist_1  | 2023-07-28 23:43:48.615 - info: Sandbox stderr: run.py: sandbox/gvisor/run.py -E PYTHONPATH=/grist/sandbox/grist -E PIPE_MODE=minimal -m /grist/sandbox --restore /tmp/engine__grist python3 -- /grist/sandbox/grist/main.py fPCau3cdz9ZmE9SWUA7w41 sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.687 - info: Client onMessage '{"reqId":4,"method":"fetchTable","args":[0,"StockTrades"]}' email=admin@xxxx.icu, userId=5, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:43:48.688 - debug: activeDocMethod access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41, docMethod=fetchTable
grist_1  | 2023-07-28 23:43:48.688 - info: ActiveDoc fetchQuery {"tableId":"StockTrades","filters":{}} (regular) access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.690 - info: ActiveDoc fetchQuery -> 4 rows, cols: manualSort, Stock, SharesBought, BuyPrice, SellPrice, BuyDate, SellDate, ProfitAmount, ProfitPercent, HoldTimeDays, ProfitAmount_M_ access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.705 - info: Client onMessage '{"reqId":5,"method":"getUsersForViewAs","args":[0]}' email=admin@xxxx.icu, userId=5, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:43:48.706 - debug: activeDocMethod access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41, docMethod=getUsersForViewAs
grist_1  | 2023-07-28 23:43:48.720 - info: Sandbox stderr: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}] sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.720 - info: Sandbox stderr: Traceback (most recent call last): sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.720 - info: Sandbox stderr:   File "/grist/sandbox/gvisor/run.py", line 261, in <module> sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.720 - info: Sandbox stderr:     raise Exception('gvisor runsc problem: ' + json.dumps(command)) sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.720 - info: Sandbox stderr: Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"] sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.724 - debug: Sandbox pyCall[load_meta_tables] took 132 ms sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.725 - warn: ActiveDoc _finishInitialization stopped with SandboxError: [Sandbox] [Sandbox] PipeFromSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | 
grist_1  |     at NSandbox._pyCallWait (/grist/_build/app/server/lib/NSandbox.js:191:19)
grist_1  |     at processTicksAndRejections (internal/process/task_queues.js:95:5)
grist_1  |     at async NSandbox.pyCall (/grist/_build/app/server/lib/NSandbox.js:171:20)
grist_1  |     at async TableMetadataLoader.opCorePush (/grist/_build/app/server/lib/TableMetadataLoader.js:121:9)
grist_1  |     at async TableMetadataLoader._counted (/grist/_build/app/server/lib/TableMetadataLoader.js:186:20)
grist_1  |     at async TableMetadataLoader.wait (/grist/_build/app/server/lib/TableMetadataLoader.js:100:13)
grist_1  |     at async ActiveDoc._finishInitialization (/grist/_build/app/server/lib/ActiveDoc.js:1972:13)
grist_1  |     at async InactivityTimer.disableUntilFinish (/grist/_build/app/common/InactivityTimer.js:76:20) access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:48.726 - warn: Sandbox unexpectedly exited with code 1 signal null sandboxPid=119, flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:43:49.606 - debug: Subprocess control failure: Error: not found flavor=gvisor, command=undefined, entryPoint=(default), docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:44:14.993 - info: Client onMessage '{"reqId":6,"method":"fetchTable","args":[0,"Temp"]}' email=admin@xxxx.icu, userId=5, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:44:15.004 - debug: activeDocMethod access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41, docMethod=fetchTable
grist_1  | 2023-07-28 23:44:15.005 - info: ActiveDoc fetchQuery {"tableId":"Temp","filters":{}} (regular) access=owners, userId=5, email=admin@xxxx.icu, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9, docId=fPCau3cdz9ZmE9SWUA7w41
grist_1  | 2023-07-28 23:44:15.005 - warn: Client Responding to method fetchTable with error: Error: [Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | 
grist_1  |     at NSandbox._sandboxClosedError (/grist/_build/app/server/lib/NSandbox.js:269:16)
grist_1  |     at NSandbox._sendData (/grist/_build/app/server/lib/NSandbox.js:226:24)
grist_1  |     at NSandbox.pyCall (/grist/_build/app/server/lib/NSandbox.js:164:14)
grist_1  |     at ActiveDoc._rawPyCall (/grist/_build/app/server/lib/ActiveDoc.js:2196:27)  email=admin@xxxx.icu, userId=5, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:44:15.006 - warn: Client responding to #6 ERROR [Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  |  email=admin@xxxx.icu, userId=5, age=63, org=docs, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo, clientId=2ee3e529770f738d, counter=9
grist_1  | 2023-07-28 23:44:15.027 grist.xxxx.org GET /custom-widget.html?access=none&readonly=false 304 1.674 ms - -
grist_1  | 2023-07-28 23:44:15.029 grist.xxxx.org GET /custom-widget.html?access=full&readonly=false 304 0.465 ms - -
grist_1  | 2023-07-28 23:44:15.045 - debug: Auth[POST]: grist.xxxx.org /log customHostSession=, method=POST, host=grist.xxxx.org, path=/log, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.052 - warn: client error stack=Error: [Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | 
grist_1  |     at y._onServerMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:17073)
grist_1  |     at v (https://grist.xxxx.org/v/unknown/main.bundle.js:2:575074)
grist_1  |     at m (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574866)
grist_1  |     at d (https://grist.xxxx.org/v/unknown/main.bundle.js:2:572819)
grist_1  |     at c.trigger (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574759)
grist_1  |     at g._processReceivedMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:10645)
grist_1  |     at g.onmessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:9262), message=[Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | , docId=fPCau3cdz9ZmE9SWUA7w41, page=https://grist.xxxx.org/o/docs/fPCau3cdz9Zm/TornCity-Stonks-Tracker/p/2, language=en-US, platform=Linux x86_64, userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.056 grist.xxxx.org POST /o/docs/api/log 200 13.752 ms - -
grist_1  | 2023-07-28 23:44:15.059 - debug: Auth[POST]: grist.xxxx.org /log customHostSession=, method=POST, host=grist.xxxx.org, path=/log, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.060 - warn: client error stack=Error: [Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | 
grist_1  |     at y._onServerMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:17073)
grist_1  |     at v (https://grist.xxxx.org/v/unknown/main.bundle.js:2:575074)
grist_1  |     at m (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574866)
grist_1  |     at d (https://grist.xxxx.org/v/unknown/main.bundle.js:2:572819)
grist_1  |     at c.trigger (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574759)
grist_1  |     at g._processReceivedMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:10645)
grist_1  |     at g.onmessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:9262), message=[Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | , docId=fPCau3cdz9ZmE9SWUA7w41, page=https://grist.xxxx.org/o/docs/fPCau3cdz9Zm/TornCity-Stonks-Tracker/p/2, language=en-US, platform=Linux x86_64, userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.062 - debug: Auth[POST]: grist.xxxx.org /log customHostSession=, method=POST, host=grist.xxxx.org, path=/log, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.063 - warn: client error stack=Error: [Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | 
grist_1  |     at y._onServerMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:17073)
grist_1  |     at v (https://grist.xxxx.org/v/unknown/main.bundle.js:2:575074)
grist_1  |     at m (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574866)
grist_1  |     at d (https://grist.xxxx.org/v/unknown/main.bundle.js:2:572819)
grist_1  |     at c.trigger (https://grist.xxxx.org/v/unknown/main.bundle.js:2:574759)
grist_1  |     at g._processReceivedMessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:10645)
grist_1  |     at g.onmessage (https://grist.xxxx.org/v/unknown/main.bundle.js:2:9262), message=[Sandbox] PipeToSandbox is closed: running container: starting container: restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}]
grist_1  | Traceback (most recent call last):
grist_1  |   File "/grist/sandbox/gvisor/run.py", line 261, in <module>
grist_1  |     raise Exception('gvisor runsc problem: ' + json.dumps(command))
grist_1  | Exception: gvisor runsc problem: ["runsc", "-root", "/tmp/runsc", "-unprivileged", "-ignore-cgroups", "-network", "none", "restore", "--image-path=/tmp/engine__grist", "_tmp_tmphwkhqmr2"]
grist_1  | , docId=fPCau3cdz9ZmE9SWUA7w41, page=https://grist.xxxx.org/o/docs/fPCau3cdz9Zm/TornCity-Stonks-Tracker/p/2, language=en-US, platform=Linux x86_64, userAgent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36, org=docs, email=admin@xxxx.icu, userId=5, altSessionId=nJRLNHuq8fsPV5Cp6S9kXo
grist_1  | 2023-07-28 23:44:15.064 grist.xxxx.org POST /o/docs/api/log 200 8.847 ms - -
grist_1  | 2023-07-28 23:44:15.065 grist.xxxx.org POST /o/docs/api/log 200 8.069 ms - -

Not sure what other information I should include, if there is any. I’d love to know what I did wrong in my setup that stops the sandbox from working.

Thank you in advance!

The gvisor-based sandboxing option isn’t available in all environments:

Could you check if XSAVE is listed as available in your CPU flags?

For GRIST_WIDGET_LIST_URL, when it is set to the suggested URL, you should see the same set of custom widgets available as on our hosted service, or listed here:

Without it set, you won’t see that list, although you could still use the widgets if you find a URL for them in the manifest.json file.

One nice aspect of this is that you can fork our grist-widget repository, add your own custom widgets to it, and then set GRIST_WIDGET_LIST_URL to that repository instead of ours.

For GRIST_SESSION_SECRET, you won’t see a change (other than needing to log in again), but your site will be more secure.

Thank you! That helped find the problem. The CPU type for the VM was set to the default value of kvm64 in Proxmox. The XSAVE flag was missing. I changed the CPU type to Host, rebooted and now all the flags are showing and sandboxing works!
EDIT: For those reading this later on, you can check your CPU flags by typing cat /proc/cpuinfo.

And that makes sense regarding the GRIST_SESSION_SECRET. Thank you, I have now set it.

As for the widget URL, it turns out I made a mistake in my docker-compose file.

My variable was written as:
- GRIST_WIDGET_LIST_URL="https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json"

The variable has to be without quotes:
- GRIST_WIDGET_LIST_URL=https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json

Now it is all working! Thank you for the help.

1 Like
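
The two fixes from this thread as a preflight check, added here as an example (not code from the thread or from Grist): it pulls the missing CPU feature out of the gVisor error, checks cpuinfo-format text for it on every processor, and lists list-form compose entries whose value is wrapped in quotes. The function names and the sample cpuinfo text are constructed for illustration; the log fragment and the compose entries are copied from the posts above.

```shell
#!/bin/sh
# Added example: preflight checks for the two misconfigurations in this thread.
# On a real VM, feed the first check from the host file:
#   missing_cpu_flags xsave < /proc/cpuinfo

# Read a Grist log on stdin; print the CPU features gVisor reported as missing.
log_missing_features() {
  sed -n 's/.*missing features: map\[\([^]]*\)\].*/\1/p' |
    tr ' ' '\n' | sed -e 's/:.*//' -e '/^$/d' | sort -u |
    tr '\n' ' ' | sed 's/ $//'
}

# Read /proc/cpuinfo-format text on stdin; print the features named in "$@"
# that at least one processor lacks. Whole-token match, so "xsaveopt" does not
# count as "xsave". Exit 0: none missing, 1: some missing, 2: no flags line.
missing_cpu_flags() {
  awk -v req="$*" '
    BEGIN { n = split(req, want, " ") }
    /^flags[ \t]*:/ {
      cpus++
      line = $0; sub(/^flags[ \t]*:[ \t]*/, "", line)
      split("", have); m = split(line, f, " ")
      for (i = 1; i <= m; i++) have[f[i]] = 1
      for (i = 1; i <= n; i++) if (!(want[i] in have)) miss[want[i]] = 1
    }
    END {
      if (!cpus) exit 2
      for (i = 1; i <= n; i++)
        if (want[i] in miss) out = out (out ? " " : "") want[i]
      if (out != "") { print out; exit 1 }
    }'
}

# Read a docker-compose file on stdin; print the names of list-form
# "- NAME=value" entries whose value is wrapped in quotes. In list form the
# quotes become part of the value the container sees. This is a line-based
# heuristic, not a YAML parser.
quoted_env_entries() {
  awk '
    /^[ \t]*-[ \t]+[A-Za-z_][A-Za-z0-9_]*=/ {
      entry = $0; sub(/^[ \t]*-[ \t]+/, "", entry)
      name = entry; sub(/=.*/, "", name)
      value = substr(entry, length(name) + 2)
      sub(/[ \t]+#.*$/, "", value); sub(/[ \t]+$/, "", value)
      q = substr(value, 1, 1)
      if (length(value) >= 2 && (q == "\"" || q == "\047") &&
          substr(value, length(value)) == q) print name
    }'
}

# Error fragment copied from the log in this thread.
LOG_LINE='restoring container "_tmp_tmphwkhqmr2": incompatible FeatureSet: missing features: map[xsave:{}] sandboxPid=119, flavor=gvisor'

# Constructed cpuinfo samples: a guest without xsave and one that has it.
KVM64_CPUINFO='processor : 0
flags : fpu de pse tsc msr pae cx8 apic sep cmov sse sse2 syscall nx lm
processor : 1
flags : fpu de pse tsc msr pae cx8 apic sep cmov sse sse2 syscall nx lm'
HOST_CPUINFO='processor : 0
flags : fpu de pse tsc msr pae cx8 apic sep cmov sse sse2 syscall nx lm xsave xsaveopt avx'

# Compose entries as posted in this thread (quoted and unquoted forms).
COMPOSE='    environment:
      - GRIST_SANDBOX_FLAVOR=gvisor
      - GRIST_WIDGET_LIST_URL="https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json"
      - GRIST_SAML_SP_HOST=https://grist.xxxx.org # Auth0 used for authentication
    ports:
      - 8484:8484'

need=$(printf '%s\n' "$LOG_LINE" | log_missing_features)
if miss=$(printf '%s\n' "$KVM64_CPUINFO" | missing_cpu_flags "$need"); then
  echo "kvm64 sample: [$need] present on every CPU"
else
  echo "kvm64 sample: missing [$miss], gvisor restore will fail"
fi
if miss=$(printf '%s\n' "$HOST_CPUINFO" | missing_cpu_flags "$need"); then
  echo "host sample: [$need] present on every CPU"
else
  echo "host sample: missing [$miss], gvisor restore will fail"
fi
echo "quoted env entries: $(printf '%s\n' "$COMPOSE" | quoted_env_entries)"
```
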