Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Getting "Error: [Sandbox] PipeToSandbox is closed" on self hosted grist

See original GitHub issue

Hello,

we are trying to run the gristlabs/girst-core:latest docker image with sandboxed pynbox formulas using Authentik as SAML provider behind an apache reverse proxy on a docker swarm manager node (I know lots of possible points of failure)

and we are getting the following error:

In the frontend

ERROR: Error: [Sandbox] PipeToSandbox is closed
_onServerMessage Comm.ts:338
Backbone 4
_processReceivedMessage GristWSConnection.ts:293
onmessage GristWSConnection.ts:219
errors.ts:82:2
GristWSConnection.send[true]

In the backend:

2022-09-27 14:21:27.102 - debug: ActiveDoc _applyUserActions(Client 4cd2de5cc4b04caf #17, [['UpdateRecord', '_grist_Tables_column', 2, {isFormula: true, formula: 'print("foo")'}], ['AddRecord', 'Table1', null, {}]]) access=owners, userId=6, email=dev@ff6347.email, age=0, org=docs, altSessionId=2DKQjc9may2JAfvkdTtQaU, clientId=4cd2de5cc4b04caf, counter=17, docId=wDY9nMDvJhijaQsPEh45r3

2022-09-27 14:21:27.104 - warn: Sharing Unable to apply action... SandboxError: [Sandbox] PipeToSandbox is closed

    at NSandbox._sandboxClosedError (/grist/_build/app/server/lib/NSandbox.js:243:16)

    at NSandbox._sendData (/grist/_build/app/server/lib/NSandbox.js:200:24)

    at NSandbox.pyCall (/grist/_build/app/server/lib/NSandbox.js:148:14)

    at ActiveDoc._rawPyCall (/grist/_build/app/server/lib/ActiveDoc.js:1918:27)

    at async ActiveDoc.applyActionsToDataEngine (/grist/_build/app/server/lib/ActiveDoc.js:1350:35)

    at async Sharing._applyActionsToDataEngine (/grist/_build/app/server/lib/Sharing.js:321:37) access=owners, userId=6, email=me@me.email, age=0, org=docs, altSessionId=2DKQjc9may2JAfvkdTtQaU, clientId=4cd2de5cc4b04caf, counter=17, docId=wDY9nMDvJhijaQsPEh45r3

I guess it might have something to do with websockets, but I’m not certain. Any hint would be highly appreciated. Below are or configs.

docker-compose.yml

version: "3.9"
services:
  grist:
    # even though it is bad practice to use the latest tag, we want the latest state. Last tag v0.7.9 is 4 month old. There has been so many changes since then.
    # Other possibility would be to pull latest and rename the tag to mach some versioning we can use.
    image: gristlabs/grist:latest
    restart: always
    # currently not needed with pynbox
    # once gvisor is available in grist-core we can use it
    # runtime: runsc
    ports:
      - published: 11081
        target: 80
        mode: host
    volumes:
      - grist:/persist
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [ node.role == manager ]
    environment:
      PORT: 80
      APP_DOC_URL: https://$GRIST_DOMAIN
      APP_HOME_URL: https://$GRIST_DOMAIN
      GRIST_ORG_IN_PATH: "true"
      GRIST_DOMAIN: $GRIST_DOMAIN
      # GRIST_HOST: $GRIST_DOMAIN
      # GRIST_DEFAULT_EMAIL: $GRIST_DEFAULT_EMAIL
      GRIST_EXPERIMENTAL_PLUGINS: "true"
      GRIST_SANDBOX_FLAVOR: pynbox
      GRIST_SESSION_SECRET: $GRIST_SESSION_SECRET
      GRIST_SAML_IDP_CERTS: $GRIST_SAML_IDP_CERTS
      GRIST_SAML_SP_KEY: $GRIST_SAML_SP_KEY
      GRIST_SAML_SP_CERT: $GRIST_SAML_SP_CERT
      GRIST_SAML_IDP_LOGIN: $GRIST_SAML_IDP_LOGIN
      GRIST_SAML_IDP_LOGOUT: $GRIST_SAML_IDP_LOGOUT
      GRIST_HIDE_UI_ELEMENTS: helpCenter,billing,templates
      PYTHON_VERSION: 2
      PYTHON_VERSION_ON_CREATION: 2
      GRIST_FORCE_LOGIN: "true"
      GRIST_SAML_IDP_UNENCRYPTED: 1
      GRIST_SAML_SP_HOST: https://$GRIST_DOMAIN
      PIPE_MODE: $PIPE_MODE

volumes:
  grist:

.env

GRIST_DOMAIN=example.com
GRIST_SESSION_SECRET=123456
GRIST_SANDBOX_FLAVOR=pynbox
GRIST_ORG_IN_PATH=true
APP_DOC_URL=https://example.com
APP_HOME_URL=https://example.com
PYTHON_VERSION=2
PYTHON_VERSION_ON_CREATION=2
GRIST_SAML_IDP_LOGIN=https://authentik.example.com/application/saml/grist/sso/binding/redirect/
GRIST_SAML_IDP_LOGOUT=https://authentik.example.com/if/session-end/grist/
GRIST_SAML_IDP_CERTS=/persist/saml/grist_idp.cert
GRIST_SAML_SP_KEY=/persist/saml/grist_private_key.key
GRIST_SAML_SP_CERT=/persist/saml/grist_certificate.cert
GRIST_EXPERIMENTAL_PLUGINS=true
GRIST_HIDE_UI_ELEMENTS=helpCenter,billing,templates
GRIST_FORCE_LOGIN=true
GRIST_SAML_IDP_UNENCRYPTED=1
GRIST_SAML_SP_HOST=https://example.com

apache config (Stolen from many parts of the web)


RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)           ws://localhost:11081/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*)           http://localhost:11081/$1 [P,L]

#
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost:11081/
ProxyPassReverse / http://localhost:11081/
RequestHeader set X-Forwarded-Proto https

Edit 1:

  • Setting GRIST_HOST breaks things in docker

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
paulfitzcommented, Sep 28, 2022

I actually only went for pynbox and python 2 because of that gibt in the source code about gvisor not being available in grist-core and because it didn’t work in my first try.

Anyway. Thank you again

Oh gosh thanks for pointing me to that @ff6347, I’ll update that out-of-date comment. Cheers!

0reactions
ff6347commented, Sep 28, 2022

I actually only went for pynbox and python 2 because of that gibt in the source code about gvisor not being available in grist-core and because it didn’t work in my first try.

Anyway. Thank you again

Read more comments on GitHub >

github_iconTop Results From Across the Web

Issues · gristlabs/grist-core - GitHub
Contribute to gristlabs/grist-core development by creating an account on GitHub. ... Getting "Error: [Sandbox] PipeToSandbox is closed" on self hosted grist.
Read more >
ned - River Thames Conditions - Environment Agency - GOV.UK
Congreso del peru dibujo, Bodas de cana dallas, Off bottom lounge may 8, Mashreq bank iban number dubai. Hold for applause, Fail opilci,...
Read more >
Automated Malware Analysis Report for http://ccsbts ... - Joe Sandbox
Exclude process from analysis (whitelisted): ielowutil.exe; TCP Packets have been reduced to 100; Created / dropped Files have been reduced to 100 ...
Read more >
Sandbox / Homestuck Reactions - TV Tropes
A page for describing Sandbox: Homestuck Reactions. > Respond to the story's events. Homestuck is a work of over 8000 pages, and the...
Read more >
Viewing online file analysis results for 'JVC_50616.vbs'
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Table id displayed in table list

Next page

env var for controling allowed origins ?