6 changes: 5 additions & 1 deletion Dockerfile
@@ -20,7 +20,8 @@ ENV PYTHONFAULTHANDLER=1 \
PIP_DEFAULT_TIMEOUT=100 \
DEBIAN_FRONTEND=noninteractive \
REDIS_HOST=localhost \
REDIS_PORT=6379
REDIS_PORT=6379 \
DISPLAY=:99

ARG PYTHON_VERSION=3.12
ARG INSTALL_TYPE=default
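Review bot: the display number is now hard-coded twice, as DISPLAY=:99 in this ENV block and as `Xvfb :99` in the deploy/docker/supervisord.conf stanza; changing one without the other breaks the setup silently. Consider defining it once (for instance keep this ENV and have the supervisord command use supervisord's `%(ENV_DISPLAY)s` expansion) so the two cannot drift. Note also that a container-wide ENV makes every process, including `docker exec` shells, assume an X server is present on :99.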
@@ -68,6 +69,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
libcairo2 \
libasound2 \
libatspi2.0-0 \
xvfb \
xauth \
x11-utils \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

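Review bot: xauth is installed here but nothing in this change uses it; the supervisord stanza starts Xvfb with `-ac`, so either wire xauth in (cookie generated at container start, XAUTHORITY exported to Xvfb and its clients) or leave the package out until it is used. The Dockerfile already carries `ARG INSTALL_TYPE=default`; if only some install types need a display, gate xvfb, xauth and x11-utils on that argument so the X server does not land in images that never use it.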
10 changes: 10 additions & 0 deletions deploy/docker/supervisord.conf
@@ -25,4 +25,14 @@ stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr ; Redirect gunicorn stderr to container stderr
stderr_logfile_maxbytes=0

[program:xvfb]
command=Xvfb :99 -screen 0 1920x1080x24 -ac +extension GLX +render -noreset
user=appuser
autorestart=true
priority=5
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
Comment on lines +28 to +36
⚠️ Potential issue

Secure and stabilize Xvfb startup.

  • Security: Xvfb is started with “-ac” (no auth). Add “-nolisten tcp” to disable TCP socket exposure. If feasible, drop “-ac” and use xauth, since you already install it.
  • Reliability: Add startsecs so Xvfb is “up” before gunicorn starts.
 [program:xvfb]
-command=Xvfb :99 -screen 0 1920x1080x24 -ac +extension GLX +render -noreset
+command=Xvfb :99 -screen 0 1920x1080x24 -nolisten tcp -ac +extension GLX +render -noreset
 user=appuser
 autorestart=true
 priority=5
+startsecs=2
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0

Optional hardening (if you choose to use xauth instead of “-ac”): generate a cookie at container start and export XAUTHORITY to both programs.

I can provide a tiny entry script + supervisor config to set up xauth securely.

🤖 Prompt for AI Agents
In deploy/docker/supervisord.conf around lines 28 to 36 the Xvfb command is
insecure and may race with gunicorn start; remove or replace the “-ac” flag
(prefer using xauth) and add “-nolisten tcp” to prevent TCP exposure, update the
supervisord program stanza to include a sensible startsecs (e.g. startsecs=5) so
supervisor waits for Xvfb to be fully up before starting dependent programs, and
if you opt to drop “-ac” implement an entrypoint step that generates an
XAUTHORITY cookie (export XAUTHORITY for both Xvfb and other processes) rather
than disabling auth.

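The xauth-based alternative the comment describes, as an added example that is not from the PR or the project: a Python entrypoint step that writes an Xauthority file for display :99 directly in libXau's file layout (the same record `xauth add :99 . <hex>` would create, here with a wildcard host entry so it matches regardless of the container hostname), so Xvfb can be started with `-auth <file>` instead of `-ac` and clients pick the cookie up through XAUTHORITY. The path /run/xauth/Xauthority is an assumption; the script is meant to run before supervisord starts.

```python
import os
import secrets
import struct

FAMILY_WILD = 0xFFFF             # client-side wildcard: entry matches any host
COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


def build_xauth_entry(display_number: str, cookie: bytes) -> bytes:
    """Serialise one entry in libXau's file layout: big-endian u16 family,
    then four u16-length-prefixed fields (address, number, name, data)."""
    if len(cookie) != 16:
        raise ValueError("MIT-MAGIC-COOKIE-1 cookies are 16 bytes")
    entry = struct.pack(">H", FAMILY_WILD)
    for field in (b"", display_number.encode(), COOKIE_PROTO, cookie):
        entry += struct.pack(">H", len(field)) + field
    return entry


def parse_xauth_file(data: bytes) -> list:
    """Inverse of build_xauth_entry: (family, address, number, name, data) per entry."""
    entries, pos = [], 0
    while pos < len(data):
        (family,) = struct.unpack_from(">H", data, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            fields.append(data[pos:pos + length])
            pos += length
        entries.append((family, *fields))
    return entries


def write_xauthority(path: str, display_number: str = "99") -> bytes:
    """Create PATH (assumed location, e.g. /run/xauth/Xauthority) holding one
    fresh 128-bit cookie, readable only by its owner; returns the cookie."""
    cookie = secrets.token_bytes(16)
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)          # also tightens a pre-existing file
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_xauth_entry(display_number, cookie))
    return cookie


if __name__ == "__main__":      # entrypoint use: create the file, then exec supervisord
    write_xauthority(os.environ.get("XAUTHORITY", "/run/xauth/Xauthority"))
```

In supervisord the server stanza would then read `command=Xvfb :99 -auth %(ENV_XAUTHORITY)s -nolisten tcp ...` with `environment=XAUTHORITY="/run/xauth/Xauthority"` on both program stanzas. The file must be owned by (or chowned to) the user Xvfb and gunicorn run as, since it is created with mode 0600.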

# Optional: Add filebeat or other logging agents here if needed
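Review bot: the stanza sets no startsecs, so supervisord's default of 1 second is all that separates Xvfb starting from any program with a higher priority number connecting to :99, and a process that is still alive after 1 s is not necessarily accepting connections yet. Since x11-utils is installed in the Dockerfile, a readiness check (loop on `xdpyinfo -display :99` before exec'ing the dependent program) is more robust than a fixed delay. Also confirm that the gunicorn stanza's priority is numerically greater than 5 (lower values start first); it is not part of this hunk, so ordering cannot be verified here. The earlier comment's point about `-ac` still stands: with access control off, anything that can reach the display socket can read the framebuffer and inject input, so `-nolisten tcp` plus an xauth cookie is the safer configuration.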