Reporting production considerations

To generate reports, Kibana uses a custom build of the Chromium web browser, which runs on the Kibana server in headless mode to load Kibana and capture the rendered Kibana visualizations as images. Chromium is an open-source project not related to Elastic, but the Chromium binary for Kibana has been custom-built by Elastic to make sure it works with minimal setup. The operating system that the Kibana server uses can require additional dependencies for Chromium.

For an additional layer of security, use the sandbox. The Chromium sandbox uses operating system-provided mechanisms to ensure that code execution cannot make persistent changes to the computer or access confidential information. The specific sandboxing techniques differ for each operating system.

The Linux sandbox depends on user namespaces, which were introduced with the 3.8 Linux kernel. However, many distributions don’t have user namespaces enabled by default, or they require the CAP_SYS_ADMIN capability. The reporting features automatically disable the sandbox when it is running on Debian and CentOS, as additional steps are required to enable unprivileged usernamespaces. In these situations, you’ll see the following message in your Kibana startup logs: Chromium sandbox provides an additional layer of protection, but is not supported for your OS. Automatically setting 'xpack.reporting.capture.browser.chromium.disableSandbox: true'.

Reporting automatically enables the Chromium sandbox at startup when a supported OS is detected. However, if your kernel is 3.8 or newer, it’s recommended to set xpack.reporting.capture.browser.chromium.disableSandbox: false in your kibana.yml to explicitly enable usernamespaces.

When running Kibana in a Docker container, all container processes are run within a usernamespace with seccomp-bpf and AppArmor profiles that prevent the Chromium sandbox from being used. In these situations, disabling the sandbox is recommended, as the container implements similar security mechanisms.