Start AppImage with --no-sandbox option #414

Open
wants to merge 1 commit into
base: master

sgraband
Contributor

What it does

Without this the AppImage is not running properly on newer Ubuntu versions. For more information see #363.

How to test

  1. Package the electron application (yarn && yarn build && yarn download:plugins && yarn electron package)
  2. Start the AppImage and notice that it is running with the --no-sandbox option
  3. Start the .deb and notice that the --no-sandbox option is not present

Review checklist

Reminder for reviewers

@jfaltermeier
Contributor

I don’t have a reproducer system for the issue.

I started the current AppImage with --no-sandbox and got the following:

$ ps -aux | grep no-sandbox
user  223453  9.3  0.3 1187077548 228176 pts/0 Sl+ 13:48   0:01 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --no-sandbox
user  223456  7.1  0.0  11924  2372 ?        Ssl  13:48   0:01 theiaide --no-sandbox
user  223460  0.0  0.0 34063484 49440 pts/0  S+   13:48   0:00 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --type=zygote --no-zygote-sandbox --no-sandbox
user  223461  0.0  0.0 34063484 48800 pts/0  S+   13:48   0:00 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --type=zygote --no-sandbox
user  223473  9.9  0.2 1186876644 177060 ?   Ssl  13:48   0:01 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app /tmp/.mount_theiaitBi1PH/resources/app/lib/backend/main.js --no-sandbox
user  223491  4.2  0.2 34678816 138848 pts/0 Sl+  13:48   0:00 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --type=gpu-process --no-sandbox --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --gpu-preferences=WAAAAAAAAAAgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --shared-files --field-trial-handle=3,i,6505186151642009864,16046866565412391559,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  223499  3.0  0.1 33867768 73132 pts/0  Sl+  13:48   0:00 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6505186151642009864,16046866565412391559,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  223568 83.7  0.6 1189460660 441964 pts/0 Sl+ 13:48   0:15 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app --type=renderer --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --app-path=/tmp/.mount_theiaitBi1PH/resources/app --no-sandbox --no-zygote --no-sandbox --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1730274429019154 --launch-time-ticks=18073141529 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6505186151642009864,16046866565412391559,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  224233  0.0  0.0   7348  2720 pts/2    S+   13:48   0:00 grep --color=auto no-sandbox

When I start the adjusted AppImage, it looks like this:

$ ps -aux | grep no-sandbox
user  223473  1.0  0.2 1186876644 138016 ?   Ssl  13:48   0:02 /tmp/.mount_theiaitBi1PH/theia-ide-electron-app /tmp/.mount_theiaitBi1PH/resources/app/lib/backend/main.js --no-sandbox
user  224890  5.8  0.2 34689848 138452 pts/2 Sl+  13:51   0:00 /tmp/.mount_TheiaIH0Ah0a/theia-ide-electron-app --type=gpu-process --no-sandbox --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --gpu-preferences=WAAAAAAAAAAgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --shared-files --field-trial-handle=3,i,8896260334488255401,16466640052674349048,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  224898  4.6  0.1 33867768 72736 pts/2  Sl+  13:51   0:00 /tmp/.mount_TheiaIH0Ah0a/theia-ide-electron-app --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,8896260334488255401,16466640052674349048,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  224967  119  1.1 1189462836 762876 pts/2 Rl+ 13:51   0:15 /tmp/.mount_TheiaIH0Ah0a/theia-ide-electron-app --type=renderer --enable-crash-reporter=eb9b4d7e-56c6-474e-810b-692ff24315a3,no_channel --user-data-dir=/home/user/.config/Theia IDE --app-path=/tmp/.mount_TheiaIH0Ah0a/resources/app --no-sandbox --no-zygote --no-sandbox --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1730274429019154 --launch-time-ticks=18251638068 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,8896260334488255401,16466640052674349048,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess --variations-seed-version
user  225759  0.0  0.0   7348  2720 pts/4    S+   13:51   0:00 grep --color=auto no-sandbox

It looks like we have fewer processes with the no-sandbox flag compared to when I manually include it.

So, I’m not certain this completely resolves the issue, but as mentioned I wasn’t able to properly test it.
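The comparison made in the comment above can be turned into a per-process-type count. This is an added example, not part of the original thread or the project's code; the function name and the sample lines (`SAMPLE_PS`, shortened and constructed) are assumptions for illustration.

```shell
# Summarise which Chromium/Electron process types carry --no-sandbox.
# Reads ps-style lines on stdin and scans every whitespace-separated field,
# so it works with `ps -aux` as well as `ps -eo pid,args` output.
summarize_sandbox_flags() {
  awk '
    {
      type = "browser"            # the main process has no --type= argument
      flagged = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^--type=/) type = substr($i, 8)
        if ($i == "--no-sandbox") flagged = 1   # exact match only
      }
      total[type]++
      if (flagged) nosandbox[type]++
    }
    END {
      # one line per type: <type> <with --no-sandbox>/<total>
      for (t in total)
        printf "%s %d/%d\n", t, nosandbox[t] + 0, total[t]
    }
  ' | sort
}

# Constructed sample input (not taken from a real system).
SAMPLE_PS='101 /tmp/.mount_X/app --no-sandbox
102 /tmp/.mount_X/app --type=zygote --no-zygote-sandbox --no-sandbox
103 /tmp/.mount_X/app --type=zygote --no-sandbox
104 /tmp/.mount_X/app --type=gpu-process --no-sandbox
105 /tmp/.mount_X/app --type=renderer --no-sandbox --no-zygote
106 /tmp/.mount_X/app --type=utility --service-sandbox-type=none'

printf '%s\n' "$SAMPLE_PS" | summarize_sandbox_flags
```

Running it once per capture and diffing the two summaries shows which process types lost the flag, for example a missing `zygote` line.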

@hklene

hklene commented Nov 1, 2024

OK, I downloaded your branch from:
https://github.com/eclipse-theia/theia-ide/archive/refs/heads/noSandbox.zip
Unpacked it and installed the tools:
sudo apt install cmdtest
But running yarn fails with:

holger 19:58:19  128  8 1125 ~/Downloads/theia-ide-noSandbox
$ yarn
00h00m00s 0/0: : ERROR: There are no scenarios; must have at least one.
holger 19:58:44  1  9 1126 ~/Downloads/theia-ide-noSandbox

yarn list also didn't help ...

@sgraband
Contributor Author

sgraband commented Nov 4, 2024

@hklene Since this seems to be an issue with the building, could you try to download the AppImage I have built from here (it is a zip with the AppImage inside)?
Then you should just be able to test the downloaded AppImage. Thanks for your help!

@hklene

hklene commented Nov 4, 2024

I downloaded and extracted this file:

$ md5sum TheiaIDE.AppImage 
1b5da013042c19653295341decf6e347  TheiaIDE.AppImage

I put it in a location explicitly not covered by my custom profile in /etc/apparmor.d/theia. Running it in a console prints:

$ ./TheiaIDE.AppImage 
[609805:1104/214119.272509:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_TheiaIyyskpR/chrome-sandbox is owned by root and has mode 4755.
Trace/Breakpoint ausgelöst (Speicherabzug geschrieben)

So I fear, this is a bummer ...

BTW: Moving it to the location covered by my apparmor-profile, it starts up normally and reports as:
Version 1.55.0
VS Code API Version: 1.94.2

But this is not what you were hoping for ... And I can also run with explicit "--no-sandbox" parameter - but if I understood your intention correctly, the parameter shall explicitly not be necessary, right?

More versions:

Operating System: Kubuntu 24.04
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.13
Kernel Version: 6.8.0-47-generic (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-4700MQ CPU @ 2.40GHz
Memory: 15.5 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 4600
Manufacturer: Micro-Star International Co., Ltd.
Product Name: GE70 2OC\2OD\2OE
System Version: REV:1.0
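The FATAL message quoted in the comment above names two conditions for the SUID sandbox helper: owned by root and mode 4755. The following added example (not from the thread or the project) checks them for a given path and also reports a `nosuid` mount, on which the kernel ignores the setuid bit; `check_suid_helper` is a hypothetical name and GNU `stat` is assumed.

```shell
# check_suid_helper PATH
# Returns 0 only if PATH is owned by root, has mode 4755 and sits on a
# mount that honours setuid bits; 1 if a condition fails; 2 if PATH is missing.
check_suid_helper() {
  helper=$1
  [ -e "$helper" ] || { echo "missing: $helper"; return 2; }
  set -- $(stat -c '%u %a' "$helper")   # GNU stat: owner uid, octal mode
  uid=$1
  mode=$2
  rc=0
  [ "$uid" = 0 ] || { echo "owner uid is $uid, expected 0 (root)"; rc=1; }
  [ "$mode" = 4755 ] || { echo "mode is $mode, expected 4755"; rc=1; }
  # findmnt (util-linux) is optional; skip the mount check if it is absent.
  if command -v findmnt >/dev/null 2>&1; then
    opts=$(findmnt -no OPTIONS -T "$helper" 2>/dev/null)
    case ",$opts," in
      *,nosuid,*) echo "mount has nosuid: setuid bit is ignored here"; rc=1 ;;
    esac
  fi
  [ "$rc" = 0 ] && echo "ok: $helper can act as the SUID sandbox helper"
  return "$rc"
}

# Constructed demo: an ordinary temp file with mode 755 fails the mode check.
demo=$(mktemp)
chmod 755 "$demo"
check_suid_helper "$demo"
rm -f "$demo"
```

Pointing it at the `chrome-sandbox` path printed in the error, while the AppImage is mounted, shows which of the conditions the mount fails to meet.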

@sgraband
Contributor Author

sgraband commented Nov 7, 2024

Thank you for trying it out. That probably means that we set the --no-sandbox flag too late.

I am actually not sure if we then can still ship an AppImage and solve this issue. We will need to investigate that.
