Fails to start with Flatpak

[Wgelyjr]

wgelyjr@fedora:~$ flatpak run -v com.adamcake.Bolt 
F: No installations directory in /etc/flatpak/installations.d. Skipping
F: Opening system flatpak installation at path /var/lib/flatpak
F: Opening user flatpak installation at path /home/wgelyjr/.local/share/flatpak
F: Opening user flatpak installation at path /home/wgelyjr/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: Skipping parental controls check for app/com.adamcake.Bolt/x86_64/stable since parental controls are disabled globally
F: Opening user flatpak installation at path /home/wgelyjr/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/lib32 does not exist
F: Cleaning up unused container id 2496055729
F: Cleaning up per-app-ID state for com.adamcake.Bolt
F: Allocated instance id 4037023193
F: Add defaults in dir /com/adamcake/Bolt/
F: Add locks in dir /com/adamcake/Bolt/
F: Allowing dri access
F: Allowing wayland access
F: Allowing x11 access
F: Allowing pulseaudio access
F: Pulseaudio user configuration file '/home/wgelyjr/.config/pulse/client.conf': Error opening file /home/wgelyjr/.config/pulse/client.conf: No such file or directory
F: Running '/usr/bin/bwrap --args 41 -- /usr/bin/xdg-dbus-proxy --args=40'
F: Running '/usr/bin/bwrap --args 39 -- bolt'
[0720/105811.377523:FATAL:flatpak_sandbox.cc(289)] Your Flatpak installation is setuid, which is not supported

I can't find anything with this error message, posting this issue is my last resort :)

[Adamcake]

The flatpak build relies on a feature called "unprivileged_userns_clone" being enabled in your linux kernel, and this error means that you have that feature disabled. I've only ever seen this happen on chromebooks, which makes it extra-annoying because you have to root the device to be able to change that setting.

A workaround is to run flatpak run com.adamcake.Bolt --no-sandbox.

[Wgelyjr]

That's fascinating - I'm using Fedora 40 and not on a chromebook. I wonder if the kernel Fedora is shipping has something going on? Bolt is also the only Flatpak app that is suffering this issue, of maybe ~8 that I've tested. Is that expected?

Also thank you for your quick reply on a Saturday!

(the workaround works)

[Adamcake]

Since Bolt is CEF-based (Chromium Embedded Framework), I had to do some messing around to get Chromium's sandbox and Flatpak's sandbox to work together, and the way I did that was by building CEF with the patches from org.chromium.Chromium. Those patches change the way chromium's sandbox works, to use the unprivileged_userns_clone feature. If it's not enabled then you'll get this error: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch#L787

So you'd probably find the same error with org.chromium.Chromium if you tried it, but yeah, it's a pretty obscure problem. I'm afraid I don't know how to change kernel settings on fedora, you'd have to check the user manual or ask the community.

[Wgelyjr]

Very interesting. I wonder if Fedora is starting to ship a kernel with that feature disabled.

I'm currently just trying to get the --no-sandbox option added to the desktop entry and having a terrible time, but I'm sure I can hack it.

Confirmed, Chromium does indeed throw that error - their suggested workarounds do not seem to change that feature being disabled work great, but I could just be messing it up somehow. Regardless, I'm not too worried; if you're not concerned with this, I would have no problem if you closed the issue since --no-sandbox is fine.

[Adamcake]

Depending on how Fedora built their kernel, unprivileged userns might be a setting that you can change, for example on Ubuntu it's a setting you can change via sudo systemctl I think. If they totally disabled it at build time then you can't really do anything about that, but if you can just quickly toggle it then that's probably the easiest way to go about it.

Glad I could help anyway.