Closed Wgelyjr closed 2 months ago
The flatpak build relies on a feature called "unprivileged_userns_clone" being enabled in your linux kernel, and this error means that you have that feature disabled. I've only ever seen this happen on chromebooks, which makes it extra-annoying because you have to root the device to be able to change that setting.
A workaround is to run flatpak run com.adamcake.Bolt --no-sandbox
.
That's fascinating - I'm using Fedora 40 and not on a chromebook. I wonder if the kernel Fedora is shipping has something going on? Bolt is also the only Flatpak app that is suffering this issue, of maybe ~8 that I've tested. Is that expected?
Also thank you for your quick reply on a Saturday!
(the workaround works)
Since Bolt is CEF-based (Chromium Embedded Framework), I had to do some messing around to get Chromium's sandbox and Flatpak's sandbox to work together, and the way I did that was by building CEF with the patches from org.chromium.Chromium. Those patches change the way chromium's sandbox works, to use the unprivileged_userns_clone feature. If it's not enabled then you'll get this error: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch#L787
So you'd probably find the same error with org.chromium.Chromium if you tried it, but yeah, it's a pretty obscure problem. I'm afraid I don't know how to change kernel settings on fedora, you'd have to check the user manual or ask the community.
Very interesting. I wonder if Fedora is starting to ship a kernel with that feature disabled.
I'm currently just trying to get the --no-sandbox option added to the desktop entry and having a terrible time, but I'm sure I can hack it.
Confirmed, Chromium does indeed throw that error - their suggested workarounds do not seem to change that feature being disabled work great, but I could just be messing it up somehow. Regardless, I'm not too worried; if you're not concerned with this, I would have no problem if you closed the issue since --no-sandbox is fine.
Depending on how Fedora built their kernel, unprivileged userns might be a setting that you can change, for example on Ubuntu it's a setting you can change via sudo systemctl
I think. If they totally disabled it at build time then you can't really do anything about that, but if you can just quickly toggle it then that's probably the easiest way to go about it.
Glad I could help anyway.
I can't find anything with this error message, posting this issue is my last resort :)