flathub / org.electronjs.Electron2.BaseApp


Electron 6 app won't start: No usable sandbox! Update your kernel or see ... #12

Closed jonathon-love closed 2 years ago

jonathon-love commented 4 years ago

hi,

i've updated my flatpak electron application to use electron 6 (i think i was using 3), and my application no longer starts, producing the error:

[5:0307/114755.315980:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

i haven't been able to find any information on the best way to remedy this. any suggestions?

i'm org.jamovi.jamovi

with thanks

TingPing commented 4 years ago

Launch the application with zypak-wrapper, it's part of this baseapp, it will run it inside a flatpak-based sandbox.

jonathon-love commented 4 years ago

hi,

this doesn't seem to make a difference:

flatpak run --user --command=zypak-wrapper org.jamovi.jamovi /app/bin/electron

outputs:

[2:0310/191616.750397:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

any suggestions?

with thanks

barthalion commented 4 years ago

Does your distribution support unprivileged user namespaces?

jonathon-love commented 4 years ago

that i'm not sure of. it's linux mint 19 ...

barthalion commented 4 years ago

Hm, I think it should work fine on Ubuntu-based distributions. What are the outputs of sysctl kernel.unprivileged_userns_clone and cat /proc/sys/user/max_user_namespaces?

jonathon-love commented 4 years ago

here 'tis

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
$ cat /proc/sys/user/max_user_namespaces
11749

one thing that potentially might make this more interesting is that io.atom.Atom does run on my computer (although, flatpak run io.atom.Atom exits straight away ... and then the atom window appears moments later, so they're doing something unusual).

with thanks

jonathon-love commented 4 years ago

this is my json file. pretty confident i'm doing everything right:

https://github.com/jonathon-love/org.jamovi.jamovi/blob/1.2.6/org.jamovi.jamovi.json

with thanks

TingPing commented 4 years ago

@barthalion The sandbox is spawned on the host by flatpak so I don't think unpriv namespaces is needed.

CC @refi64

refi64 commented 4 years ago

You shouldn't need unprivileged user namespaces to work.

Based on the error message, I'm guessing this is the same thing that just happened in Unity Hub. Zypak works by redirecting faking chrome-sandbox SUID sandbox binary to actually use the Flatpak sandbox, but if chrome-sandbox doesn't exist, then there's nothing to redirect and this same check you just posted will fail. I recently updated the Zypak README to explain how to work around this by creating a stub chrome-sandbox binary; try that and see if it works.

(Side note: I do plan to handle this case without needing a stub binary later on, but when I last tried it was still failing when I overrode the access call to check the sandbox's existence and I didn't have time to look into it further atm.)
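
The two checks raised in this thread (the user-namespace sysctls barthalion asked for and the presence of a chrome-sandbox file that refi64 describes) collected into one diagnostic. This is an added example, not code from the thread participants or from Zypak; the function names, the `PROC_ROOT` override and the directory you pass in are assumptions.

```shell
#!/bin/sh
# Added diagnostic; not from the thread or from Zypak.
# PROC_ROOT is a hypothetical override so the checks can run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Prints "enabled", "disabled" or "unknown" for unprivileged user namespaces.
userns_state() {
    clone="$PROC_ROOT/sys/kernel/unprivileged_userns_clone"
    max="$PROC_ROOT/sys/user/max_user_namespaces"
    # This knob only exists on kernels carrying the Debian/Ubuntu patch.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo disabled
        return
    fi
    # Upstream limit: zero means no user namespaces can be created.
    if [ -r "$max" ]; then
        if [ "$(cat "$max")" -gt 0 ] 2>/dev/null; then
            echo enabled
        else
            echo disabled
        fi
        return
    fi
    echo unknown
}

# Prints "present" if DIR/chrome-sandbox exists, else "missing".
# DIR is whichever directory holds the Electron binary in your build (assumption).
sandbox_helper_state() {
    if [ -e "$1/chrome-sandbox" ]; then echo present; else echo missing; fi
}

# One-line summary suitable for pasting into a bug report.
report() {
    echo "userns=$(userns_state) chrome-sandbox=$(sandbox_helper_state "$1")"
}

# Stand-alone use: sh check.sh /path/to/electron/dir
if [ $# -gt 0 ]; then report "$1"; fi
```

Run it from a shell inside the Flatpak sandbox so the path you pass refers to the application's own files.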