tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0
84.11k stars 2.53k forks

[bug] AppImage built in Docker container segmentation faults on startup #8975

Closed samcday closed 8 months ago

samcday commented 8 months ago

Describe the bug

I can't seem to produce a valid AppImage build from inside a Docker container. I've tried with legacy Docker, BuildKit Docker, and I've tried using ubuntu:focal, rust:1-bookworm, rust:1-buster Docker Hub images. In every case, the produced image segfaults immediately on startup.

My host system is a fully up to date Arch install, and I've also confirmed the same behaviour on my Steam Deck (which is also an Arch derivative).

Reproduction

$ cargo create-tauri-app -y --template vanilla broken-docker

$ cd broken-docker

$ sed -i 's/com.tauri.dev/foo/' src-tauri/tauri.conf.json

$ cat > Dockerfile.build <<'HERE'
FROM ubuntu:focal

RUN export DEBIAN_FRONTEND=noninteractive; apt update && \
    apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf curl build-essential wget

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
ENV PATH="/root/.cargo/bin:${PATH}"
RUN rustup target add wasm32-unknown-unknown

RUN cargo install tauri-cli

COPY src /src/src/
COPY src-tauri /src/src-tauri/

WORKDIR /src

RUN cargo tauri build --verbose
HERE

$ docker build -t broken -f Dockerfile.build .

$ docker run --rm -it broken cat /src/src-tauri/target/release/bundle/appimage/broken-docker_0.0.0_amd64.AppImage > /tmp/foo

$ file /tmp/foo
/tmp/foo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped

$ chmod +x /tmp/foo

$ /tmp/foo
[1]    60487 segmentation fault (core dumped)  /tmp/foo

$ coredumpctl debug /tmp/foo
           PID: 60487 (foo)
           UID: 1000 (sam)
           GID: 1000 (sam)
        Signal: 11 (SEGV)
     Timestamp: Sun 2024-02-25 14:34:12 CET (1min 0s ago)
  Command Line: /tmp/foo
    Executable: /tmp/foo
 Control Group: /user.slice/user-1000.slice/user@1000.service/app.slice/app-dbus\x2d:1.4\x2dorg.gnome.Console.slice/vte-spawn-ab25cedd-5b5a-43c1-b48f-85f0e3934288.scope
          Unit: user@1000.service
     User Unit: vte-spawn-ab25cedd-5b5a-43c1-b48f-85f0e3934288.scope
         Slice: user-1000.slice
     Owner UID: 1000 (sam)
       Boot ID: e85e0984ed0840aea6d76dafcf1b37e9
    Machine ID: e58638df1a66408cb4afb78364a734c8
      Hostname: sam-desktop
       Storage: /var/lib/systemd/coredump/core.foo.1000.e85e0984ed0840aea6d76dafcf1b37e9.60487.1708868052000000.zst (present)
  Size on Disk: 12.1K
       Message: Process 60487 (foo) of user 1000 dumped core.

                Stack trace of thread 60487:
                #0  0x0000723fa88c77c4 n/a (/usr/lib/ld-linux-x86-64.so.2 + 0x1e7c4)
                #1  0x0000723fa88c4583 n/a (/usr/lib/ld-linux-x86-64.so.2 + 0x1b583)
                #2  0x0000723fa88c5d6e n/a (/usr/lib/ld-linux-x86-64.so.2 + 0x1cd6e)
                #3  0x0000723fa88c4b68 n/a (/usr/lib/ld-linux-x86-64.so.2 + 0x1bb68)
                ELF object binary architecture: AMD x86-64

GNU gdb (GDB) 14.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
"/tmp/foo": not in executable format: file format not recognized
[New LWP 60487]

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.archlinux.org>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Core was generated by `/tmp/foo'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000723fa88c77c4 in ?? ()
(gdb) bt
#0  0x0000723fa88c77c4 in ?? ()
#1  0x0000000000000000 in ?? ()

Expected behavior

An AppImage produced from a ubuntu:focal container can be run on other Linux systems.

Full tauri info output

$ docker run --rm -it broken cargo tauri info
WARNING: no lock files found, defaulting to npm

[✔] Environment
    - OS: Ubuntu 20.4.0 X64
    ✔ webkit2gtk-4.0: 2.38.6
    ✔ rsvg2: 2.48.9
    ✔ rustc: 1.76.0 (07dca489a 2024-02-04)
    ✔ cargo: 1.76.0 (c84b36747 2024-01-18)
    ✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
    ✔ Rust toolchain: stable-x86_64-unknown-linux-gnu (environment override by RUSTUP_TOOLCHAIN)

[-] Packages
    - tauri [RUST]: 1.6.0
    - tauri-build [RUST]: 1.5.1
    - wry [RUST]: 0.24.7
    - tao [RUST]: 0.16.7
    - tauri-cli [RUST]: 1.5.10
    - @tauri-apps/api : not installed!
    - @tauri-apps/cli [NPM]: 1.5.10

[-] App
    - build-type: bundle
    - CSP: unset
    - distDir: ../src
    - devPath: ../src

Stack trace

No response

Additional context

No response

samcday commented 8 months ago

Figured it out. Running cargo tauri build during Docker build doesn't work. Removing that step from Dockerfile.build and then instead running docker run --rm -it image cargo tauri build works fine.

I'm very curious as to why this is, but I burned half a day on this problem. I'm not feeling adventurous enough to go exploring. I guess the Docker build environment has some serious shenanigans going on behind the scenes.

If anyone should ever stumble on this and figure it out, I'd love to know! :)
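
An added check for the extraction step in the reproduction above (not code from the thread or from Tauri): with `-t`, `docker run` attaches a pseudo-terminal, and a terminal's default output processing rewrites LF as CR LF, so a binary redirected out of `docker run -it ... cat` may not match the file inside the container. The function names and the constructed sample bytes are assumptions of this example; it flags an ELF file in which every LF byte is preceded by CR.

```shell
#!/bin/sh
# Added example, not from the thread. Sample bytes below are constructed.

# Print "<LF count> <CRLF count>" for a file, byte-exact, using POSIX od + awk.
count_lf_crlf() {
    od -An -v -tx1 "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "0a") { lf++; if (prev == "0d") crlf++ }
              prev = $i } }
        END { print lf + 0, crlf + 0 }'
}

# Classify an extracted artifact: not-elf | inconclusive | tty-mangled | clean.
# In a real binary some 0x0a bytes are not preceded by 0x0d; after a
# terminal's LF -> CRLF rewrite, every one of them is.
check_artifact() {
    magic=$(od -An -v -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 2; }
    counts=$(count_lf_crlf "$1")
    lf=${counts% *}
    crlf=${counts#* }
    [ "$lf" -gt 0 ] || { echo "inconclusive"; return 3; }
    if [ "$lf" -eq "$crlf" ]; then echo "tty-mangled"; return 1; fi
    echo "clean"
}

# Constructed samples: a tiny ELF-magic blob, and the same bytes with CR
# inserted before each LF.
make_samples() {
    printf '\177ELF\001\n\002\003\n\004' > "$1/clean.bin"
    printf '\177ELF\001\r\n\002\003\r\n\004' > "$1/mangled.bin"
    printf 'plain text\n' > "$1/notelf.bin"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in clean mangled notelf; do
    printf '%s: %s\n' "$f" "$(check_artifact "$demo_dir/$f.bin")"
done
rm -rf "$demo_dir"
```

Run `check_artifact /tmp/foo` on the file written by the `docker run --rm -it broken cat` step. `docker cp`, or `docker run` without `-t`, moves the bytes without a terminal in the path.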