Packaging Electron v5 with sandbox (linux) #3872
Comments
|
Can't the old behavior be resolved by specifying Seems like it could be a viable workaround. I've disabled our snaps for now but would be nice to have a workaround. |
|
sandbox: false doesn't seem to fix thigns. I still get: "Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted |
|
This might be possible if we pass --no-sandbox to the electron command line but I can't figure out how to set this in electron-builder. |
|
To my knowledge, as of now, one can not disable the sandbox/sandbox-helper with an electron builder configuration. @burtonator see the initial comment for the workaround I chose to use for snaps and AppImage builds, (afterPack hook/electron wrapper script). An electron-builder build-option to disable/configure the sandbox would be better, but until the situation is resolved I'll use the workaround. |
|
I implemented a hack where I renamed the main script to myapp.bin and then added the --no-sandbox argument manually and it worked fine. Not pretty but at least we have code pushed! |
|
@burtonator i resolved with this solution, but the problem is now, that we get 2 icons instead of 1 and is exactly because we use the |
|
|
|
@p3x-robot this is probably OS related as I don't have such issue with Xfce nor with Ubuntu 19.04, you can try the app yourself https://github.com/vladimiry/ElectronMail/releases (AppImage / Snap packages). |
|
would you mind show if works with p3x-onenote? |
|
@vladimiry it shows exactly because of this, if you have a bottom bar with icons, like shortcuts, it will show 2 icons, which is ugly, many distros have this shortcuts (not in the menu...) and it only happens on
|
|
still an ugly hack. not 100% |
|
@p3x-robot what is that panel at the bottom (how do I enable it)? |
|
@vladimiry this is linux mint applet panel for the menu, for now i removed and run from the menu, but you have the same issue and everyone. it is still a proper solution, about 90%. it is sure that if you use a shortcut instead from menu, it will appear twice any distro i think. I got 2 electron apps, same issue.
|
Which edition of Linux Mint (Cinnamon, Mate, Xfce)? |
|
@vladimiry Linux Mint 19.1 Cinnamon, the most used |
|
I don't believe it depends on the no-sandbox option but is related to the OS/panel setup and the way bash/sh preloader-like script used. Going to reproduce the issue first. |
|
@vladimiry well, you are right, but v4 works with 1 icon as it is supposed, with v5 it only works with the |
|
@vladimiry weird bug |
|
Try running the AppImage without sh/bash preloader but with |
|
@vladimiry yeah it works passing the |
|
the only problem is, how can i upload to github as i used to flag |
|
I stopped publishing the packages to GitHub by electron-builder for a list of reasons. There might be some hook/event in between building the package and uploading it, but I'm not aware of it. |
|
it works: rm -rf dist && electron-builder --ia32 --x64 --linux && electron-builder -p alwaysit builds it, it uses |
|
i cannot upload, what do you use to upload releases and tags in github? i see in github-api to create a release, but how can i upload the files ? |
|
i can create a tag via github-api, my only problem is that when i it auto upload tries to itself the sha512 sum are wrong, here, as i changed the file, how can is calcaulte? it is not even sha512sum, but some base64: |
|
|
|
i had to generate the sha512 as well, but i fixed , i am on electron 6 and all perfect! |
|
if anyone is interested in fix the AppImage adding the |
|
besides it is an |
|
actually i moved in the builder into its own microservice, so it is like this: and the package.json: {
"name": "p3x-onenote",
"version": "2019.10.281",
"description": "📚 P3X OneNote Linux",
"main": "src/electron/app.js",
"corifeus": {
"snap": true,
"prefix": "p3x-",
"publish": true,
"type": "p3x",
"code": "Linux",
"nodejs": "v12.7.0",
"opencollective": true,
"reponame": "onenote",
"build": true
},
"bin": {
"p3x-onenote": "bin/p3x-onenote.js"
},
"scripts": {
"test": "grunt",
"build": "electron-builder --ia32 --x64 build/dist",
"build-test": "electron-builder build/dist -p always",
"postinstall": "opencollective postinstall",
"start": "node ./node_modules/.bin/electron ./src/electron/app.js",
"publish-electron": "rm -rf dist && electron-builder -p onTagOrDraft --ia32 --x64 --linux",
"publish-electron-snap": "electron-builder --linux snap -p never",
"publish-electron-yml": "node ./node_modules/corifeus-builder/src/utils/appimage/post-build.js"
},
"repository": {
"type": "git",
"url": "git+https://github.com/patrikx3/onenote.git"
},
"keywords": [
"onenote",
"linux"
],
"author": "Patrik Laszlo <[email protected]>",
"license": "MIT",
"bugs": {
"url": "https://github.com/patrikx3/onenote/issues"
},
"homepage": "https://pages.corifeus.com/onenote",
"dependencies": {
"@fortawesome/fontawesome-free": "^5.10.1",
"angular": "^1.7.8",
"angular-animate": "^1.7.8",
"angular-aria": "^1.7.8",
"angular-material": "^1.1.19",
"angular-messages": "^1.7.8",
"configstore": "^4.0.0",
"corifeus-utils": "^2019.10.140",
"electron-updater": "^4.1.2",
"jquery": "^3.4.1",
"opencollective": "^1.0.3",
"semver": "^6.3.0",
"typeface-roboto": "0.0.75"
},
"devDependencies": {
"angular-mocks": "^1.7.8",
"corifeus-builder": "^2019.10.223",
"electron-builder": "^21.2.0",
"escape-string-regexp": "^2.0.0",
"fs-extra": "^8.1.0",
"github-api": "^3.2.2",
"globby": "^10.0.1",
"jsdom": "^15.1.1",
"yaml": "^1.6.0"
},
"build": {
"afterAllArtifactBuild": "./node_modules/corifeus-builder/src/utils/appimage/after-all-artifact-build.js",
"publish": [
{
"provider": "github",
"owner": "patrikx3",
"repo": "onenote"
}
],
"appId": "p3x.onenote",
"copyright": "MIT",
"productName": "P3X OneNote",
"linux": {
"category": "Office",
"icon": "src/electron/images/",
"target": [
"AppImage"
]
},
"snap": {
"environment": {
"DISABLE_WAYLAND": 1
}
}
}
}a publish is like this #!/usr/bin/env bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TOP=$DIR/..
pushd $TOP
grunt
export GH_TOKEN=$(cat $DIR/token.txt)
npm run publish-electron
npm run publish-electron-yml
npm run publish-electron-snap
export VERSION=$($DIR/get-version.js)
SNAP_FILE=p3x-onenote_${VERSION}_amd64.snap
pushd dist
####snapcraft login
snapcraft push --release=beta $SNAP_FILE |
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on distros like Debian. Part of electron-userland#3872
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on distros like Debian. Part of #3872
The Snap case was handled months ago, ref https://github.com/electron-userland/electron-builder/blame/fc311995c196f1063ceb2d0bb0af61beac6038e8/packages/app-builder-lib/src/targets/snap.ts#L188 |
|
Thanks. (Snap won't install on my machine, so I haven't been able to test.) It sounds like the problem is now just limited to AppImage installations. |
With electron 5 the sandbox is enabled by default. The sandbox requires elevated rights to run.
This can be achieved if the kernel has
kernel.unprivileged_userns_cloneenabled or a SUID flag is set onchrome-sandbox.If
unprivileged_userns_cloneis disabled (default for Arch) the SUID-flag is required.To disable / enable said kernel feature:
Snaps cannot use the SUID flag (automatic app review) and seem to prevent access to the kernel feature.
One can disable the sandbox by running electron with the
--no-sandboxargument.As a workaround, I currently use an after-pack hook to wrap the electron binary and append the
--no-sandboxargument, which seemed to be to be the only way to add the sandbox argument. (app.commandLine.appendSwitchdoes not work since electron has already launched)https://github.com/thomasnordquist/MQTT-Explorer/blob/master/scripts/afterPack.ts
Electron issue concerning this: electron/electron#17972
The text was updated successfully, but these errors were encountered: