add bwrap Apprun

[Jo-Blade]

This is a try to create a new Apprun using bwrap and without doing chroot.
It needs bubblewrap to be installed on the machine that will run the AppImage.

It allows all files from the root folder to be visible inside the appimage. For example, vim can now load plugins or run LSP server installed outside the AppImage.

However, if /nix already exist on the computer, it will be replaced inside the bwrap sandbox by the /nix of the AppImage. So it's not meant to be used in nixos or any computer with nix already installed.

I didn't tested, but normally bwrap don't prevent to create user namespaces (related to #10 ), so you should be able to run chromium or any electron apps. However you may still need nixGL for opengl related things.

The apprun is written in bash and can probably be improved, I'm open to suggestions and thank you for your incredible project !

[ralismark]

I'll have a proper review later, but for now:

It needs bubblewrap to be installed on the machine that will run the AppImage.

I would consider this a dealbreaker. You might be able to avoid this requirement by bundling bwrap by doing cp ${bubblewrap}/bin/bwrap $out/bwrap.

However, if /nix already exist on the computer, it will be replaced inside the bwrap sandbox by the /nix of the AppImage. So it's not meant to be used in nixos or any computer with nix already installed.

If you bind mount all the individual nix/store/* entries instead of just /nix you might be able to get around this? But you might hit argument count limits.

[Jo-Blade]

It needs bubblewrap to be installed on the machine that will run the AppImage.

I would consider this a dealbreaker. You might be able to avoid this requirement by bundling bwrap by doing cp ${bubblewrap}/bin/bwrap $out/bwrap.

Yes I agree. But don't we need to build bubblewrap statically to make it to work ? I just need to verify that bwrap don't need to install any setuid binary on the host. But it should be possible to overcome this requirement. I'll try this later

If you bind mount all the individual nix/store/* entries instead of just /nix you might be able to get around this? But you might hit argument count limits.

Yes it should work but I don't like this idea. The /nix/store can have hundreds of entries so it will probably cause a big performance hit in the best case. The solution for me should be to develop a fuse filesystem just for this usecase.

But honestly I'm not sure it's very interesting to fix this issue... I mean, if the /nix folder already exist, we should probably don't need bwrap at all and do a specific Apprun. Moreover, is there really a usecase of using this project if nix is installed yet on the target machine ?

[Jo-Blade]

Ah and I don't know if you looked to https://github.com/DavHau/nix-portable yet ? I didn't looked at the source code for now to make this PR, but they use similar techniques as I know

[Jo-Blade]

I just pushed a new commit to include a statically linked bwrap binary in the appimage. It should no longer be necessary to install bubblewrap on the target system. Please report if you experiment any bug.

I did nothing about the hidden nix/store issue in the appimage. You're still unable to run any nix program inside the appimage mount namespace. As stated before, I don't think it's a major issue as to my mind this project targets mainly systems where nix is not installed