Not Able to install the AppImage

[rikirenz]

Describe the bug
I am not able to install the application on Linux CERN CentOS 7

To Reproduce
Steps to reproduce the behavior:

1. Download the package: cern-phone-app-0.5.4-x86_64-linux.AppImage
2. Make it executable
3. Run it using: ./cern-phone-app-0.5.4-x86_64-linux.AppImage
4. And you get this error:

[3385:1001/094549.397285:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/rcandido/.mount_cern-pBp3Bst/chrome-sandbox is owned by root and has mode 4755.
[1]    3385 trace trap (core dumped)  ./cern-phone-app-0.5.4-x86_64-linux.AppImage

Expected behavior
I should be able to install it

Desktop (please complete the following information):

• OS: CentOS Linux
• Version: 7.5.1804 (Core)
• App Version: cern-phone-app-0.5.4-x86_64-linux

Additional context

• I have tried to give full access to the file using chmod 777 cern-phone-app-0.5.4-x86_64-linux.AppImage
• I have tried to run it using SUDO
• I follow this tutorial because I did not know this application format: https://itsfoss.com/use-appimage-linux/

[probonopd]

What happens if you start it with ./cern-phone-app-0.5.4-x86_64-linux.AppImage --no-sandbox?

And what happens if you enable unprivileged access to CLONE_NEWUSER in your kernel using sudo sysctl kernel.unprivileged_userns_clone=1 and then start it with ./cern-phone-app-0.5.4-x86_64-linux.AppImage?

[renefs]

We've just made some tests and with ./cern-phone-app-0.5.4-x86_64-linux.AppImage --no-sandbox should work fine. It is a workaround, not a perfect solution, but we need to investigate more here. In fact, in Ubuntu works fine, so our guess is that is something related with the OS

[probonopd]

Yes, many systems including Ubuntu set sudo sysctl kernel.unprivileged_userns_clone=1 by default. As a result, the Chrome sandbox does not need root privileges on those systems.

[probonopd]

If you want to go the --no-sandbox route, you can use a custom AppRun bash script inside the AppImage that would call the main executable with --no-sandbox so that the user does not have to.

[renefs]

@probonopd I'm not very familiar with this kind of things. Do you have any examples of how can this be done?

[probonopd]

# Download AppImage and appimagetool and make them executable
wget -c "https://github.com/cern-phone-apps/desktop-phone-app/releases/download/v0.5.4/cern-phone-app-0.5.4-x86_64-linux.AppImage"
wget -c "https://github.com/AppImage/AppImageKit/releases/download/12/appimagetool-x86_64.AppImage"
chmod +x *.AppImage

# Extract the AppImage in order to be able to edit its contents
./cern-phone-app-0.5.4-x86_64-linux.AppImage --appimage-extract

# Patch the call in the bash script that executes the main application, add "--no-sandbox"
sed -i -e 's|"$BIN"|"$BIN" --no-sandbox|g' squashfs-root/AppRun

# Fix desktop file
sed -i -e 's|^Icon=.*|Icon=cern-phone-app|g'  squashfs-root/cern-phone-app.desktop

# Repack AppImage
export VERSION=$(ls cern-phone-app-0.5.4-x86_64-linux.AppImage | cut -d "-" -f 4)
./appimagetool-x86_64.AppImage squashfs-root/

# Verify that it runs
./CERN_Phone_App-x86_64.AppImage 

[renefs]

Thank you @probonopd for your help. We are going to give it a try and check if we can implement this on our release workflow. My guess is that other Electron apps must be also doing this somehow

[probonopd]

Other Electron apps may also be running into the same issue, but possibly more of your users are running a distribution that does not allow unprivileged access to CLONE_NEWUSER in the kernel by default than in the "general population". This issue does not appear on "mainstream" distributions such as Ubuntu, because the allow unprivileged access to CLONE_NEWUSER in the kernel by default.

[renefs]

Currently we are trying to use Docker in order to patch and repack the application, but we are getting:

root@d26451a5bfa2:~# ./appimagetool-x86_64.AppImage squashfs-root/
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage
if you run it with the --appimage-extract option.
See https://github.com/AppImage/AppImageKit/wiki/FUSE
for more information
open dir error: No such file or directory

So we are trying to fix this error. Once it's done, we will be able to repack the app and make it fully compatible with Centos 7 :)

[probonopd]

You did read the linked page, did you? ;-)

When running an AppImage from a Docker container you may get errors

Just do: ./appimagetool-x86_64.AppImage squashfs-root/ --appimage-extract-and-run