FATAL Unable to start riot 1.3.2 after upgrade #10509

Closed
532910 opened this issue Aug 6, 2019 · 29 comments

@532910
Contributor

commented Aug 6, 2019

% riot-web 
[19945:0806/110917.237662:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Riot/chrome-sandbox is owned by root and has mode 4755.
% l /opt/Riot/chrome-sandbox 
-rwxr-xr-x 1 root root 5.0M 2019-08-05 17:15 /opt/Riot/chrome-sandbox*
% apt policy riot-web 
riot-web:
  Installed: 1.3.2
  Candidate: 1.3.2
  Version table:
 *** 1.3.2 500
        500 https://packages.riot.im/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status

@532910 532910 added the bug label Aug 6, 2019

@jryans

Member

commented Aug 6, 2019

What was the version you upgraded from?

@jryans jryans added support type:electron and removed bug labels Aug 6, 2019

@532910

Contributor Author

commented Aug 6, 2019

1.3.0 IIRC

@SISheogorath


commented Aug 6, 2019

Same problem appears on flatpak: flathub/im.riot.Riot#59

And I was able to reproduce the issue locally as well. I wonder if we can do anything to help here.

@jryans

Member

commented Aug 6, 2019

We did upgrade to Electron 5 as part of the recent release, so it could be related to this.

@jryans

Member

commented Aug 6, 2019

It seems related to this issue reported to electron-builder. I see some workarounds suggest running Electron with --no-sandbox, but I am not sure of the best way to apply that. Could someone affected try some of the workarounds mentioned there?

@532910

Contributor Author

commented Aug 6, 2019

% riot-web --no-sandbox works

@jryans

Member

commented Aug 6, 2019

Looking at the related Electron issue, what about if you do:

$ sudo sysctl kernel.unprivileged_userns_clone=1

and then test running riot-web without any special sandbox options? This enables an OS feature called CLONE_NEWUSER; you can read more about it.

The above sysctl setting is the default on Ubuntu 18.04, but it may not be enabled on your distro.

@532910

Contributor Author

commented Aug 6, 2019

Yes, it works with kernel.unprivileged_userns_clone=1. Looks like it's 0 by default on Debian systems.

@jryans

Member

commented Aug 6, 2019

Okay, it's good to know there are several possible approaches to get Riot working. This seems to be something that would affect any app using Electron 5 or later.

We'll keep watching the Electron packaging tools for any news on the right way to bake in a workaround for this issue, but for now I would suggest using one of the workarounds mentioned above.

@jryans jryans added p1 upstream-issue bug and removed support labels Aug 6, 2019

@aaronraimist

Contributor

commented Aug 6, 2019

@jryans see electron/electron#17972 (comment). This is intentional.

@jryans

Member

commented Aug 6, 2019

I understand that. It's possible the Electron packaging tools may add more helpers to smooth over the situation though, and that's what we can watch out for.

@aaronraimist

Contributor

commented Aug 6, 2019

It says

You must ensure that your distributed packages to set the appropriate permissions. Most tools (at least electron-builder, electron-installer-snap, electron-installer-debian, and electron-installer-redhat) support this automatically and require no configuration from the developer.

and I believe Riot is using electron-builder, so presumably Riot is just using an old version that doesn’t have this, so we should update.

@jryans

Member

commented Aug 6, 2019

The related electron-builder issue suggests it's only fixed for snaps, so the full status is unclear. But anyway, it's something to try.

@gerroon


commented Aug 6, 2019

I have the same issue with Debian Repo and Flatpak installs

riot-web 
[25601:0806/091123.244387:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Riot/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

@croulibri


commented Aug 6, 2019

I face exactly the same situation as @gerroon !

@SISheogorath


commented Aug 6, 2019

@croulibri For Flathub I decided to roll back to 1.3.0 until we find a usable solution. I'll experiment with the disabled sandbox. It's a general hot topic that various Electron apps are facing right now.

@quazgar


commented Aug 7, 2019

Would this work as a workaround?

sudo chmod +s /opt/Riot/chrome-sandbox

@gerroon


commented Aug 7, 2019

@quazgar that would not work for the Flathub install.

@gerg5c42g542g2c54g52c


commented Aug 8, 2019

Why isn't this fixed yet?! I couldn't contact my mom because of this! And why is disabling sandbox suggested?

See for workaround: electron/electron#17972

@t3chguy

Collaborator

commented Aug 8, 2019

@gerg5c42g542g2c54g52c because the workaround has to be implemented in electron-builder.
No way to implement it at the Riot level without forking electron-builder.

@croulibri


commented Aug 11, 2019

On Debian Buster, with Riot from Riot repository, doing
sudo sysctl kernel.unprivileged_userns_clone=1
solves the problem.
The upgrade to 1.3.2 works.

Thanks @jryans

@croulibri


commented Aug 12, 2019

But I have to do
sudo sysctl kernel.unprivileged_userns_clone=1
after every reboot :-(
Is there a more sustainable way?

@jryans

Member

commented Aug 12, 2019

You can make it persist across reboots by editing /etc/sysctl.conf.

@abeluck

Contributor

commented Aug 16, 2019

So without the hacky sysctl workaround, riot-web is broken on Debian right now?

Just rebooted and discovered I couldn't open riot :/

@jryans

Member

commented Aug 16, 2019

As I understand it, this would affect any application using Electron 5 or later.

@jryans

Member

commented Aug 16, 2019

As a summary of the current state, on distros like Debian which disable CLONE_NEWUSER for unprivileged users, there are two possible workarounds:

  1. You can decide to trust the user namespacing API and allow it for unprivileged users via sudo sysctl kernel.unprivileged_userns_clone=1 and / or persisting in /etc/sysctl.conf
  2. You can decide to trust the Electron distributed with Riot only by running sudo chmod 4755 /opt/Riot/chrome-sandbox

Trusting a specific app (2) instead of an entire API (1) seems like a smaller trust surface. It looks like the Chrome team considers user namespaces to be the modern way forward, but if some key distros like Debian disagree, then applications are sort of stuck in the middle like this.
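
The two prerequisites summarised in the comment above can be checked before picking a workaround. The script below is an added example, not part of the original thread or of Riot's packaging: `classify` and `report` are hypothetical helper names, the path and sysctl name are the ones quoted in the issue, and it assumes GNU `stat` and that only an explicit `1` in the sysctl counts as user namespaces being allowed.

```shell
#!/bin/sh
# Added example (not from the thread): report which sandbox prerequisites hold.
# Path and sysctl name are the ones quoted in the issue; override SANDBOX to
# check another Electron app.
SANDBOX="${SANDBOX:-/opt/Riot/chrome-sandbox}"
USERNS_KNOB=/proc/sys/kernel/unprivileged_userns_clone

# classify OWNER MODE USERNS  (hypothetical helper)
#   OWNER  owner name of the helper, MODE octal mode as printed by stat -c %a
#   USERNS value of kernel.unprivileged_userns_clone, or "absent"
# Prints: suid, userns, suid+userns, or none (the state behind the FATAL).
# Assumption: only an explicit 1 is counted as user namespaces being allowed.
classify() {
    owner=$1; mode=$2; userns=$3; result=""
    if [ "$owner" = root ] && [ "$mode" = 4755 ]; then
        result=suid
    fi
    if [ "$userns" = 1 ]; then
        result="${result:+$result+}userns"
    fi
    echo "${result:-none}"
}

# report: read the live values and print one summary line (hypothetical helper).
report() {
    owner=$(stat -c %U "$SANDBOX" 2>/dev/null) || owner=missing
    mode=$(stat -c %a "$SANDBOX" 2>/dev/null) || mode=missing
    if [ -r "$USERNS_KNOB" ]; then
        userns=$(cat "$USERNS_KNOB")
    else
        userns=absent
    fi
    printf '%s owner=%s mode=%s userns_clone=%s -> %s\n' \
        "$SANDBOX" "$owner" "$mode" "$userns" \
        "$(classify "$owner" "$mode" "$userns")"
}

report
```

The state in the original report (owner root, mode 755, sysctl 0) classifies as `none`; either workaround moves it to `suid` or `userns`.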

@jryans

Member

commented Aug 16, 2019

I think I see a path forward by tweaking electron-builder... Let's see how it takes. 😅

@jryans jryans self-assigned this Aug 16, 2019

@jryans jryans added this to In Progress in Workflow via automation Aug 16, 2019

jryans added a commit that referenced this issue Aug 16, 2019

Upgrade electron-builder to 21.2.0
This is meant to help with:

* macOS packaging for Electron 6 (#10473)
* Linux desktop file should not have quotes (#6421)

It did not help with:

* Linux sandbox for Electron 5 (#10509)

Fixes #6421
Part of #10473

@jryans jryans moved this from In Progress to In Review in Workflow Aug 16, 2019

@jryans jryans moved this from In Review to In Progress in Workflow Aug 16, 2019

jryans added a commit that referenced this issue Aug 16, 2019

Set SUID bit on chrome-sandbox for Debian
This tweaks Linux packages for Riot to SUID `chrome-sandbox` after install. This
is required as of Electron 5 for certain distros, such as Debian.

This change has also been provided to `electron-builder` upstream, so ideally
they'll include it in the future and this becomes redundant.

Fixes #10509

@jryans jryans moved this from In Progress to In Review in Workflow Aug 16, 2019

Workflow automation moved this from In Review to In Test Aug 16, 2019

@jryans

Member

commented Aug 16, 2019

Riot now includes the SUID approach on develop, and it will be included in the next release.

RiotRobot added a commit that referenced this issue Aug 16, 2019

Set SUID bit on chrome-sandbox for Debian
This tweaks Linux packages for Riot to SUID `chrome-sandbox` after install. This
is required as of Electron 5 for certain distros, such as Debian.

This change has also been provided to `electron-builder` upstream, so ideally
they'll include it in the future and this becomes redundant.

Fixes #10509

@jryans jryans moved this from In Test to In RC in Workflow Aug 16, 2019

@jryans

Member

commented Aug 16, 2019

This has now been released as Riot 1.3.3 for Linux only.
