netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page: https://firejail.wordpress.com

Cannot run neovim appimage (Linux Lite)

Rosika2 opened this issue

Hi all, 👋

my system is Linux Lite 6.2 and my firejail version is 0.9.72.

Alas I face issues when trying to run neovim as an appimage in firejail. 😞
I did the following:

I downloaded the file nvim.appimage from github and also checked the sha256 sum. It's perfectly alright. Now I tried to run it in firejail:

firejail --appimage ./nvim.appimage

but somehow it didn't work as expected. I just got this:

firejail --net=none --appimage ./nvim.appimage
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 17634, child pid 17636

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Child process initialized in 424.30 ms

Nothing more. Finally I aborted with ctrl+C:

^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...
Vim: Caught deadly signal 'SIGTERM'

Vim: Finished.

Parent is shutting down, bye...

AppImage detached

Curiously it worked as expected in my Debian virtual machine:

firejail --appimage ./nvim.appimage                             
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc                                            
Reading profile /etc/firejail/disable-passwdmgr.inc                                         
Reading profile /etc/firejail/disable-programs.inc                                          
Warning: networking feature is disabled in Firejail configuration file                      

** Note: you can use --noprofile to disable default.profile **                              

Parent pid 3219, child pid 3231

**     Warning: dropping all Linux capabilities     **                                      
Child process initialized in 449.33 ms

Parent is shutting down, bye...
AppImage unmounted

No problems there.
And it provides the neovim output as it's supposed to be. The only difference I could spot is Linux Lite and Debian are using two different versions of firejail.

Debian: firejail version 0.9.58.2 and Linux Lite: 0.9.72.

So it seems the newer version introduces some problems with regard to the neovim appimage?

What might be amiss here ❓

Many thanks in advance for your help...
... and many greetings from Rosika 🙂

> Reading profile /etc/firejail/default.profile

AppImages need special care in Firejail. Besides the --appimage option you'll need to add --profile=nvim to use its dedicated profile.

> Warning: networking feature is disabled in Firejail configuration file

FYI: disabling networking in /etc/firejail/firejail.config might not pose a problem for neovim, but will obviously break other applications (e.g. curl, firefox, git, wget etcetera). Which is why it's enabled in /etc/firejail/firejail.config by default.

The actual question that springs to mind when first reading your issue is why you're using an AppImage in this context. Any particular reason why you're not installing/using neovim from your distro repositories (via apt)?

> Debian: firejail version 0.9.58.2 and Linux Lite: 0.9.72.

Update your Debian VM, 0.9.58.2 is unsafe to use and no longer supported.

HTH

Hi @glitsj16, 👋

thanks for your reply. ❤️

It hadn't occurred to me to add the nvim profile parameter. Sorry.
Well, I did it now:
firejail --appimage --profile=nvim nvim.appimage
but I arrived at the same results as in my first post. No improvement there. 🤔

> Any particular reason why you're not installing/using neovim from your distro repositories (via apt)?

Well, I never used neovim before but got interested in it.
Appimages provide a nice way of trying out the package without having to install it.

> Update your Debian VM, 0.9.58.2

Right. I'll do that. Thanks for the hint.
For what it's worth, this way I realized that the appimage version used to work with an older version of firejail.

I was just curious about it.

Thanks for your help and for the links you provided.

Many greetings from Rosika 🙂

P.S.:

Here it says:

> Sandboxing neovim
>
> If you want to restrict what neovim can do on your system, you can run the AppImage in a sandbox like Firejail. This is entirely optional and currently needs to be configured by the user.

So, theoretically it could be done.
Unfortunately they weren't much clearer on the "needs to be configured by the user" part

> No improvement

Try commenting options line by line to find the one that's causing the breakage. Several profiles disable private-dev for AppImages, so you can start there via --ignore=private-dev.
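
The option-by-option elimination suggested in the comment above can be scripted. This is an added example, not part of the original thread or of the firejail project. It assumes the profile lives at /etc/firejail/nvim.profile, treats "works" as a headless nvim start that quits within a timeout, and uses hypothetical function names (profile_directives, try_run, bisect_profile):

```shell
#!/bin/sh
# Added example: find which profile directive keeps the AppImage from starting,
# by re-running firejail with one directive ignored per run.
# Assumptions: PROFILE path, TIMEOUT value and the "headless start" success test.
PROFILE="${PROFILE:-/etc/firejail/nvim.profile}"
TIMEOUT="${TIMEOUT:-15}"

# Print each directive of a profile: drop comment lines, trim blanks, drop empty lines.
profile_directives() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Start the AppImage once; remaining arguments are extra firejail options.
# Succeeds only if nvim starts headless and exits before TIMEOUT seconds.
try_run() {
    appimage=$1; shift
    timeout "$TIMEOUT" firejail --quiet --appimage "$@" "$appimage" \
        --headless +qa </dev/null >/dev/null 2>&1
}

# Print every directive whose removal lets the AppImage start.
bisect_profile() {
    appimage=$1
    if ! try_run "$appimage" --noprofile; then
        echo "fails with --noprofile too: the profile is not the cause" >&2
        return 2
    fi
    if try_run "$appimage" "--profile=$PROFILE"; then
        echo "starts with $PROFILE: nothing to bisect" >&2
        return 0
    fi
    profile_directives "$PROFILE" | while IFS= read -r directive; do
        if try_run "$appimage" "--profile=$PROFILE" "--ignore=$directive"; then
            printf '%s\n' "$directive"
        fi
    done
}

# Usage: sh bisect.sh ./nvim.appimage
if [ "$#" -gt 0 ]; then
    bisect_profile "$1"
fi
```

An empty result together with a failing `--noprofile` run points away from the profile and towards the host system or the AppImage itself.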

Hi @glitsj16, 👋

thanks for your help.

Yet I'm sorry to say there was no improvement. 😞
I commented all options one by one but nothing helped. I always arrived at the same result as pointed out in my first post.

Seems like firejail version 0.9.72 won't handle neovim appimage anymore.

Still: thanks so much for your time and help. ❤️

Many greetings from Rosika 🙂

Hi @Rosika2,

> Seems like firejail version 0.9.72 won't handle neovim appimage anymore.

That's not what I'm seeing here. I've just downgraded my firejail installation to 0.9.72, downloaded the nvim.appimage from https://github.com/neovim/neovim/releases and that runs fine via firejail.

I'm not familiar with Linux-Lite, but it might have a glibc that's incompatible with your specific nvim.appimage. Check minimal requirements on https://github.com/neovim/neovim for AppImage support, and your OS support for glibc issues.

Hi @glitsj16, 👋

thanks for your latest help.

> I've just downgraded my firejail installation to 0.9.72, downloaded the nvim.appimage [...]

Oh dear. I didn't want to cause you so much work. I'm almost feeling a bit bad about it. So sorry. 😞

But it turns out your instinct led you in the right direction.
It really seems that Linux Lite is to blame.

To verify it I just copied nvim.appimage from my host (Linux Lite 6.2) to my other virtual machine (Archlinux).
It runs the same version of firejail as my host: 0.9.72.
Here I entered firejail --appimage --profile=nvim nvim.appimage and it runs perfectly:

Reading profile /etc/firejail/nvim.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 845, child pid 846

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 244.70 ms

Parent is shutting down, bye...
AppImage detached

Absolutely no problem, and I got the right interface.
On Linux Lite I guess I'd have to install neovim then. I suppose that won't introduce the problems the appimage version does.

I'm really sorry to have bothered you with the issue.
I hope you don't mind.

Thanks a lot for your help. ❤️
Have a nice day and cheers from Rosika. 🙂

> Oh dear. I didn't want to cause you so much work. I'm almost feeling a bit bad about it. So sorry.

That's quite all right. Switching between stable and git happens regularly when assisting users on issues.

> On Linux Lite I guess I'd have to install neovim then. I suppose that won't introduce the problems the appimage version does.

Indeed, I think that's your best option on Linux Lite.

No need to apologize really. Nothing got broken by temporarily downgrading firejail here. Comes with the turf ;)

Likewise, have a nice day and happy firejailing :-)

Thanks @glitsj16 for your kind words. ❤️

Your help is always welcome and much appreciated.

Have a nice day and many greetings from Rosika 🙂

@Rosika2 on Apr 23:

> On Linux Lite I guess I'd have to install neovim then. I suppose that
> won't introduce the problems the appimage version does.

Does installing neovim directly work?

If not, can you test whether the appimage works without firejail?

Would be interesting to know if the issue is that firejail is incompatible with
appimages in that distribution.

@kmk3 :

Hi Kelvin, 👋

thanks for your comment.

I actually installed neovim on my system today.
In order to get the newer version than the one the official repo provides I did it thus:

sudo add-apt-repository ppa:neovim-ppa/stable -y
sudo apt update
sudo apt install neovim

And indeed it works the desired way. No problems there. 👍

Firetool stats says:

Command: firejail nvim
Profile: /etc/firejail/nvim.profile

Cheers from Rosika 🙂