transformerlab
When installing on Ubuntu 24.04 server, appimage doesn't launch.
(base) smhanov@megos:~/Applications$ ./Transformer-Lab-0.6.1_5e99536bedd26661b13e868ed1b86bca.AppImage [523892:1106/191201.202261:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_TransfJ4qEua/chrome-sandbox is owned by root and has mode 4755.
I need to start it with the --no-sandbox option and then it works:
./Transformer-Lab-0.6.1_5e99536bedd26661b13e868ed1b86bca.AppImage --no-sandbox
Facing the same. It seems to be an issue with all electron based apps, which apparently is due to the apparmor package.
Current fix is either the --no-sandbox flag or running sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 (however I dont know the implications of this command).
But it seems that the next version of Electron will fix this issue? I would suggest to the developers to keep an eye to update to the newest electron when it comes out, or add this as a FAQ somewhere.
Thanks for finding that mention about Electron @Kostis-S-Z I will keep an eye out for the next v26 build. It looks like they publish builds every month https://www.npmjs.com/package/electron-builder?activeTab=versions
Still waiting for this fix in electron. Added a note to the docs about --no-sandbox for now.
@aliasaria @dadmobile @smhanov There is a better solution instead of disabling the benefits of sandboxing~
to understand the issue, it's that Ubuntu 23.XX and higher versions implemented a stricter security model through AppArmor that specifically targets unprivileged user namespaces2.
you can review the full article
For a complete understanding of this issue, including technical details, implementation specifics, you can take a look at:
For a more direct practical solutions and safest options, you can take a look at:
Basically the issue happens because AppImages are FUSE-mounted with nosuid, this prevents any set-UID helper from running~
Ubuntu’s default AppArmor policy also disallows unprivileged user namespaces
so now as mentioned the AppImage can use neither the kernel userns nor the setuid sandbox. In short, on Ubuntu 23.++ an electron AppImage is trapped: it's chrome-sandbox can’t be made set-UID on the FUSE mount, and userns is blocked (unless you add a custom AppArmor profile to allow it as mentioned in the blog based on askubuntu.com).
By contrast, the .tar.gz release is simply unpacked onto a normal filesystem (e.g. /opt/void). This means its chrome-sandbox binary is on an ordinary ext4 (or similar) partition, not under a FUSE nosuid mount. A packager or user can then run:
sudo chown root:root /opt/void/chrome-sandbox
sudo chmod 4755 /opt/void/chrome-sandbox
– granting it the correct owner and set-UID bit. Once the helper is root-owned, and correct permissions are set the Chromium sandbox should run as intended. Because the tar.gz's files aren’t subject to AppImage/AppArmor quirks and stuff, the sandbox must work normally after this fix
and ofc (No special AppArmor profile is needed for the tar install, unlike the AppImage case)
Hi, Just following up here, we've now moved to using the web version of the app for Linux. Instructions here: https://transformerlab.ai/docs/install/install-on-linux Once you have api running you can just go to localhost:8338 in your browser and everything should run!
