New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Flatpak app inside Docker fails with: Could not connect: No such file or directory #5076
Comments
Running one container technology (like Flatpak) inside another container technology (like Docker) is generally problematic. Please describe exactly what you are doing, in terms of the precise Docker and Flatpak commands to get from a normal shell environment to the failing Flatpak command? It would probably be useful to try to reproduce this with a very simple, known-good Flatpak command like:
The successful result is that you get a shell in the container with a distinctive prompt like If that works, please start adding When you have reached a minimal failing command, please try running it as |
Also please try to put a title on issue reports so that there's some context. |
hi, thanks, this is really high quality advice/help. this is my minimal docker file which reproduces the error (note that no
sorry! my attention was captured by the big form to fill in, and i didn't notice the title at the top! with thanks |
I have the same issue with flatpak 1.14.0. The reason having it into a docker is, because in my case it runs in a CI to check the appdata file: |
Same thing here, I want to validate a metainfo XML in CI. Steps to reproduce:
This will result in:
Maybe the problem is that the dbus daemon is not started inside the Docker container (since it doesn't use an init system)? If yes, how could dbus be started in a way that flatpak is happy? |
@dbrgn I found a workaround for it: I used directly the appstream-util tool apt install --yes appstream-util |
For the record, this has also impacted the KDE project which builds a custom Docker image to assist with providing a Flatpak CI on our side. While installing many of the dependent Flatpak components we need works fine, io.qt.qtwebengine.BaseApp for some reason needs to connect to D-Bus as part of the installation process, which leads to us hitting this error. It would be nice if the Flatpak devs could eliminate calls out to the System Bus when the application in question isn't even being run - or at the very least make it clear why it is failing and not require the utilisation of strace to debug the issue. |
FWIW we work around this in our CI via:
(I did not write this, but it's a pretty short-and-sweet workaround.) IIRC this is due to the parental controls checks? |
Reading Line 8460 in be2de97
FLATPAK_SYSTEM_HELPER_ON_SESSION=foo in our Dockerfile and got a build passing: https://invent.kde.org/sysadmin/ci-images/-/merge_requests/99.
This looks like a parental check bypass but not sure. |
The parental controls stuff via libmalcontent is explicitly not a security boundary, either in Flatpak or in libmalcontent more generally: if a child who is subject to parental controls can run arbitrary code (as in arbitrary Unix shell commands), then it shouldn't come as a surprise to find that they can run arbitrary code (as in Flatpak apps they weren't meant to). After all, a sufficiently technically-proficient child with access to a command-line could compile their own copy of Perhaps a reasonable strategy would be to do some |
The test makes sense. We were also wary of enabling libmalcontent at all in freedesktop-sdk build of flatpak due to fear of complications. |
I mentioned this over here, but I think it might make sense to fail open all the time since you can just set However, I think if you wanted the more restrictive check like above, you could:
|
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076
I marked #5609 as fixing this issue, but that only affects running apps. If that approach is deemed acceptable, I can change the install path to do that too (basically in place of the |
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: #5076
Sorry, as mentioned above, I think this should be reopened since I only handled the run process and not the install process that kicked this all off. Now that you merged my simple change, I'm happy to adapt it to be done during install, too. |
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076 (cherry picked from commit 3afdfd2)
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076 (cherry picked from commit 3afdfd2)
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076 (cherry picked from commit 3afdfd2)
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076 (cherry picked from commit 3afdfd2)
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076
Checklist
Flatpak version
1.12.7
What Linux distribution are you using?
Ubuntu
Linux distribution version
22.04
What architecture are you using?
x86_64
How to reproduce
running the flatpak app
org.jamovi.jamovi
inside a docker container (either at build, or runtime) produces the error:Could not connect: No such file or directory
. i am the maintainer oforg.jamovi.jamovi
, and don't think the error is related to jamovi itself. the jamovi executable is defined here and i don't think it is ever called.any idea what might be going on here?
Expected Behavior
jamovi will start
Actual Behavior
Could not connect: No such file or directory
Additional Information
is it perhaps related to the finish args? (tbh, i'm not sure which of these are necessary).
oh, i should add, jamovi is an electron application, which i appreciate won't run properly in a docker container (:P), however it has some command line tools which i'm trying to use here ...
The text was updated successfully, but these errors were encountered: