ralismark / nix-appimage
Convert a nixos derivation into a self-contained binary
License: MIT License
My native unshare works:
$ unshare -U echo hi
hi
$ echo $?
0
But the AppImage doesn't:
$ ./bundle util-linux /bin/unshare
$ ./unshare-x86_64.AppImage -U echo hi
unshare-x86_64.AppImage: unshare failed: Operation not permitted
$ echo $?
1
I believe this is the reason Steam, Chromium, and Electron apps don't work:
$ ./steam-x86_64.AppImage
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.
$ ./ungoogled-chromium-122.0.6261.69-x86_64.AppImage
[52161:52161:0226/172919.336302:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/zamhhinmqjvvxj1ipfijvrpqs85q3rc0-ungoogled-chromium-122.0.6261.69-sandbox/bin/__chromium-suid-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)
$ ./bitwarden-2024.2.0-x86_64.AppImage
[60941:0226/173049.236563:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/9zw7gk36f07lnn6y60ksd2s063q46ri1-electron-28.2.2/libexec/electron/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)
This article suggests that this is not a fundamental limitation of the AppImage format; assuming unprivileged user namespaces are enabled in the kernel, Electron AppImages can be run without disabling their sandbox.
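A diagnostic for the "Operation not permitted" result reported above, as an added example that is not part of the issue or of nix-appimage. It checks the sysctl named in the bwrap message, the mainline `user.max_user_namespaces` limit, and (as an assumption about what may differ inside the bundle, not a confirmed cause) the condition documented in unshare(2) that `CLONE_NEWUSER` fails with EPERM when the caller is in a chroot. The function name and the proc-root parameter are hypothetical.

```shell
#!/bin/sh
# Added example: list conditions under which creating a user namespace
# (unshare -U) is refused. The proc root is a parameter so the same checks
# can be run against a constructed directory tree.

# Prints one finding per line; returns 0 if no blocker was found, 1 otherwise.
userns_diagnose() {
    proc=${1:-/proc}
    blockers=0

    # Debian/Ubuntu-patched kernels: 0 disables unprivileged user namespaces.
    f=$proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
        blockers=$((blockers + 1))
    fi

    # Mainline limit: 0 means no user namespace may be created at all.
    f=$proc/sys/user/max_user_namespaces
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "blocked: user.max_user_namespaces=0"
        blockers=$((blockers + 1))
    fi

    # unshare(2): CLONE_NEWUSER returns EPERM when the caller is chrooted.
    # Heuristic only: field 5 of mountinfo is the mount point as seen from
    # the process root, so a missing "/" entry means the root directory is
    # not a mount point. A chroot into a mount point is not detected.
    f=$proc/self/mountinfo
    if [ -r "$f" ] && ! awk '$5 == "/" { found = 1 } END { exit !found }' "$f"; then
        echo "blocked: process root is not a mount point (chroot-like)"
        blockers=$((blockers + 1))
    fi

    [ "$blockers" -eq 0 ] && echo "no blocker found"
    [ "$blockers" -eq 0 ]
}
```

Calling `userns_diagnose` with no argument reads the live /proc; comparing its output on the host with its output from a shell started inside the bundle shows which condition, if any, differs.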
This looks very promising. Have been looking for ages for a solution for generating working AppImage applications for OpenGL applications. nix-bundle has issues with it; all attempts to find a workaround (documented in that thread and related PRs) have failed for me.
This project, due to its ability to not bring glibc, looks promising. However since it doesn't include a desktop file, maybe it is not intended to fix the OpenGL issue? Is this supported or part of the road-map?
This is not a problem but I wanted to say that you had a great idea.
Right now I have some time and connection restrictions but if I can I would like to be able to try your script.
I am a fan of live minimal distros with portable packages (like alpine or tinycore) however it would be great to be able to build the distro packages from the nix repository.
How would I go about bundling a derivation that I've written? I've tried the obvious nix bundle --bundler github:ralismark/nix-appimage -f default.nix, but that doesn't seem to work.
Hello, I used nix-appimage in the past and it was a joy! However I'm now failing when trying to build a weasyprint appimage. Here's the output:
$ nix bundle --bundler github:ralismark/nix-appimage nixpkgs#python311Packages.weasyprint
error:
… while calling the 'derivationStrict' builtin
at //builtin/derivation.nix:9:12: (source not available)
… while evaluating derivation 'python3.11-weasyprint-59.0-x86_64.AppImage'
whose name attribute is located at /nix/store/d5c6h5p16jg2rna7db5y4s3y19dmwvx6-source/pkgs/stdenv/generic/make-derivation.nix:278:7
… while evaluating attribute 'buildCommand' of derivation 'python3.11-weasyprint-59.0-x86_64.AppImage'
at /nix/store/d5c6h5p16jg2rna7db5y4s3y19dmwvx6-source/pkgs/build-support/trivial-builders.nix:73:14:
72| stdenv.mkDerivation ({
73| inherit buildCommand name;
| ^
74| passAsFile = [ "buildCommand" ]
error: main program /nix/store/1z9djg8r09lfpri1mlzf2cbqi8hsmr19-python3.11-weasyprint-59.0/bin/python3.11-weasyprint does not exist
I guess it's because the executable is called weasyprint and not python3.11-weasyprint. I think it's related to #3. Alternatively, is there something to fix on the package itself to make that possible?
EDIT: Manually creating a symlink in the nix store (yes that's evil!) made it work. I'll use that workaround for the moment but it's not elegant ;)
Thoughts on making this available in the default bundlers repo? I'm looking to improve the quality and availability of bundlers that can be easily discovered.
If running normally, it isn't able to check reliably if the binary entry point from meta.mainProgram exists because of sandbox I guess.
How to reproduce:
nix bundle --bundler github:ralismark/nix-appimage github:lucasew/nixcfg#pkgs.wineApps.wine7zip # error: main program /nix/store/rdqaabzrxja4ib8nimxrwjn7zx65aj5d-7zip/bin/7zip does not exist
nix bundle --bundler github:ralismark/nix-appimage github:lucasew/nixcfg#pkgs.wineApps.wine7zip --impure # * works *
See #2. Ideally something like ./nix-bundle.sh from https://github.com/matthewbauer/nix-bundle/