Application does not run on Ubuntu 24

[nikku]

Describe the bug

I try to run the latest Camunda Modeler distribution from the command line on Ubuntu 24.04, and get the error below:

$ ./camunda-modeler
[46193:1114/170934.837319:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that [...]/camunda-modeler-5.29.0-linux-x64/chrome-sandbox is owned by root and has mode 4755.
zsh: trace trap (core dumped)  ./camunda-modeler

Steps to reproduce

1. download recent modeler (Linux)
2. run the executable (in any way, i.e. via double click or commandline)
3. see it does not start

Expected behavior

I can start the app on Ubuntu 24+.

Environment

• OS: Ubuntu 24.04
• Camunda Modeler Version: v5.29.0
• Execution Platform: Any
• Installed plug-ins: None

Additional context

This happens because modern Linux distributions (Ubuntu 23+, Debian 12+) enforce restrictions on unprivilaged user namespaces, a feature that Electron (and thus Camunda Modeler) uses as a security measurement.

We recommend you to create an AppArmor profile to allow the app to use the user namespaces feature. Alternative resolutions including a non-root option exist.

---

More details can be found in the upstream issue.

[nikku]

Upstream electron issue: electron/electron#42510

[nikku]

Resolution options:

• Users need to manually adjust their config post download, i.e. do this:

  You need to make sure that [.]/chrome-sandbox is owned by root and has mode 4755.
  

• Users need to create an apparmor profile (Application does not run on Ubuntu 24 #4695 (comment))
• We provide an installer that does the change automatically
• We spin up the application with --no-sandbox (Need a way to run with --no-sandbox by default electron/electron#18265 (comment)), with recent electron versions you must explicitly wrap the application binary to inject the argument (Application does not run on Ubuntu 24 #4695 (comment)), appending the switch within the app no longer works.

[nikku]

Another creative fix by the creators of Jitsi Meet - jitsi/jitsi-meet-electron@4cc851d#diff-423e46c9c92d87429736867be8c57c7e2daa8467b9f1940223a80927b401391aR5. They do take the route to start the application with --no-sandbox.

[nikku]

Give the electron exectutable (used during local development) access to the userns sandboxing feature, through an AppArmor profile:

1. Create an apparmor profile, i.e. in /etc/apparmor.d/electron:

   abi <abi/4.0>,
   include <tunables/global>
   
   profile electron /@{HOME}/**/node_modules/electron/dist/electron flags=(unconfined) {
     userns,
   
     include if exists <local/electron>
   }
   

2. Reload the apparmor service:

   sudo systemctl reload apparmor.service
   

[nikku]

Give the camunda-modeler executable permissions to the userns sandboxing feature, through an AppArmor profile:

1. Create an apparmor profile, i.e. in /etc/apparmor.d/camunda-modeler:

   abi <abi/4.0>,
   include <tunables/global>
   
   profile camunda-modeler /@{HOME}/path-to-camunda-modeler-executable flags=(unconfined) {
     userns,
   
     include if exists <local/camunda-modeler>
   }
   

2. Ensure you replaced /@{HOME}/path-to-camunda-modeler-executable with the actual path to the Camunda Modeler executable.

3. Reload the apparmor service:

   sudo systemctl reload apparmor.service
   

---

Turn to other resolution options if you don't have the necessary permissions to create such profile on your machine.

[nikku]

I propose that we follow the documentation route, backed by this: #4695 (comment).

[nikku]

Resolutions

Sandboxing is a security concern used by the modeler, and restrictions to it enforced by modern Linux distributions, including Ubuntu 24, require you, the user, to get active.

To address this issue, you have to either allow the modeler to use sandboxing or disable the sandbox all together (not recommended).

Create AppArmor profile (recommended)

Tip

This change will persist across modeler updates, but requires root permissions to execute.

Add an apparmor profile to allow userns usage for the camunda-modeler executable (#4695 (comment)).

Fix permissions of chrome-sandbox

Note

This change will NOT persist across modeler updates, and requires root permissions to execute.

The alternative is that you change the permissions of the chrome-sandbox, shipped with the Desktop Modeler distribution:

cd camunda-modeler
sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox

Dangerous workaround

Caution

This disables built-in security mechanisms, use at your own risk. Non-root option.

Start the modeler via the --no-sandbox flag, i.e. from the command line:

path-to-modeler/camunda-modeler --no-sandbox

[nikku]

Linked to troubleshooting guide via camunda/camunda-docs#4607.

[nikku]

Solved through additional documentation via camunda/camunda-docs#4607.