In-place release upgrade to Whonix 17.2.3.7 seems to have broken my flatpaks

Support
1

Whonix workstation- virtualbox version

I upgraded my packages via the software manager. There were a lot of packages to install. I assume that was due to the Whonix 17.2.3.7 upgrade.

When I restarted Whonix later, I discovered that my flatpaks were not working. I do not have many, but I have Freetube and Flatseal.

For Freetube, I was not able to run the program either normally or with root permissions. For Flatseal, I was not able to run the program normally, but I was able to run Flatseal as the root user.

Freetube terminal output-

Type: "whonix" <enter> for help.
user@host:~$ flatpak run io.freetubeapp.FreeTube
bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.
error: Failed to sync with dbus proxy
user@host:~$ sudo flatpak run io.freetubeapp.FreeTube
[sudo] password for user:                                                             
error: "flatpak run" is not intended to be run as `sudo flatpak run`. Use `sudo -i` or `su -l` instead and invoke "flatpak run" from inside the new shell.
user@host:~$ sudo -i
root@host:~# flatpak run io.freetubeapp.FreeTube
[2 zypak-helper] Failed to connect to session bus: [org.freedesktop.DBus.Error.Spawn.ExecFailed] /usr/bin/dbus-launch terminated abnormally without any error message
[2 zypak-helper] src/helper/main.cc:42(DetermineZygoteStrategy): Assertion failed: bus
root@host:~#

Flatseal terminal output-

Type: "whonix" <enter> for help.
user@host:~$ flatpak run com.github.tchx84.Flatseal
bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.
error: ldconfig failed, exit status 256
user@host:~$ sudo -i
[sudo] password for user:                                                             
root@host:~# flatpak run com.github.tchx84.Flatseal
libEGL warning: DRI3: Screen seems not DRI3 capable
libEGL warning: DRI2: failed to authenticate
libEGL warning: DRI3: Screen seems not DRI3 capable
MESA: error: ZINK: failed to choose pdev
libEGL warning: egl: failed to create dri2 screen
root@host:~#

Please let me know what I need to do to fix the problem.

Also, should I install some sort of backup software like Timeshift (Guide to Backup and Restore Linux Systems with Timeshift) in order to avoid issues like this in the future? That way, if an update breaks my system, I can go back to the previous configuration. Or is there another way that I should be doing this within Whonix?

Thank you for your help.

2

For now, I have found a workaround. I installed the appimage of FreeTube instead of the Flatpak. I can run it with


./freetube_0.21.3_amd64.AppImage --no-sandbox

And I can look up my settings from the flatpak version in /home/user/.var/app/io.freetubeapp.FreeTube

So for now things are okay. Do you recommend making timeshift backups in the future, in order to prevent something like this from breaking my stuff?

3

Not sure yet what we will do about this.

Some references:

//cc @raja

Doesn’t work → try sudo is a bad idea. See: Inappropriate Use of Root Rights

4

as a workaround, add flathub repo with --user and install whatever software with --user as well, this will not have conflict/interact with privileges.

5

Thank you for your help. The references are very informative.

Installing FreeTube as user instead of system does not appear to work either.

user@host:~$ flatpak install io.freetubeapp.FreeTube
Looking for matches…
Remotes found with refs similar to ‘io.freetubeapp.FreeTube’:

   1) ‘flathub’ (system)
   2) ‘flathub’ (user)

Which do you want to use (0 to abort)? [0-2]: 2
Required runtime for io.freetubeapp.FreeTube/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/23.08) found in remote flathub
Do you want to install it? [Y/n]: y

io.freetubeapp.FreeTube permissions:
    ipc                   network               pulseaudio              x11       dri
    file access [1]       dbus access [2]       bus ownership [3]

    [1] xdg-download
    [2] org.freedesktop.PowerManagement, org.freedesktop.ScreenSaver, org.gnome.SessionManager,
        org.gnome.SettingsDaemon
    [3] org.mpris.MediaPlayer2.chromium.*, org.mpris.MediaPlayer2.freetube


        ID                                      Branch          Op     Remote      Download
 1. [✓] org.freedesktop.Platform.GL.default     23.08           i      flathub       163.6 MB / 163.8 MB
 2. [✓] org.freedesktop.Platform.GL.default     23.08-extra     i      flathub        22.6 MB / 163.8 MB
        ID                                      Branch          Op     Remote      Download
 1. [✓] org.freedesktop.Platform.GL.default     23.08           i      flathub     163.6 MB / 163.8 MB
 2. [✓] org.freedesktop.Platform.GL.default     23.08-extra     i      flathub      22.6 MB / 163.8 MB
 3. [✓] org.freedesktop.Platform.Locale         23.08           i      flathub     198.5 MB / 371.6 MB
 4. [✗] org.freedesktop.Platform.openh264       2.2.0           i      flathub       1.2 MB / 944.3 kB
 5. [✓] org.gtk.Gtk3theme.Arc-Dark              3.22            i      flathub     112.3 kB / 108.8 kB
 6. [✓] org.freedesktop.Platform                23.08           i      flathub     212.7 MB / 230.9 MB
        ID                                      Branch          Op     Remote      Download
 1. [✓] org.freedesktop.Platform.GL.default     23.08           i      flathub     163.6 MB / 163.8 MB
 2. [✓] org.freedesktop.Platform.GL.default     23.08-extra     i      flathub      22.6 MB / 163.8 MB
 3. [✓] org.freedesktop.Platform.Locale         23.08           i      flathub     198.5 MB / 371.6 MB
 4. [✗] org.freedesktop.Platform.openh264       2.2.0           i      flathub       1.2 MB / 944.3 kB
 5. [✓] org.gtk.Gtk3theme.Arc-Dark              3.22            i      flathub     112.3 kB / 108.8 kB
 6. [✓] org.freedesktop.Platform                23.08           i      flathub     212.7 MB / 230.9 MB
 7. [✓] io.freetubeapp.FreeTube                 stable          i      flathub     119.1 MB / 114.8 MB

Warning: While trying to apply extra data: apply_extra script failed, exit status 256
Installation complete.
user@host:~$ flatpak install io.freetubeapp.FreeTube
Looking for matches…
Remotes found with refs similar to ‘io.freetubeapp.FreeTube’:

   1) ‘flathub’ (system)
   2) ‘flathub’ (user)

Which do you want to use (0 to abort)? [0-2]: 2
Skipping: io.freetubeapp.FreeTube/x86_64/stable is already installed
user@host:~$ flatpak install org.freedesktop.Platform.openh264
Looking for matches…
Remotes found with refs similar to ‘org.freedesktop.Platform.openh264’:

   1) ‘flathub’ (system)
   2) ‘flathub’ (user)

Which do you want to use (0 to abort)? [0-2]: 2
Similar refs found for ‘org.freedesktop.Platform.openh264’ in remote ‘flathub’ (user):

   1) runtime/org.freedesktop.Platform.openh264/x86_64/2.2.0
   2) runtime/org.freedesktop.Platform.openh264/x86_64/2.0
   3) runtime/org.freedesktop.Platform.openh264/x86_64/19.08
   4) runtime/org.freedesktop.Platform.openh264/x86_64/2.4.1
   5) runtime/org.freedesktop.Platform.openh264/x86_64/2.3.0
   6) runtime/org.freedesktop.Platform.openh264/x86_64/2.3.1

Which do you want to use (0 to abort)? [0-6]: 1


        ID                                      Branch       Op       Remote       Download
 1. [/] org.freedesktop.Platform.openh264       2.2.0        i        flathub      614.6 kB / 944.3 kB

        ID                                      Branch       Op       Remote       Download
 1. [✗] org.freedesktop.Platform.openh264       2.2.0        i        flathub      614.6 kB / 944.3 kB

Error: While trying to apply extra data: apply_extra script failed, exit status 256
error: Failed to install org.freedesktop.Platform.openh264: While trying to apply extra data: apply_extra script failed, exit status 256
user@host:~$ flatpak run io.freetubeapp.FreeTube
bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.
error: ldconfig failed, exit status 256
user@host:~$ flatpak --user run io.freetubeapp.FreeTube
bwrap: No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.
error: ldconfig failed, exit status 256
user@host:~$ flatpak list
Name               Application ID                     Version                  Branch      Installation
FreeTube           io.freetubeapp.FreeTube            0.21.3 Beta              stable      user
Freedesktop Platf… org.freedesktop.Platform           freedesktop-sdk-23.08.23 23.08       user
Mesa               …g.freedesktop.Platform.GL.default 24.2.3                   23.08       user
Mesa (Extra)       …g.freedesktop.Platform.GL.default 24.2.3                   23.08-extra user
Arc-Dark Gtk theme org.gtk.Gtk3theme.Arc-Dark                                  3.22        user
user@host:~$

Of course, if flatpaks are incompatible with the hardening that you do to the system, you do not have to support them if you do not want to. There are other methods of software distribution.

Thank you for all the work that you do.

6

The behavior confirmed on fresh kicksecure install.

Thank you for the report :rose:

7

Try the same as mentioned in this very forum post: Can not run flatpak apps after Kicksecure update - #7 by Patrick - Support - Kicksecure Forums

This has nothing to do with --user or not most likely.

8

A workaround has been tested :

9

Kicksecure issue.

(Whonix is based on Kicksecure.)

Follow along here:

Closing to avoid duplication.