Tangram won't work properly due to bwrap issues

[akiross]

Describe the bug

After starting a nix shell with Tangram, I'm able to run it, but it won't work properly: bwrap will error and no pages will be loaded. Please note that the application does start, but when an URL is inserted, an error is written on the console and it will not proceed loading the page; the canvas remains empty instead of loading a page. The error is the following:

bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory

Steps To Reproduce

Steps to reproduce the behavior:

1. nix shell nixpkgs#tangram
2. re.sonny.Tangram
3. in the address bar go to e.g. github.com
4. the error appears on the terminal log

Expected behavior

Pages are loaded, no bwrap error is printed.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Using flatpak, tangram works as expected.

Notify maintainers

@austinbutler

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.74, NixOS, 22.05 (Quokka), 22.05.20221020.44fc3cb`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.9.1`
 - channels(root): `"nixos-22.05"`
 - channels(akiross): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

I'm using flakes and this is the flake.lock for my nixos configuration, hoping it helps

$ cat /etc/nixos/flake.lock
{
  "nodes": {
    "nixos-hardware": {
      "locked": {
        "lastModified": 1665987993,
        "narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "0e6593630071440eb89cd97a52921497482b22c6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1666249138,
        "narHash": "sha256-CzK8NA8xEMKAhvHXB8UMODckcH97sZXm6lziKNWLv0M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "44fc3cb097324c9f9f93313dd3f103e78d722968",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-22.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

[austinbutler]

I should probably just mark Tangram as broken... My understanding is that it uses Epiphany, and Epiphany has been broken (at least for me) for some time. I get the same No such file or directory error when running Epiphany itself as you are reporting now. Does epiphany work for you @akiross?

[austinbutler]

See also #169201.

That's still unresolved for me on Linux 6.0.2, NixOS, 22.11 (Raccoon), 22.11pre418904.db25c4da285. @jtojnar do you know of any in-progress work to address this?

[akiross]

Ah, I wasn't aware of that! And yes, epiphany is broken for me as well.

[flintflump]

epiphany is broken for me, too. The bug seems to also affect evolution right now on nixos-unstable, since the message preview pane stopped working a few days ago. "WebKitWebProcess crashed" and journalctl logs the bwrap error message.

[iwanb]

It seems to be triggered by this change in webkitgtk (in 2.38.0): WebKit/WebKit@31ac354

which means, along with this nixos patch:

https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

bubblewrap gets called this way:

$ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true))
bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory

which does not work AFAIK because /run/current-system/sw is a symlink.

Not sure what would be the best fix, maybe the --ro-bind /run/current-system /run/current-system bind mount could be removed if all use cases are handled in webkit itself?

Or maybe we can patch this as well (which was added to fix similar problems: WebKit/WebKit@6a87eb2):
https://github.com/WebKit/WebKit/blob/wpewebkit-2.38.2/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp#L199

Changing the condition to this would do the trick I think:

   if (!g_str_has_prefix(path, "/etc/") && !g_str_has_prefix(path, "/run/current-system/"))
        args.appendVector(Vector<CString>({ bindType, path, path }));

@jtojnar

[jtojnar]

@iwanb thanks for the investigation. Unfortunately, 84fb39e does not really say why it was introduced so it is hard to tell if all use cases are handled. In addition to the fonts, I am aware of Pipewire Jack module in /run/current-system/sw/lib.

Maybe the simplest work around would be moving the /run/current-system bind after the XDG_DATA_DIRS one:

bwrap --ro-bind /nix/store /nix/store --ro-bind-try /run/current-system/sw/share/X11/fonts /run/current-system/sw/share/X11/fonts --ro-bind /run/current-system /run/current-system -- $(readlink $(which ls)) -l /run/current-system/

I would say this is really an issue with WebKitGTK – the same issue will likely happen on other systems if they use a symlink e.g. for /usr/share.

https://github.com/WebKit/WebKit/blob/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp#L662

Edit: Looks like there is also an open issue for bubblewrap containers/bubblewrap#390

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/webkitgtk-evolution-and-bubblewrap/23242/1

[jtojnar]

I have opened #201219, testing would be appreciated.