[GH-ISSUE #3023] AppImage doesn't seem to work (ImageMagick) #1895

Closed
opened 2026-05-05 08:33:52 -06:00 by gitea-mirror · 5 comments

Originally created by @kravietz on GitHub (Nov 1, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3023

Just trying to run the latest version of ImageMagick which comes as AppImage:

```
$ firejail --appimage --noprofile ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
Mounting appimage type 2
Parent pid 32076, child pid 32079

**     Warning: dropping all Linux capabilities     **
Child process initialized in 30.31 ms
/run/firejail/appimage/.appimage-32076/AppRun: line 25: /run/firejail/appimage/.appimage-32076/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-32076/AppRun: line 25: exec: /run/firejail/appimage/.appimage-32076/usr/bin/: cannot execute: Is a directory

Parent is shutting down, bye...
AppImage unmounted
```

@rusty-snake commented on GitHub (Nov 1, 2019):

It should work with

```
firejail --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
```

Can you confirm?


@kravietz commented on GitHub (Nov 1, 2019):

@rusty-snake I can't see any difference in your command line as compared to mine - apart from the order of options? In any case, with your command line I get the same result unfortunately.

```
$ firejail --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
Mounting appimage type 2
Parent pid 5511, child pid 5514

**     Warning: dropping all Linux capabilities     **
Child process initialized in 126.15 ms
/run/firejail/appimage/.appimage-5511/AppRun: line 25: /run/firejail/appimage/.appimage-5511/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-5511/AppRun: line 25: exec: /run/firejail/appimage/.appimage-5511/usr/bin/: cannot execute: Is a directory

Parent is shutting down, bye...
AppImage unmounted
```

With debug:

```
$ firejail --debug --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
Autoselecting /bin/bash as shell
Configuring appimage environment
AppImage ELF size 188392
Mounting appimage type 2
appimage mounted on /run/firejail/appimage/.appimage-5900
Building AppImage command line: /run/firejail/appimage/.appimage-5900/AppRun
AppImage quoted command line: '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png'
Command name #./ImageMagick-a481ea5-clang-x86_64.AppImage#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 5900, child pid 5903
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-LWVkcNJV,guid=c4c2b12742419542177af0e85dbaf68f
IBUS_DAEMON_PID=3130

**     Warning: dropping all Linux capabilities     **
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
6278 6253 0:101 /pulse /home/kravietz/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=6278 fsname=/pulse dir=/home/kravietz/.config/pulse fstype=tmpfs
Current directory: /home/kravietz/Downloads
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
Running '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png'
Child process initialized in 104.53 ms
monitoring pid 2

/run/firejail/appimage/.appimage-5900/AppRun: line 25: /run/firejail/appimage/.appimage-5900/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-5900/AppRun: line 25: exec: /run/firejail/appimage/.appimage-5900/usr/bin/: cannot execute: Is a directory
Sandbox monitor: waitpid 2 retval 2 status 32256

Parent is shutting down, bye...
AppImage unmounted
```

@rusty-snake commented on GitHub (Nov 1, 2019):

I found a work around: add `--rmenv=APPIMAGE`.

---

AppRun:

```bash
#!/bin/bash

# The purpose of this custom AppRun script is
# to allow symlinking the AppImage and invoking
# the corresponding binary depending on which
# symlink was used to invoke the AppImage

HERE="$(dirname "$(readlink -f "${0}")")"

export MAGICK_HOME="$HERE/usr:$MAGICK_HOME" # https://imagemagick.org/QuickStart.txt
export MAGICK_CONFIGURE_PATH=$(readlink -f "$HERE/usr/lib/ImageMagick-7.0.7/config-Q16"):$(readlink -f "$HERE/usr/lib/ImageMagick-7.0.7/config-Q16HDRI"):$(readlink -f "$HERE/usr/share/ImageMagick-7"):$(readlink -f "$HERE/usr/etc/ImageMagick-7"):$MAGICK_CONFIGURE_PATH #Wildcards don't work

export LD_LIBRARY_PATH=$(readlink -f "$HERE/usr/lib"):$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${HERE}/usr/lib/ImageMagick-7.0.7/modules-Q16HDRI/coders:$LD_LIBRARY_PATH

if [ "$1" == "man" ] ; then
  export MANPATH="$HERE/usr/share/man:$MANPATH" ; exec "$@" ; exit $?
elif [ "$1" == "info" ] ; then
  export INFOPATH="$HERE/usr/share/info:$INFOPATH" ; exec "$@" ; exit $?
fi

if [ ! -z $APPIMAGE ] ; then
  BINARY_NAME=$(basename "$ARGV0")
  if [ -e "$HERE/usr/bin/$BINARY_NAME" ] ; then
    exec "$HERE/usr/bin/$BINARY_NAME" "$@"
  else
    exec "$HERE/usr/bin/magick" "$@"
  fi
else
  exec "$HERE/usr/bin/magick" "$@"
fi
```
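
Why the workaround takes effect, as an added example that is not part of the original thread or of the ImageMagick AppRun script: it models the script's final dispatch in a scratch directory and prints the path that would be exec'd. It assumes, based on the error output, that `APPIMAGE` is set inside the sandbox while `ARGV0` is empty; the function names, the fixture and the hardened variant are made up for illustration.

```shell
#!/bin/bash
# Added example: models AppRun's final dispatch; prints the path instead of exec'ing it.

# Constructed fixture standing in for the mounted AppImage tree.
make_fixture() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin"
  printf '#!/bin/sh\n' > "$d/usr/bin/magick"
  printf '#!/bin/sh\n' > "$d/usr/bin/identify"
  chmod +x "$d/usr/bin/magick" "$d/usr/bin/identify"
  echo "$d"
}

# Same tests as the quoted AppRun. Arguments: HERE, value of APPIMAGE, value of ARGV0.
apprun_target() {
  local here=$1 appimage=$2 argv0=$3 name
  if [ ! -z "$appimage" ]; then
    name=$(basename "$argv0")              # an empty ARGV0 gives an empty name
    if [ -e "$here/usr/bin/$name" ]; then  # -e is also true for the directory usr/bin/
      echo "$here/usr/bin/$name"
    else
      echo "$here/usr/bin/magick"
    fi
  else
    echo "$here/usr/bin/magick"
  fi
}

# Hypothetical hardened variant: require a non-empty name that is a regular, executable file.
apprun_target_hardened() {
  local here=$1 appimage=$2 argv0=$3 name=""
  if [ -n "$argv0" ]; then name=$(basename -- "$argv0"); fi
  if [ -n "$appimage" ] && [ -n "$name" ] &&
     [ -f "$here/usr/bin/$name" ] && [ -x "$here/usr/bin/$name" ]; then
    echo "$here/usr/bin/$name"
  else
    echo "$here/usr/bin/magick"
  fi
}

d=$(make_fixture)
echo "APPIMAGE set, ARGV0 empty:  $(apprun_target "$d" /tmp/x.AppImage "")"
echo "APPIMAGE removed (--rmenv): $(apprun_target "$d" "" "")"
echo "hardened, ARGV0 empty:      $(apprun_target_hardened "$d" /tmp/x.AppImage "")"
echo "hardened, ARGV0=./identify: $(apprun_target_hardened "$d" /tmp/x.AppImage ./identify)"
rm -rf "$d"
```

The first case yields the bare `usr/bin/` directory seen in the error messages; with `APPIMAGE` removed the script falls through to `usr/bin/magick`.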

@rusty-snake commented on GitHub (Nov 1, 2019):

> I can't see any difference in your command line as compared to mine - apart from the order of options?

`--appimage` should be the last firejail argument.

> Start an AppImage program:
>
>     firejail [OPTIONS] --appimage [appimage-file and arguments]
@kravietz commented on GitHub (Nov 12, 2019):

@rusty-snake Yeah, this solves the problem! Not sure if you want to close the ticket now, or improve on the firejail side but that's a working solution.
