VMware vSphere

  • 1.  vCenter VCSA UI installer won't launch for some Linux desktop users

    Posted 9 days ago
    Edited by Steven Maddox 9 days ago

    Lo,

    I fully expect Broadcom won't fix this... and it seems unlikely I'll be able to convince the VMware Premier partner (that we take white labelled VCSP licenses from at my workplace) that I work with to take this seriously enough to pass this on to Broadcom.

    BUT!  For any Linux desktop users that use the UI installer for vCenter (where you mount the VCSA ISO file first, e.g. using your file manager) and then browse to a directory like this...

    /media/user/VMware VCSA/vcsa-ui-installer/lin64/

    And found that double clicking either... 'installer', 'installer-linux.desktop', or 'installer-linux' (which is the same file as 'installer-linux.desktop') seems to do ABSOLUTELY NOTHING :)

    Then try running it in a terminal and see if you get a similar error to this...

    user@mypc:/media/username/VMware VCSA/vcsa-ui-installer/lin64$ ./installer
    [533320:1124/152431.357823:FATAL:sandbox/linux/suid/client/setuid_sandbox_host.cc:169] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /media/stevenm/VMware VCSA/vcsa-ui-installer/lin64/chrome-sandbox is owned by root and has mode 4755.
    Trace/breakpoint trap (core dumped)

    If you do... then your distro (e.g. Ubuntu 24.04, likely others too) is enforcing AppArmor and many Electron apps (like this one) don't have a special profile to allow it to work.

    You COULD (but probably shouldn't... keep reading why not)...

    1. Write a simple AppArmor profile and save it as /etc/apparmor.d/vcsa-ui-installer.  The easiest way to do this would be to duplicate an existing profile (from that same directory) meant for another Electron-based app (like Discord, element-desktop, signal-desktop, etc...) but replace mentions of those with vcsa-ui-installer within the file.  However the path would have to be something like this "/media/{,*/}VMware VCSA/vcsa-ui-installer/lin64/installer" (including the quotes).
    2. Run sudo apparmor_parser -r /etc/apparmor.d/vcsa-ui-installer 
    3. Then you should find you can double click it like normal and it'll work

    But you shouldn't... since anyone (who uses that desktop computer) could mount a volume called 'VMware VCSA' (which doesn't have to be that ISO file) and put any old binary at that same location :P

    So the REAL issue... is that the 'installer-linux.desktop' file (which is just a text file)... has this particular line...

    Exec=sh -e -c "exec \\"\\$(dirname \\"\\$0\\")/installer\\"" %k

    If it said this then everything would work fine...

    Exec=sh -e -c "exec \\"\\$(dirname \\"\\$0\\")/installer\\" --no-sandbox" %k

    But since this is a mounted ISO you can't edit it :P  But the solution is here if anyone at Broadcom who cares about Linux might want to fix it for future ISO files.

    In the meantime... anyone needing a workaround should just get to a terminal, change to that directory and run it like this...

    user@mypc:~$
    user@mypc:~$ cd "/media/user/VMware VCSA/vcsa-ui-installer/lin64"
    user@mypc:/media/user/VMware VCSA/vcsa-ui-installer/lin64$ ./installer --no-sandbox



    -------------------------------------------



  • 2.  RE: vCenter VCSA UI installer won't launch for some Linux desktop users

    Posted 2 days ago

    I've hit the same issue on a couple of Linux desktops and what you've described is exactly what's happening: recent distros enforce AppArmor and the Electron sandbox refuses to start when the installer is launched from a mounted ISO. Nothing appears on screen, no logs, no crash dialog. It just silently dies because the bundled Chrome-sandbox binary can't run.

    The simplest and most reliable workaround I've found is the same you mentioned: open a terminal inside the lin64 folder and run the installer manually with the sandbox disabled. That avoids the sandbox check entirely and the UI launches without problems. For me the command below works consistently on Ubuntu 24.04 and Fedora:

    ./installer --no-sandbox

    There's no functional difference once the UI starts; the installer behaves normally and deploys the VCSA without further errors. I agree that editing the desktop file or creating an AppArmor profile isn't really worth it, especially when the ISO gets mounted read-only and the path changes every time depending on the system's automount rules.

    Given that this impacts most modern Electron apps under strict AppArmor policies, the root cause is clear enough and reproducible. At this point it probably needs to be addressed upstream by Broadcom so the launcher calls the binary with the correct flags or bundles a sandbox helper that passes the capability checks.

    Until they fix it, launching from terminal with --no-sandbox is the only method that works reliably.

    -------------------------------------------
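
The conditions this thread touches on (the helper's owner and mode from the FATAL message, the mount options of the ISO, and the AppArmor restriction) can be checked in one script. This is an added example, not part of either post or of VMware's installer. The function names are illustrative, and the `kernel.apparmor_restrict_unprivileged_userns` sysctl is not named in the thread: it is assumed here to be the Ubuntu setting behind the AppArmor enforcement described.

```shell
#!/usr/bin/env bash
# Added example: report which launch preconditions discussed in this thread
# fail for a given lin64 directory. Function names are illustrative.

# True only if FILE meets the condition quoted in the FATAL message:
# owned by root (uid 0) and mode exactly 4755.
helper_mode_ok() {
    local meta
    meta=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    [ "$meta" = "0 4755" ]
}

# True if a comma-separated mount option list contains nosuid, which makes
# the kernel ignore the setuid bit even when the mode is 4755.
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the AppArmor restriction on unprivileged user namespaces is on.
# Assumption: Ubuntu's sysctl; where the file is absent it counts as off.
userns_restricted() {
    local f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

diagnose() {
    local dir=$1 opts=""
    if helper_mode_ok "$dir/chrome-sandbox"; then
        echo "chrome-sandbox: root-owned, mode 4755"
    else
        echo "chrome-sandbox: NOT root-owned with mode 4755"
    fi
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -no OPTIONS -T "$dir" 2>/dev/null) || opts=""
    fi
    if opts_have_nosuid "$opts"; then
        echo "mount: nosuid set, a setuid helper cannot work from here"
    fi
    if userns_restricted; then
        echo "apparmor: unprivileged user namespaces restricted"
    fi
}

# Run only when a directory is passed, e.g. the lin64 path from the thread.
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

Saved under a name of your choosing, it takes the lin64 directory as its only argument and changes nothing on the system.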