cross-posted from: https://feddit.org/post/30198502
System:
Debian 13 KDE (actually MX Linux, but doesn't seem to matter)
Wayland (xwayland installed as well)
Docker 29.5.2

Dockerfile:

```dockerfile
FROM debian:trixie

ENV DEBIAN_FRONTEND=noninteractive
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8

# Set locale
RUN apt-get update && apt-get install -y --no-install-recommends \
    locales && \
    apt-get clean && \
    sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
    locale-gen

# Install Wayland-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
    dbus \
    libwayland-client0 \
    libwayland-egl1 && \
    apt-get clean

# Install X-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
    dbus-x11 && \
    apt-get clean

# Add contrib, default is only main
RUN sed -i 's/^Components:.*/Components: main contrib/g' /etc/apt/sources.list.d/debian.sources

# Add 32-bit arch for Steam libraries
RUN dpkg --add-architecture i386

# Install Steam
RUN apt-get update && apt-get install -y --no-install-recommends \
    steam-installer \
    pciutils && \
    apt-get clean

# Additional
# TODO: What is really needed?
RUN apt-get update && apt-get install -y --no-install-recommends \
    vulkan-tools \
    mesa-utils \
    x11-xserver-utils \
    libvulkan1 \
    mesa-vulkan-drivers && \
    apt-get clean

# TODO: Does `-storebeta` even work?
# https://developer.valvesoftware.com/wiki/Command_line_options_(Steam)
CMD ["/usr/games/steam", "-storebeta"]
```

To run the container:
```sh
xhost +
sudo docker run -it --name steam \
    -e XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR \
    -e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
    -v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY \
    -e DISPLAY=$DISPLAY \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    --privileged steam:trixie
```

(The `--privileged` part is only temporary until I find out which capabilities are actually needed. Please don't run your containers with `--privileged`.)

I get the GUI dialogs to download Steam just fine, so at least some display forwarding is working:
The installation works fine, but when starting Steam it seems like it’s not able to find Vulkan devices and then doesn’t open any Steam window. (The container is not stopping and I’m seeing repeated ./steamwebhelper output after this.)
```
[...]
Running query: 1 - GpuTopology
CVulkanTopology: failed create vulkan instance: -9
CVulkanTopology: failed to create vulkan instance
Failed to query vulkan gpu topology
Failed to query vulkan gpu topology
Response:
Exit code: -2
[...]
Vulkan missing requested extension 'VK_KHR_surface'.
Vulkan missing requested extension 'VK_KHR_xlib_surface'.
BInit - Unable to initialize Vulkan!
[...]
```

However, Vulkan is clearly working fine in the container, as this command displays the cube rendering just fine:

```
$ sudo docker exec -it steam vkcube
Selected WSI platform: xcb
Selected GPU 0: AMD Radeon RX 550 / 550 Series (RADV POLARIS12), type: DiscreteGpu
```

(I've also tried it on another (pure) Debian machine with a 2080Ti, but I've got the same issue.)
I’ve created other GUI containers in the past (Firefox for example) and didn’t have these problems.
Does anybody have an idea and can point me in the right direction?
Why are you doing this?
So proprietary software doesn’t have access to my filesystem. I am also restricting my Flathub usage to verified apps and Steam unfortunately isn’t one. And yesterday I learned Snaps don’t support strict confinement under Debian.
And you would rather use snaps than an unverified flatpak?

A strictly confined Snap by the original software authors? For sure. The available Snap on Snapcraft.io is by Canonical though, but that'd be fine as well, if I cannot get my own solution to work. I'm just a bit puzzled that apparmor on Debian apparently simply doesn't allow for strictly confined Snaps.
you’re not passing dri and render128 to docker, how is this supposed to work? as X client?
to anyone else looking for a bit better security wrt gaming, you can limit home folder exposure to wine with `winetricks sandbox` (eliminates links to anything but c: inside the prefix) and `firejail --net=none` as command prefix, to disable network access. the latter obv doesn't work with flatpak lutris/heroic/steam.

https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
The --privileged flag gives all capabilities to the container. When the operator executes docker run --privileged, Docker enables access to all devices on the host, and reconfigures AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.
A manual `--device /dev/dri` should not be necessary. I'll make sure to test it nevertheless.
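For the capabilities question above, here is an added example (not from any poster in this thread) of the same `docker run` line rebuilt without `--privileged`: GPU access comes from `/dev/dri` plus the host `render` group, and X access is granted to one local uid instead of `xhost +`, which switches X access control off entirely. It assumes Debian's `render` group name and the thread's image tag `steam:trixie`; whether Steam needs anything beyond this is exactly what still has to be tested.

```shell
#!/bin/sh
# Added example, not from the thread: the original `docker run` line rebuilt
# without --privileged. GPU access is granted through /dev/dri plus the host
# "render" group, and X access is granted to one local uid instead of `xhost +`.
set -eu

# Numeric gid of the host group owning /dev/dri/renderD128 ("render" on Debian).
# Prints a labelled placeholder if the group is absent (e.g. on a headless box).
render_gid() {
    gid=$(getent group render 2>/dev/null | cut -d: -f3)
    printf '%s\n' "${gid:-RENDER_GID_PLACEHOLDER}"
}

# Print the run arguments one per line so they can be reviewed (and tested)
# before anything runs. $1 image, $2 XDG_RUNTIME_DIR, $3 WAYLAND_DISPLAY,
# $4 DISPLAY, $5 render gid.
#   --cap-drop ALL                    no capabilities; a game client needs none
#   --security-opt no-new-privileges  setuid binaries cannot raise privilege
#   --device /dev/dri                 only the GPU nodes, not every host device
#   --group-add <gid>                 lets the container process open renderD128
steam_run_args() {
    printf '%s\n' run -it --name steam \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --device /dev/dri \
        --group-add "$5" \
        -e "XDG_RUNTIME_DIR=$2" -e "WAYLAND_DISPLAY=$3" \
        -v "$2/$3:$2/$3" \
        -e "DISPLAY=$4" -v /tmp/.X11-unix:/tmp/.X11-unix \
        "$1"
}

run_steam() {
    image=${1:-steam:trixie}
    # The thread's Dockerfile sets no USER, so the X client is uid 0; authorize
    # that single local uid. With a USER line, name that account instead.
    xhost +si:localuser:root >/dev/null
    set -f; IFS='
'
    # shellcheck disable=SC2046
    set -- $(steam_run_args "$image" "$XDG_RUNTIME_DIR" "$WAYLAND_DISPLAY" \
                            "$DISPLAY" "$(render_gid)")
    unset IFS; set +f
    sudo docker "$@"
}

if [ "${1:-}" = "--run" ]; then run_steam "${2:-}"; fi
```

Run it as `sh steam-run.sh --run steam:trixie`; if Steam then fails on something specific, add that one device or capability back rather than returning to `--privileged`.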
Since you mentioned that your goal is to restrict its access to your filesystem, I’m gonna suggest using MAC instead.
You’re on Debian, so you should have AppArmor installed. It’s a PITA to configure for GUI software, but I wouldn’t call it unmanageable.
I’d probably give it access to everything outside of
$HOME(/usr/bin/and the likes should beixthough, notux), the game library itself and its own directories in$HOME/.local/share/,$HOME/.config/and$HOME/.cache/(I don’t have a Linux machine with Steam installed atm, can’t guide you any further than that). Most likely, it’ll also want to read$HOME/.local/share/fonts/.if you figure out how to get this working i would be v grateful if you told me how
Ooh this is very interesting and dare I say necessary.
Do you have more logs? Also have you considered trying this using some other distro and/or podman?
My approach would be to try getting this working bare metal and then slowly containerise it
