Gentoo Forums
(openRC) steam-launch: non-privileged userspaces
Rockman8
n00b
Joined: 19 Sep 2023
Posts: 35

Posted: Sat Oct 26, 2024 3:39 pm    Post subject: (openRC) steam-launch: non-privileged userspaces

Tried to run steam-launch with chroot and ran into this

Code:
steam-runtime-check-requirements[4810]: W: Child process exited with code 1: bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.


Current kernel 6.6.52 won't allow
Code:
sysctl kernel.unprivileged_userns_clone=1
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory


The user namespaces limit is set to a high value
Code:
sysctl user.max_user_namespaces
user.max_user_namespaces = 63492


No suid
Code:
sys-apps/bubblewrap-0.10.0::gentoo was built with the following:
USE="(-selinux) -suid" ABI_X86="(64)"


I'm running openRC and perhaps this should be dealt with
Code:
# chroot, substitute user, and start steam
if [[ -n $( cat /proc/1/comm |grep systemd ) ]]; then
  "${chroot_arch}" unshare -m chroot "${chroot_dir}" su -c 'steam' steam
else
  "${chroot_arch}" chroot "${chroot_dir}" su -c 'steam' steam
fi


https://wiki.gentoo.org/wiki/Steam#Chroot

But running any of these options (plain chroot, unshare, or as the steam user) resulted in

Code:
steam.sh[6670]: Error: Steam now requires user namespaces to be enabled.


User id -u (steam) matches my local_user (non-root user outside the chroot); both are the same UID

Any ideas of what I am missing?


Last edited by Rockman8 on Sat Oct 26, 2024 4:59 pm; edited 1 time in total
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22570

Posted: Sat Oct 26, 2024 4:16 pm

The kernel disallows creating a user namespace while in a chroot:
kernel/user_namespace.c:

   /*
    * Verify that we can not violate the policy of which files
    * may be accessed that is specified by the root directory,
    * by verifying that the root directory is at the root of the
    * mount namespace which allows all files to be accessed.
    */
   ret = -EPERM;
   if (current_chrooted())
      goto fail_dec;

That Wiki fragment has a Useless Use of Cat. Additionally, when using unshare, it can set the root directory on its own, without needing to run the program chroot.

More generally, that script looks rather confused. I don't see why it even uses unshare -m, but if it assumes the availability of mount namespaces, then it ought to use those to handle cleaning out the bind mounts at the end, rather than relying on an explicit set of umount calls.
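A preflight script, added here as an example (it is not from the thread, the wiki page, or steam-launch), that reproduces the reasoning in Hu's answer from userspace: it checks for a chroot (approximating the kernel's current_chrooted() with the same / versus /proc/1/root comparison that debianutils' ischroot uses), reads user.max_user_namespaces, notes that the kernel.unprivileged_userns_clone sysctl only exists on kernels carrying a distro patch, and probes unshare -U directly. The function names are assumed for this example.

```shell
#!/bin/sh
# Preflight for "Steam now requires user namespaces to be enabled": checks
# for a chroot (current_chrooted() makes the kernel refuse), the
# user.max_user_namespaces limit, and whether unshare -U really works.
# Function names are this example's own, not from steam-launch.

# 0 = chrooted, 1 = not, 2 = cannot tell (/proc missing or /proc/1/root
# unreadable, which needs ptrace access to PID 1). Same heuristic as
# debianutils' ischroot: in a chroot, "/" is not the directory PID 1 sees.
is_chrooted() {
    [ -d /proc/1/root ] || return 2
    self=$(stat -L -c '%d:%i' / 2>/dev/null) || return 2
    init=$(stat -L -c '%d:%i' /proc/1/root/. 2>/dev/null) || return 2
    [ "$self" != "$init" ]
}

# Namespace limit; 0 disables user namespaces on any kernel.
max_user_namespaces() {
    cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown
}

# Only distro kernels with the Debian-style patch have this toggle, so
# "sysctl: cannot stat" on a vanilla kernel is expected, not a fault.
has_userns_clone_sysctl() {
    [ -e /proc/sys/kernel/unprivileged_userns_clone ]
}

# Live probe: can this process create a user namespace right now?
can_unshare_user() {
    unshare -U true 2>/dev/null
}

# Pure verdict (testable without root): $1 is_chrooted status,
# $2 max_user_namespaces value, $3 1 if the probe succeeded else 0.
explain() {
    if [ "$3" = 1 ]; then echo "ok: user namespaces work"; return; fi
    if [ "$1" = 0 ]; then
        echo "EPERM: kernel refuses user namespaces inside a chroot"
    elif [ "$2" = 0 ]; then
        echo "disabled: user.max_user_namespaces is 0"
    else
        echo "blocked: check CONFIG_USER_NS, seccomp/LSM policy, or an undetected chroot"
    fi
}
main() {
    rc=0; is_chrooted || rc=$?
    ok=0; can_unshare_user && ok=1
    explain "$rc" "$(max_user_namespaces)" "$ok"
}
main
```

Run it both on the host and inside the chroot: on the host the probe normally succeeds, while inside a plain chroot it reports the EPERM case even though the sysctl values look fine.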