Rockman8 n00b
Joined: 19 Sep 2023 Posts: 38
Posted: Sat Oct 26, 2024 3:39 pm Post subject: (openRC) steam-launch: non-privileged userspaces |
Tried to run steam-launch with chroot and ran into this
Code: | steam-runtime-check-requirements[4810]: W: Child process exited with code 1: bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'. |
Current kernel 6.6.52 won't allow
Code: | sysctl kernel.unprivileged_userns_clone=1
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory |
User namespaces is set to a high value
Code: | sysctl user.max_user_namespaces
user.max_user_namespaces = 63492 |
No suid
Code: | sys-apps/bubblewrap-0.10.0::gentoo was built with the following:
USE="(-selinux) -suid" ABI_X86="(64)" |
I'm running openRC and perhaps this should be dealt with
Code: | # chroot, substitute user, and start steam
if [[ -n $( cat /proc/1/comm |grep systemd ) ]]; then
"${chroot_arch}" unshare -m chroot "${chroot_dir}" su -c 'steam' steam
else
"${chroot_arch}" chroot "${chroot_dir}" su -c 'steam' steam
fi |
https://wiki.gentoo.org/wiki/Steam#Chroot
But running any of these options, plain chroot, unshare or as steam user resulted in
Code: | steam.sh[6670]: Error: Steam now requires user namespaces to be enabled. |
User `id -u` (steam) matches my local_user (the non-root user outside the chroot); both are the same UID.
Any ideas what I am missing?
Last edited by Rockman8 on Sat Oct 26, 2024 4:59 pm; edited 1 time in total |
Hu Administrator
Joined: 06 Mar 2007 Posts: 22905
Posted: Sat Oct 26, 2024 4:16 pm Post subject: |
The kernel disallows creating a user namespace while in a chroot: kernel/user_namespace.c: |
/*
* Verify that we can not violate the policy of which files
* may be accessed that is specified by the root directory,
* by verifying that the root directory is at the root of the
* mount namespace which allows all files to be accessed.
*/
ret = -EPERM;
if (current_chrooted())
goto fail_dec; |
That Wiki fragment has a Useless Use of Cat. Additionally, when using unshare, it can set the root directory on its own, without needing to run the program chroot.
More generally, that script looks rather confused. I don't see why it even uses unshare -m, but if it assumes the availability of mount namespaces, then it ought to use those to handle cleaning out the bind mounts at the end, rather than relying on an explicit set of umount calls. |
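The two conditions discussed above (the kernel refusing user namespaces from inside a chroot, and the sysctl knobs that exist on a vanilla kernel versus Debian's) can be checked from one small script. This is an added example, not code from either post or from the Gentoo wiki's steam-launch script. It assumes a Linux `stat` that understands `-c '%d:%i'` (GNU or busybox), util-linux `unshare`, and that PID 1 itself is not chrooted; the `diagnose` mapping from observations to a likely cause is my own heuristic, not anything the kernel or Steam reports.

```shell
#!/bin/sh
# Diagnose why bwrap/steam cannot create an unprivileged user namespace.
# Added example (not the forum's or the wiki's code); assumptions are noted inline.

# Print the user-namespace sysctls that exist on this kernel.
userns_sysctls() {
    # Debian-only knob; absent on a vanilla kernel (hence the "cannot stat" in the post).
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        echo "kernel.unprivileged_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)"
    else
        echo "kernel.unprivileged_userns_clone=absent"
    fi
    # Upstream per-user limit; 0 disables creation for everyone, a large value is fine.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "user.max_user_namespaces=$(cat /proc/sys/user/max_user_namespaces)"
    fi
}

# yes/no/unknown: is this process running under chroot?
# Mirrors the kernel's current_chrooted() idea: inside a chroot, "/" is not the
# root of the mount namespace, so its device:inode differs from PID 1's root.
# Assumption: PID 1 is not chrooted. Reading /proc/1/root needs ptrace access
# to PID 1, so a non-root caller usually gets "unknown".
is_chrooted() {
    own=$(stat -c '%d:%i' / 2>/dev/null) || { echo unknown; return; }
    pid1=$(stat -c '%d:%i' /proc/1/root/. 2>/dev/null) || { echo unknown; return; }
    if [ "$own" = "$pid1" ]; then echo no; else echo yes; fi
}

# yes/no/unknown: can an unprivileged user namespace be created right here?
# This is the same operation bwrap attempts when it is built without suid.
can_unshare_userns() {
    command -v unshare >/dev/null 2>&1 || { echo unknown; return; }
    if unshare -U true >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Map the observations onto the most likely cause (heuristic, my own ordering).
#   $1 = chrooted (yes/no/unknown)
#   $2 = unshare -U works (yes/no/unknown)
#   $3 = value of user.max_user_namespaces
diagnose() {
    if [ "$2" = yes ]; then echo "userns-ok"; return; fi
    if [ "$3" = 0 ]; then echo "max_user_namespaces-is-0"; return; fi
    if [ "$1" = yes ]; then echo "chrooted"; return; fi
    if [ "$2" = no ]; then echo "userns-blocked-by-other-policy"; return; fi
    echo "inconclusive"
}

# Run all probes on this machine and print a one-line verdict.
report() {
    userns_sysctls
    chrooted=$(is_chrooted)
    unshare_ok=$(can_unshare_userns)
    maxns=0
    [ -r /proc/sys/user/max_user_namespaces ] && maxns=$(cat /proc/sys/user/max_user_namespaces)
    echo "chrooted=$chrooted unshare_userns=$unshare_ok"
    echo "verdict: $(diagnose "$chrooted" "$unshare_ok" "$maxns")"
}

report
```

Run it once outside the chroot and once from inside it (as the same non-root user that will launch Steam): the sysctl lines show whether the kernel even has the Debian knob, and the verdict flips from `userns-ok` to `chrooted` when the only thing standing in the way is the chroot itself.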
Rockman8 n00b
Joined: 19 Sep 2023 Posts: 38
flexibeast Guru
Joined: 04 Apr 2022 Posts: 473 Location: Naarm/Melbourne, Australia