For security reasons, and to keep game traffic out of my VPN for better ping, I wanted Steam and other games isolated in a container, and I wanted to share my config. It is based on the Incus / LXD profile for GUI apps (Wayland, X11 and PulseAudio) but a bit simplified: the whole /run/user/1000 directory is passed through and only the environment variables are changed. That is not possible for the X11 socket directory, as many apps have /tmp/.X11-unix hardcoded, so I create symlinks into it instead.
config:
  raw.idmap: both 1000 1000
  security.nesting: "true"
devices:
  data-steam:
    path: /data/steam
    source: /data/steam
    type: disk
  host-run:
    path: /mnt/.host-run
    source: /run/user/1000
    type: disk
  host-x11:
    path: /mnt/.host-x11
    source: /tmp/.X11-unix
    type: disk
  inputdir:
    path: /dev/input
    source: /dev/input
    type: disk
  mygpu:
    gid: "1000"
    type: gpu
    uid: "1000"
The guide assumes the uid of your user on the host and in the guest is the same (1000). In the guest, append the following to your .profile:
#Wayland
export XDG_RUNTIME_DIR=/mnt/.host-run
export WAYLAND_DISPLAY=wayland-0
export XDG_SESSION_TYPE=wayland
export QT_QPA_PLATFORM=wayland
#XWayland: apps expect the sockets under /tmp/.X11-unix, so link the host's in
mkdir -p /tmp/.X11-unix
ln -sf /mnt/.host-x11/* /tmp/.X11-unix/
export DISPLAY=:0
#newest auth file first, in case more than one is lying around
export XAUTHORITY=$(ls -t /mnt/.host-run/.mutter-Xwaylandauth* 2>/dev/null | head -n 1)
#DBus
export DBUS_SESSION_BUS_ADDRESS=unix:path=/mnt/.host-run/bus
#Pulse
export PULSE_SERVER=unix:/mnt/.host-run/pulse/native
#PipeWire
export PIPEWIRE_REMOTE=unix:/mnt/.host-run/pipewire-0
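A guarded variant of the .profile exports above, added here as an example (it is not part of the original post). Each helper takes the mount point as an argument so it can be exercised against a constructed directory tree; /mnt/.host-run and /mnt/.host-x11 are the paths from the profile, and the function names are my own. The point is that an export only happens when the socket it points at is actually present in the guest, so a missing bind mount fails visibly instead of leaving apps pointed at nothing. Every socket exported is an interface into the host session (the D-Bus session bus in particular), so it also makes it easy to emit only the ones a given container needs.

```shell
# Added example, not from the original post. Helpers for the guest's .profile
# that check the host session sockets before exporting anything.

# check_uid_match EXPECTED: raw.idmap "both 1000 1000" only makes sense if the
# guest user really has that uid.
check_uid_match() {
    [ "$(id -u)" = "$1" ]
}

# find_xauthority RUNDIR: print the newest mutter Xwayland auth file in RUNDIR,
# or fail (no output) if there is none or it is unreadable.
find_xauthority() {
    f=$(ls -t "$1"/.mutter-Xwaylandauth* 2>/dev/null | head -n 1)
    [ -n "$f" ] && [ -r "$f" ] && printf '%s\n' "$f"
}

# link_x11_sockets SRC DST: mirror the X* sockets from SRC into DST (like the
# ln -sf in the post), creating DST if needed. Prints the number of links made.
link_x11_sockets() {
    mkdir -p "$2"
    n=0
    for s in "$1"/X*; do
        [ -e "$s" ] || continue
        ln -sf "$s" "$2/$(basename "$s")"
        n=$((n + 1))
    done
    echo "$n"
}

# session_env RUNDIR: print export lines only for the sockets that exist.
# Use with: eval "$(session_env /mnt/.host-run)"
session_env() {
    if [ -S "$1/wayland-0" ]; then
        echo "export XDG_RUNTIME_DIR=$1 WAYLAND_DISPLAY=wayland-0 XDG_SESSION_TYPE=wayland QT_QPA_PLATFORM=wayland"
    fi
    if [ -S "$1/bus" ]; then
        echo "export DBUS_SESSION_BUS_ADDRESS=unix:path=$1/bus"
    fi
    if [ -S "$1/pulse/native" ]; then
        echo "export PULSE_SERVER=unix:$1/pulse/native"
    fi
    if [ -S "$1/pipewire-0" ]; then
        echo "export PIPEWIRE_REMOTE=unix:$1/pipewire-0"
    fi
    return 0
}

# Assumed usage in the guest's ~/.profile:
#   check_uid_match 1000 || echo "uid mismatch, raw.idmap will not line up" >&2
#   eval "$(session_env /mnt/.host-run)"
#   [ "$(link_x11_sockets /mnt/.host-x11 /tmp/.X11-unix)" -gt 0 ] && export DISPLAY=:0
#   XAUTHORITY=$(find_xauthority /mnt/.host-run) && export XAUTHORITY
```

Because session_env prints shell assignments rather than setting them itself, the same function can be run by hand to see exactly which host sockets the container can currently reach.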
This also survives a logout or a reload of the display manager: .profile is evaluated on every login, so XAUTHORITY picks up the freshly created auth file each time.
To have GNOME show the correct app icon, the container's hostname needs to be set to the same as the host's; otherwise GNOME simply refuses to load it.
Also make sure your /etc/subuid and /etc/subgid look somewhat like this:
root:1000:1000000
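A small check for that last point, added here as an example (not from the original post): the raw.idmap line only works if the subuid and subgid ranges granted to root actually contain the uid being mapped, and a range that starts above 1000 silently does not. The helper parses the standard "owner:start:count" lines, so it can be run against the real files or a constructed copy; the function names are my own.

```shell
# Added example, not from the original post. Verify that the subordinate id
# ranges for root cover the uid/gid that "raw.idmap: both 1000 1000" maps.

# subid_covers FILE OWNER ID: succeed if some "OWNER:start:count" line in FILE
# contains ID. Blank lines, comments and other owners are skipped.
subid_covers() {
    file=$1 owner=$2 id=$3
    while IFS=: read -r name start count; do
        case $name in ''|'#'*) continue ;; esac
        [ "$name" = "$owner" ] || continue
        if [ "$id" -ge "$start" ] && [ "$id" -lt $((start + count)) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# idmap_ready ID: both files must cover ID for "raw.idmap: both ID ID".
idmap_ready() {
    subid_covers /etc/subuid root "$1" && subid_covers /etc/subgid root "$1"
}

# Assumed usage on the host before launching the container:
#   idmap_ready 1000 || echo "root's subuid/subgid ranges do not include 1000" >&2
```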