Privileged/Unprivileged Steam Container

Good Evening:

Recently I decided to containerize my Steam instance by way of Simos’ great how-to. I had to do some fidling to get audio to work, but I got it working (long short, Steam cannot be run as root and I could not get access to the pulseaudio socket without elevated privileges. The work around is to have a regular user launch steam via script from within the container:

#!/bin/bash

export PULSE_SERVER="unix:/home/ubuntu/pulse-native" &&
steam

Anywho, that seemed to work until I ran into another problem: I could not launch any games that relied on Proton. A little research showed a common error no matter what game I attempted to launch:

bwrap: Failed to make / slave: Permission denied

My first thought was that this was a privilege issue. So I decided to turn my previously unprivileged container into a privileged container via:

lxc config set steam security.nesting true

Viola! Everything works, now. However, now I am itchy. I am itchy because I know a privileged container is far less secure than an unprivileged container. I decided to containerize Steam because I know it is a a very large security target.

So my question is this, is there a way I could have achieved the same results without sacrificing security?

Thank you!

Hi @NetSpasibo79,
If you dont specify the container as privileged then launched unprivileged I suppose, so security.nesting is not the same as security.privileged parameter. When you change the configuration with security.nesting then that means you can launch another container inside that container.
So, your container is unprivileged.
Regards.

Huh. Thank you! Not surprisingly, there are some inaccurate “How-To’s” flooding out there, then.

Any idea as to why enabling security.nesting would fix the bwrap: Failed to make / slave: Permission denied issue?

Really I dont know, maybe @stgraber has an idea.
Regards.

The config showed in the description of that video properly handles running as a user by using LXD proxy devices with appropriate uid/gid rather than bind-mounts and similar tracks.

Last I played with steam (couple weeks ago), it all still worked fine.

1 Like