Open-Wine-Components / umu-launcher

GNU General Public License v3.0

is it possible to use umu inside bwrap #130

Open beh-10257 opened 6 days ago

beh-10257 commented 6 days ago

Basically I use NixOS, but that's not really relevant. I have this error:

[image]

And I have no idea how to fix it. Basically, if someone was able to run umu in bwrap, just send the command.

R1kaB3rN commented 6 days ago

Yes, it's possible to use bwrap with umu as long as the sandbox is set up properly and the IPC namespace is shared. And I'm guessing you ran into the KeyError because your custom script runs umu under bwrap and is creating new namespaces? I don't know what's in your script, but I think unsharing the user namespace and setting the --uid option may be related to the KeyError, as I expect that error to not happen under normal circumstances.

R1kaB3rN commented 6 days ago

Also, I had thoughts to implement creating custom bwrap containers in the next release to allow modifying the filesystem (e.g., not exposing the entire home directory). However, this use case would be very niche and it would be in the configuration file usage. For example:

[umu]
game_id = 'flowers'
exe = '/home/foo/Games/umu/flowers/drive_c/GOG Games/Flowers - Le Volume Sur Printemps/FLOWERS.exe'
prefix = '/home/foo/Games/umu/flowers'
proton = '/home/foo/.local/share/Steam/compatibilitytools.d/GE-Proton9-7'
sandbox = true # Unshares the home directory and only exposes what's necessary

[[bwrap.bind]]
# Mounts the winetricks cache to the sandbox
src = "/home/foo/.cache/winetricks"
dest = "/home/foo/.cache/winetricks"

R1kaB3rN commented 6 days ago

By the way, since it seems you use bwrap, umu sources its own copy of bwrap so you actually don't need to install the bwrap package. You can find it in $HOME/.local/share/umu/pressure-vessel/libexec/steam-runtime-tools-0/srt-bwrap

beh-10257 commented 6 days ago

> Yes, it's possible to use bwrap with umu as long as the sandbox is set up properly and the IPC namespace is shared. And I'm guessing you ran into the KeyError because your custom script runs umu under bwrap and is creating new namespaces? I don't know what's in your script, but I think unsharing the user namespace and setting the --uid option may be related to the KeyError, as I expect that error to not happen under normal circumstances.

Can you give me a script with this actually working? This is mine:

export VKBASALT_CONFIG_FILE=/home/behe/Games/Genshin-Impact/vkBasalt.conf
export ENABLE_VKBASALT=0
export DXVK_CONFIG_FILE=/home/behe/Games/Genshin-Impact/dxvk.conf
export WINEPREFIX=/home/behe/Games/HOLLOW-KNIGHT
export GAMEID=0
export MANGOAPP_CONFIGFILE=~/.config/MangoHud/MangoHud.conf
export MANGOHUD=0
bwrap \
--die-with-parent \
--dev /dev \
--proc /proc \
--ro-bind /sys /sys \
--ro-bind /nix /nix \
--ro-bind $XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--ro-bind /home/behe/.config/MangoHud/MangoHud.conf /home/behe/.config/MangoHud/MangoHud.conf \
--ro-bind /home/behe/Games/Shaders /home/behe/Games/Shaders \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /lib64 /lib64 \
--ro-bind /lib /lib \
--ro-bind /etc/localtime /etc/localtime \
--ro-bind /etc/host.conf /etc/host.conf \
--ro-bind /etc/zoneinfo /etc/zoneinfo \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
--ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/profiles/per-user/behe /etc/profiles/per-user/behe \
--ro-bind /etc/static/profiles/per-user/behe /etc/static/profiles/per-user/behe \
--ro-bind $XDG_DATA_HOME/icons $XDG_DATA_HOME/icons \
--ro-bind $XDG_DATA_HOME/themes $XDG_DATA_HOME/themes \
--ro-bind $HOME/.config/gtk-4.0 $HOME/.config/gtk-4.0 \
--ro-bind $HOME/.config/gtk-3.0 $HOME/.config/gtk-3.0 \
--ro-bind /run/current-system/sw/bin /run/current-system/sw/bin \
--ro-bind /run/current-system/sw/share/vulkan/implicit_layer.d /run/current-system/sw/share/vulkan/implicit_layer.d \
--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
--ro-bind /sys/dev/char /sys/dev/char \
--ro-bind /run/opengl-driver /run/opengl-driver \
--ro-bind /run/opengl-driver-32 /run/opengl-driver-32 \
--ro-bind $HOME/.Xresources $HOME/.Xresources \
--perms 0700 \
--dir /tmp/.wine-1000 \
--bind $WINEPREFIX $WINEPREFIX \
--bind $HOME/.cache/mesa_shader_cache $HOME/.cache/mesa_shader_cache \
--bind $HOME/.cache/python $HOME/.cache/python \
--bind $HOME/.local/share/umu/ $HOME/.local/share/umu/ \
--bind $HOME/.local/share/Steam/compatibilitytools.d $HOME/.local/share/Steam/compatibilitytools.d \
--dev-bind /dev/dri /dev/dri \
--dev-bind /dev/input /dev/input \
--setenv XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--setenv DISPLAY $DISPLAY \
--setenv WINEPREFIX $WINEPREFIX \
--setenv PATH $PATH \
--setenv GAMEID $GAMEID \
--setenv HOME $HOME \
--setenv MANGOHUD $MANGOHUD \
--setenv VKBASALT_CONFIG_FILE $VKBASALT_CONFIG_FILE \
--setenv ENABLE_VKBASALT $ENABLE_VKBASALT \
--setenv DXVK_CONFIG_FILE $DXVK_CONFIG_FILE \
-- \
umu $WINEPREFIX/drive_c/Hollow_Knight/hollow_knight.exe

beh-10257 commented 6 days ago

> Also, I had thoughts to implement creating custom bwrap containers in the next release to allow modifying the filesystem (e.g., not exposing the entire home directory). However, this use case would be very niche and it would be in the configuration file usage. For example:
>
> [umu]
> game_id = 'flowers'
> exe = '/home/foo/Games/umu/flowers/drive_c/GOG Games/Flowers - Le Volume Sur Printemps/FLOWERS.exe'
> prefix = '/home/foo/Games/umu/flowers'
> proton = '/home/foo/.local/share/Steam/compatibilitytools.d/GE-Proton9-7'
> sandbox = true # Unshares the home directory and only exposes what's necessary
>
> [[bwrap.bind]]
> # Mounts the winetricks cache to the sandbox
> src = "/home/foo/.cache/winetricks"
> dest = "/home/foo/.cache/winetricks"

This would be epic, to be honest. Just removing access from my home directory is what I use bwrap for in the first place.

R1kaB3rN commented 5 days ago

Do you mind binding /etc/passwd to the sandbox and then rerunning the command? The password database module requires this file to be accessible.
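Added example, not part of the thread or of umu's own code: a preflight check that reads a bwrap argument list and reports which paths no bind exposes, together with the uid lookup that raises KeyError when the password database has no entry. It assumes the KeyError in the thread came from a `pwd` uid lookup; the function names, the shortened argument lists and the `REQUIRED` list are constructed for illustration.

```python
import pwd
import posixpath
import types

# bwrap options of the form OPTION SRC DEST that make DEST visible in the sandbox.
BIND_OPTS = {"--bind", "--ro-bind", "--dev-bind", "--bind-try", "--ro-bind-try", "--dev-bind-try"}

def bind_destinations(argv):
    """Collect the DEST of every bind option, stopping at the '--' separator."""
    dests, i = [], 0
    while i < len(argv) and argv[i] != "--":
        if argv[i] in BIND_OPTS and i + 2 < len(argv):
            dests.append(posixpath.normpath(argv[i + 2]))
            i += 3
        else:
            i += 1
    return dests

def covered(path, dests):
    """True if path is a bind destination or lies beneath one."""
    path = posixpath.normpath(path)
    return any(d == "/" or path == d or path.startswith(d + "/") for d in dests)

def missing_in_sandbox(argv, required):
    """Paths from `required` that no bind in argv exposes (tmpfs overlays ignored)."""
    dests = bind_destinations(argv)
    return [p for p in required if not covered(p, dests)]

def lookup_in(passwd_text):
    """getpwuid-like lookup over passwd-format text, for an offline demonstration."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    names = {int(f[2]): f[0] for f in rows if len(f) >= 3 and f[2].isdigit()}
    def lookup(uid):
        if uid not in names:
            raise KeyError(f"getpwuid(): uid not found: {uid}")
        return types.SimpleNamespace(pw_name=names[uid])
    return lookup

def username_for(uid, lookup=pwd.getpwuid):
    """Name for uid, or None when the password database has no entry for it."""
    try:
        return lookup(uid).pw_name
    except KeyError:
        return None

# Constructed, shortened argument lists modelled on the first and final scripts.
FIRST = ["bwrap", "--ro-bind", "/etc/fonts", "/etc/fonts", "--ro-bind", "/etc/hosts", "/etc/hosts",
         "--setenv", "GAMEID", "0", "--", "umu", "explorer"]
FINAL = FIRST[:1] + ["--ro-bind", "/etc/passwd", "/etc/passwd", "--ro-bind", "/etc/ssl", "/etc/ssl",
                     "--ro-bind", "/etc/static", "/etc/static"] + FIRST[1:]
REQUIRED = ["/etc/passwd", "/etc/ssl", "/etc/static"]  # binds the final script added

if __name__ == "__main__":
    print(missing_in_sandbox(FIRST, REQUIRED), missing_in_sandbox(FINAL, REQUIRED))
    print(username_for(1000, lookup_in("")))  # empty database, as in the unbound sandbox
```

Inside a running sandbox, `username_for(os.getuid())` with the default lookup performs the real check against whatever /etc/passwd the sandbox can see.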

beh-10257 commented 5 days ago

OK, that removed that issue; now another issue popped up:

[image]

Also, for what it's worth, if I get this working I'll obviously put the script here just so other people can use it as well.

beh-10257 commented 5 days ago

@R1kaB3rN OK, I made it work. Here's the final script:

export VKBASALT_CONFIG_FILE=/home/behe/Games/Genshin-Impact/vkBasalt.conf
export ENABLE_VKBASALT=0
export DXVK_CONFIG_FILE=/home/behe/Games/Genshin-Impact/dxvk.conf
export WINEPREFIX=/home/behe/Games/HOLLOW-KNIGHT
export GAMEID=0
export MANGOAPP_CONFIGFILE=~/.config/MangoHud/MangoHud.conf
export MANGOHUD=0
bwrap \
--die-with-parent \
--dev /dev \
--proc /proc \
--ro-bind /sys /sys \
--ro-bind /nix /nix \
--ro-bind $XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--ro-bind /home/behe/.config/MangoHud/MangoHud.conf /home/behe/.config/MangoHud/MangoHud.conf \
--ro-bind /home/behe/Games/Shaders /home/behe/Games/Shaders \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /lib64 /lib64 \
--ro-bind /lib /lib \
--ro-bind /etc/localtime /etc/localtime \
--ro-bind /etc/host.conf /etc/host.conf \
--ro-bind /etc/zoneinfo /etc/zoneinfo \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
--ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/profiles/per-user/behe /etc/profiles/per-user/behe \
--ro-bind /etc/static/profiles/per-user/behe /etc/static/profiles/per-user/behe \
--ro-bind $XDG_DATA_HOME/icons $XDG_DATA_HOME/icons \
--ro-bind $XDG_DATA_HOME/themes $XDG_DATA_HOME/themes \
--ro-bind $HOME/.config/gtk-4.0 $HOME/.config/gtk-4.0 \
--ro-bind $HOME/.config/gtk-3.0 $HOME/.config/gtk-3.0 \
--ro-bind /run/current-system/sw/bin /run/current-system/sw/bin \
--ro-bind /run/current-system/sw/share/vulkan/implicit_layer.d /run/current-system/sw/share/vulkan/implicit_layer.d \
--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
--ro-bind /sys/dev/char /sys/dev/char \
--ro-bind /run/opengl-driver /run/opengl-driver \
--ro-bind /run/opengl-driver-32 /run/opengl-driver-32 \
--ro-bind $HOME/.Xresources $HOME/.Xresources \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/ssl /etc/ssl \
--ro-bind /etc/static /etc/static \
--perms 0700 \
--dir /tmp/.wine-1000 \
--bind $WINEPREFIX $WINEPREFIX \
--bind $HOME/.cache/mesa_shader_cache $HOME/.cache/mesa_shader_cache \
--bind $HOME/.cache/python $HOME/.cache/python \
--bind $HOME/.local/share/umu/ $HOME/.local/share/umu/ \
--bind $HOME/.local/share/Steam/compatibilitytools.d $HOME/.local/share/Steam/compatibilitytools.d \
--dev-bind /dev/dri /dev/dri \
--dev-bind /dev/input /dev/input \
--setenv XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--setenv DISPLAY $DISPLAY \
--setenv WINEPREFIX $WINEPREFIX \
--setenv PATH $PATH \
--setenv GAMEID $GAMEID \
--setenv HOME $HOME \
--setenv MANGOHUD $MANGOHUD \
--setenv VKBASALT_CONFIG_FILE $VKBASALT_CONFIG_FILE \
--setenv ENABLE_VKBASALT $ENABLE_VKBASALT \
--setenv DXVK_CONFIG_FILE $DXVK_CONFIG_FILE \
-- \
umu $WINEPREFIX/drive_c/Hollow_Knight/hollow_knight.exe
#umu explorer

beh-10257 commented 2 days ago

@R1kaB3rN Actually, I can unshare everything except --unshare-net,

even when doing umu explorer. I guess this is an umu issue, like, why does it require an internet connection?

Here's the video of the problem: https://github.com/Open-Wine-Components/umu-launcher/assets/77834479/f33afca7-37ed-41c1-b096-e1295b20df38

Here's the script:

export VKBASALT_CONFIG_FILE=/home/behe/Games/Genshin-Impact/vkBasalt.conf
export ENABLE_VKBASALT=0
export DXVK_CONFIG_FILE=/home/behe/Games/Genshin-Impact/dxvk.conf
export WINEPREFIX=/home/behe/Games/HOLLOW-KNIGHT
export GAMEID=0
export MANGOAPP_CONFIGFILE=~/.config/MangoHud/MangoHud.conf
export MANGOHUD=0
export PROTONPATH=GE-Proton
bwrap \
--unshare-cgroup \
--unshare-uts \
--unshare-pid \
--unshare-ipc \
--unshare-user \
--die-with-parent \
--dev /dev \
--proc /proc \
--ro-bind /sys /sys \
--ro-bind /nix /nix \
--ro-bind $XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--ro-bind /home/behe/.config/MangoHud/MangoHud.conf /home/behe/.config/MangoHud/MangoHud.conf \
--ro-bind /home/behe/Games/Shaders /home/behe/Games/Shaders \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /lib64 /lib64 \
--ro-bind /lib /lib \
--ro-bind /etc/localtime /etc/localtime \
--ro-bind /etc/host.conf /etc/host.conf \
--ro-bind /etc/zoneinfo /etc/zoneinfo \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
--ro-bind /etc/hosts /etc/hosts \
--ro-bind /etc/profiles/per-user/behe /etc/profiles/per-user/behe \
--ro-bind /etc/static/profiles/per-user/behe /etc/static/profiles/per-user/behe \
--ro-bind $XDG_DATA_HOME/icons $XDG_DATA_HOME/icons \
--ro-bind $XDG_DATA_HOME/themes $XDG_DATA_HOME/themes \
--ro-bind $HOME/.config/gtk-4.0 $HOME/.config/gtk-4.0 \
--ro-bind $HOME/.config/gtk-3.0 $HOME/.config/gtk-3.0 \
--ro-bind /run/current-system/sw/bin /run/current-system/sw/bin \
--ro-bind /run/current-system/sw/share/vulkan/implicit_layer.d /run/current-system/sw/share/vulkan/implicit_layer.d \
--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
--ro-bind /sys/dev/char /sys/dev/char \
--ro-bind /run/opengl-driver /run/opengl-driver \
--ro-bind /run/opengl-driver-32 /run/opengl-driver-32 \
--ro-bind $HOME/.Xresources $HOME/.Xresources \
--ro-bind /etc/passwd /etc/passwd \
--ro-bind /etc/ssl /etc/ssl \
--ro-bind /etc/machine-id /etc/machine-id \
--ro-bind /etc/static /etc/static \
--ro-bind $DXVK_CONFIG_FILE $DXVK_CONFIG_FILE \
--perms 0700 \
--dir /tmp/.wine-1000 \
--bind $WINEPREFIX $WINEPREFIX \
--bind $HOME/.cache/mesa_shader_cache $HOME/.cache/mesa_shader_cache \
--bind $HOME/.cache/python $HOME/.cache/python \
--bind $HOME/.local/share/umu/ $HOME/.local/share/umu/ \
--bind $HOME/.local/share/Steam/compatibilitytools.d $HOME/.local/share/Steam/compatibilitytools.d \
--dev-bind /dev/dri /dev/dri \
--dev-bind /dev/input /dev/input \
--setenv XDG_RUNTIME_DIR $XDG_RUNTIME_DIR \
--setenv DISPLAY $DISPLAY \
--setenv WINEPREFIX $WINEPREFIX \
--setenv PATH $PATH \
--setenv GAMEID $GAMEID \
--setenv HOME $HOME \
--setenv MANGOHUD $MANGOHUD \
--setenv VKBASALT_CONFIG_FILE $VKBASALT_CONFIG_FILE \
--setenv ENABLE_VKBASALT $ENABLE_VKBASALT \
--setenv DXVK_CONFIG_FILE $DXVK_CONFIG_FILE \
-- \
umu explorer

R1kaB3rN commented 2 days ago

Even after watching the video, I don't have enough information to determine the problem and you'll need to at least upload a wine traceback because, certainly, something occurs when control is given to wine.

Though I don't know how wine explorer works, I do know that using --unshare-net should pose no problem as long as the sandbox is set correctly and the executable doesn't require internet to fully function because I've been using that option for a while.

cryptonaus commented 2 days ago

> Also, I had thoughts to implement creating custom bwrap containers in the next release to allow modifying the filesystem (e.g., not exposing the entire home directory). However, this use case would be very niche and it would be in the configuration file usage...

This would be appreciated. When I heard about umu launcher, I was concerned about layered containerization—specifically for the use case expressed in this issue. You call this a "very niche" use case, but I don't think it has to be that way: combined with structured data about game directories (that anyone can contribute and everyone can share) and store information, almost everyone could benefit from this setup. I currently use bubblewrap to make backing up game saves trivial and simultaneously support multiple couch users, providing a console-like experience. Switching users re-uses the same installation (and shader caches, etc.), but bubblewrap just binds different save paths.

[umu]
game_id = 'flowers'
exe = '/home/foo/Games/umu/flowers/drive_c/GOG Games/Flowers - Le Volume Sur Printemps/FLOWERS.exe'
prefix = '/home/foo/Games/umu/flowers'
proton = '/home/foo/.local/share/Steam/compatibilitytools.d/GE-Proton9-7'
sandbox = true # Unshares the home directory and only exposes what's necessary

[directories]
# Mount the directories as subdirectories of the below
config = "/home/foo/.config/umu/flowers"
cache = "/home/foo/.cache/umu/flowers"
saves = "/home/foo/Documents/saves/flowers" # Maybe read an env variable or replace with launcher to specify a different path

Just food for thought.