3D Graphics init fails

[adeliktas]

I tried to run some lightweight app/game in an isolated sandwine environment with no network (like firejail --net=none) and restricted file access and not having to spin up gaming vm.

sandwine --x11 --dotwine ~/.wine:rw --pulseaudio --pass "/mnt/foo/games/randomgame":rw randomgame.exe

running the apps with sandwine fails when init. graphics. for Direct3D, OpenGL, ... AssaultCube fatal error: Unable to create OpenGL screen (No matching GL pixel format available) vulkan: No DRI3 support detected - required for presentation 0160:err:wgl:X11DRV_WineGL_InitOpenglInfo couldn't initialize OpenGL, expect problems 0160:err:d3d:wined3d_caps_gl_ctx_create Failed to find a suitable pixel format. 0160:err:d3d:wined3d_adapter_gl_init Failed to get a GL context for adapter 0000000000AA47E0. Xlib: extension "MIT-SHM" missing on display ":4". ...

Running the game via wine with ~/.wine wineprefix is working fine.

AMD Radeon RX 6600 XT Gentoo 6.7.3 gnome-44.3 XWayland wine-9.0 (Staging) bubblewrap 0.8.0

[hartwork]

Hi @adeliktas, which nested X11 did sandwine auto-detect and use for --x11 with you — X2Go nxagent or Xephyr or Xnest? My guess is that it would need one or two "files" shared with the sandbox more. Could try wrapping the whole thing with strace -F -efile and see if any open failures catch your attention, in particular from /dev or /proc?

[adeliktas]

Hi @adeliktas, which nested X11 did sandwine auto-detect and use for --x11 with you — X2Go nxagent or Xephyr or Xnest? My guess is that it would need one or two "files" shared with the sandbox more. Could try wrapping the whole thing with strace -F -efile and see if any open failures catch your attention, in particular from /dev or /proc?

x11 is running --nxagent the others are not available and --host-x11-danger-danger isn't working

i did try to pass multiple paths, but even when allowing full drive access with rw it will fail, so i suspect the problem lies elsewhere. strace -F -efile sandwine --x11 --dotwine ~/.wine:rw --pulseaudio --pass "/":rw "/mnt/foo/games":rw mygame.exe

i tried to troubleshoot the resulting bwrap and --unshare-all or rather --unshare-net is causing the issue. Make sure that your X server is running and that $DISPLAY is set correctly.

bwrap \
    --disable-userns \
    --die-with-parent \
    --hostname 049d86579199 \
    --unshare-user --unshare-all \
    --tmpfs / \
    --ro-bind /bin /bin \
    --dev /dev \
    --dev-bind /dev/dri /dev/dri \
    --ro-bind /etc /etc \
    --tmpfs /home/adeliktas \
    --bind /home/adeliktas/.wine /home/adeliktas/.wine \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --bind /mnt/foo/games /mnt/foo/games \
    --proc /proc \
    --bind /run/user/1000/pulse/native /run/user/1000/pulse/native \
    --ro-bind /sys /sys \
    --tmpfs /tmp \
    --bind /tmp/.X11-unix/X4 /tmp/.X11-unix/X4 \
    --ro-bind /usr /usr \
    --clearenv \
    --setenv DISPLAY :4 \
    ...

So --unshare-user --unshare-all --share-net \ does make it run. It seems accessing the X server requires network access.

[hartwork]

Hi @adeliktas I cannot confirm that access to X would need network, e.g. sandwine --nxagent --no-wine -- kwrite shows up KWrite fine for me with no access to the network. I'm on Gentoo, too. Does the KWrite case work for you? Also: does your stack involve Wayland by chance — e.g. x11-base/xwayland — or this with x11-base/xorg-server?

[adeliktas]

Hi @adeliktas I cannot confirm that access to X would need network, e.g. sandwine --nxagent --no-wine -- kwrite shows up KWrite fine for me with no access to the network. I'm on Gentoo, too. Does the KWrite case work for you? Also: does your stack involve Wayland by chance — e.g. x11-base/xwayland — or this with x11-base/xorg-server?

I am also able to open other graphical apps like calculator. The issue only occurs when trying to run/open any 3D Graphics apps/games. I am running it on gnome-44.3 with wayland session or rather with XWayland

[hartwork]

@adeliktas thanks for the update, interesting. I have zero experience with Wayland, and my desktop environment is XFCE. I could try playing with the windows binaries of AssaultCube at some point, but my machines have non-gaming Intel graphics cards so it will take some luck and also some time. Any more details about the specific blocker in your setup will be helpful, and also reproducers crafted with --no-wine and using in-Gentoo Linux software could help speed things up by likely making things easier for me to reproduce. Thanks in advance!