Comment by Arnavion

2 years ago

Hacked it together myself.

I have a Containerfile with docker.io/library/ubuntu:22.04 base and a RUN step that installs steam + mesa-vulkan-drivers + some other GL and audio libs + 32-bit versions of those, creates a user with the same UID as my user on the host, and adds it to the input group (for controller support).

Then I have a `~/.local/bin/steam` script that runs `podman container run --userns=keep-id` with parameters to pass through `/dev/dri` (for GPU), `/dev/input` (for controller), PulseAudio socket, X11 socket, and an empty directory as the home directory.

Every week or so when I reboot my PC for updates, I rebuild the container image with whatever is the latest ubuntu base image and other packages at the time.

`~/.local/bin/discord` is the same except it doesn't have the controller and GPU stuff, and it has a pre-processing step to download the Linux binary tarball from their website and unpack it into the home directory.

I'd share it but it's part of a big private personal repo. I might separate it out into a GitHub Gist or something later.

https://gist.github.com/Arnavion/81006757190c29aa0b24c674e24...

The first `#` line in each file is the path where that file should go.

Use ~/src/non-oss-container/build.sh to build the container image and ~/.local/bin/steam to run a Steam container using that image.

The Steam container-specific homedir will be ~/non-oss-root/steam.

The default COMMAND runs Steam with the built-in web browser disabled. I don't use it so I keep it disabled, except that you can't uninstall games from the default view if the web browser is disabled. Launch Big Picture View and uninstall from there.

The X socket is mounted from the host, so if you're worried about malicious programs intercepting your other X windows or input devices, then this level of sandboxing will not help. (I don't care because I use a wayland compositor and run nothing of importance in Xwayland.) In this case you may want to consider running a nested X server like xephyr and mounting its socket in the container instead.
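As an added example that is not Arnavion's script (the gist itself is not reproduced here), a POSIX sh sketch of the wrapper described above: it prints the podman argument list one item per line so the bind mounts and device passthroughs that define the sandbox boundary can be reviewed before anything is launched. The image tag, the per-app home under ~/non-oss-root, the PulseAudio socket under $XDG_RUNTIME_DIR and the X socket path are assumptions.

```shell
#!/bin/sh
# Added illustration, not the script from the gist above. Values marked
# "assumed" are placeholders for this example.
IMAGE="${IMAGE:-localhost/non-oss:latest}"   # assumed tag produced by build.sh

# Print the podman argument list for one app, one argument per line.
# $1 = app name, $2 = "gpu" to pass through /dev/dri and /dev/input (Steam);
# anything else omits them (Discord). Nothing is started here.
run_args() {
    app="$1"
    want_gpu="$2"
    app_home="${HOME}/non-oss-root/${app}"            # per-app home, empty at first
    xdg_rt="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"   # PulseAudio socket lives here (assumed)
    disp="${DISPLAY:-:0}"
    disp_num="${disp#:}"; disp_num="${disp_num%%.*}"  # ":1.0" -> "1"

    # --userns=keep-id maps the host UID into the container, which is why the
    # Containerfile creates a user with the same UID.
    # The X socket is the weak point mentioned above: any client on it can see
    # other X windows and input. Pointing this mount at a nested server's
    # socket (e.g. Xephyr) instead of the host's narrows that exposure.
    printf '%s\n' container run --rm -it --name "$app" \
        --userns=keep-id \
        -e DISPLAY="$disp" \
        -e PULSE_SERVER=unix:/run/pulse/native \
        -v "/tmp/.X11-unix/X${disp_num}:/tmp/.X11-unix/X${disp_num}" \
        -v "${xdg_rt}/pulse/native:/run/pulse/native" \
        -v "${app_home}:/home/${app}"
    if [ "$want_gpu" = gpu ]; then
        printf '%s\n' --device /dev/dri --device /dev/input
    fi
    printf '%s\n' "$IMAGE"
}

# Create the per-app home and hand the list to podman. Paths without spaces
# are assumed so the newline-separated list can be re-split with "$@".
run_app() {
    mkdir -p "${HOME}/non-oss-root/$1"
    set -f
    set -- $(run_args "$1" "$2")
    set +f
    exec podman "$@"
}

case "${1:-}" in
    steam)   run_app steam gpu ;;
    discord) run_app discord nogpu ;;   # tarball download step omitted here
esac
```

Running the file with `steam` as its argument launches the container; calling `run_args steam gpu` only prints the command for inspection.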

  • This is really cool, thanks for sharing! I might try this out as a sandboxing mechanism for a few of the apps I run.