I like Debian 7 and I appreciate the stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. And there are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sounds familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.
I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here; this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler tool chain. Not anymore! My new setup allows me to run programs on the Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.
The key to this setup is to have the same user id set in both distributions. This happens by default if the first user you configure during install is the same in both distros. You can check this by running the id command in both Debian and Ubuntu:
(I am user netblue and my user id is 1000)
$ id
uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) ...
$
On both Debian and Ubuntu I’ve installed Firejail. The download section of the project provides a generic .deb package for distributions based on Ubuntu or Debian (dpkg -i firejail_X.Y.Z_1_amd64.deb). Arch, openSUSE, Fedora and CentOS 7 are also supported.
Firejail is a SUID security sandbox that reduces the risk of security breaches using various features available in the Linux kernel. It starts by mounting the Ubuntu partition in a new filesystem namespace. This is described in LXC literature as a “chroot on steroids”. On top of this, a PID namespace provides process isolation. It is followed by a Linux capabilities filter that further restricts what can be done in the sandbox, and a seccomp-bpf filter. I use this program to run Ubuntu games directly from Debian.
I’ll take Warzone2100 as an example. The game is available only in Debian “jessie” and Ubuntu 14.04. I install it in Ubuntu, and back in Debian “wheezy” I mount the Ubuntu partition using the file manager. In all the examples here I assume the partition is mounted under /media/ubuntu. Time to start the game using the Firejail sandbox:
$ firejail --chroot=/media/ubuntu warzone2100
I start the sandbox in Debian as a regular user, and based on the user id discussed above, I am transferred into my user account inside Ubuntu. Then, the game begins.
Installing more games
You don’t have to leave Debian to install more games on Ubuntu. As root, start the sandbox and install AssaultCube as follows:
# firejail --chroot=/media/ubuntu
Parent pid 3372, child pid 3373
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 192.168.1.60 255.255.255.0 UP
Child process initialized
[root@debian netblue]$ apt-get install assaultcube
...
[root@debian netblue]$ exit
#
Once installed, run the game as a regular user:
$ firejail --chroot=/media/ubuntu assaultcube
If instead of games you are more interested in newer versions of some of your favorite productivity tools, the procedure is the same. For example, to install the OpenShot video editor, run firejail --chroot=/media/ubuntu apt-get install openshot as root, then start the program as a regular user with firejail --chroot=/media/ubuntu openshot.
I handle Ubuntu's apt-get update && apt-get upgrade from Debian the same way.
Here are some more examples of Firejail usage.
Running a bash shell:
$ firejail --chroot=/media/ubuntu
Masking your existing user home directory in Ubuntu and replacing it with a new, empty one:
$ firejail --chroot=/media/ubuntu --private
Tracing network and file access. I’ll give a simple wget session as an example; a real game does hundreds of such accesses:
$ firejail --chroot=/media/ubuntu --trace wget -q debian.org
Parent pid 3572, child pid 3573
Enforcing Linux capabilities and seccomp filters
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 192.168.1.60 255.255.255.0 UP
Child process initialized
1:bash:open /dev/tty
1:wget:fopen64 /etc/wgetrc
1:wget:fopen /etc/hosts
1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP
1:wget:connect 220.127.116.11:53
1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP
1:wget:connect 18.104.22.168:80
1:wget:fopen /etc/hosts
1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP
1:wget:connect 22.214.171.124:53
1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP
1:wget:connect 126.96.36.199:80
1:wget:fopen64 index.html.2
1:wget:open64 /usr/lib/charset.alias
parent is shutting down, bye...
netblue@debian:~$
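With hundreds of trace lines per game, it helps to reduce a saved trace to unique connections and file accesses and to flag ports you did not expect. The script below is an added example, not part of Firejail or the original article: the function names are hypothetical, the PID:PROCESS:CALL ARGS line format is inferred from the session above, and the sample log (including the "game" process) is constructed.

```shell
#!/bin/sh
# Added example, not Firejail code. Assumes each trace line has the shape
# shown in the session above: PID:PROCESS:CALL ARGS (connect args ADDR:PORT).

# Constructed sample log; addresses are RFC 5737 documentation ranges.
sample_trace() {
    cat <<'EOF'
Parent pid 3572, child pid 3573
Child process initialized
1:bash:open /dev/tty
1:wget:fopen64 /etc/wgetrc
1:wget:fopen /etc/hosts
1:wget:connect 192.0.2.53:53
1:wget:connect 198.51.100.10:80
1:wget:fopen /etc/hosts
1:wget:connect 198.51.100.10:80
1:game:connect 203.0.113.7:8080
1:game:open64 /home/netblue/.ssh/id_rsa
parent is shutting down, bye...
EOF
}

# Unique "process destination" pairs for every connect call on stdin.
trace_connects() {
    awk '/^[0-9]+:[^:]+:connect / {
        split($0, head, ":"); dest = $0
        sub(/^[0-9]+:[^:]+:connect /, "", dest)
        print head[2], dest
    }' | sort -u
}

# Unique "process path" pairs for open/fopen/open64/fopen64 calls.
trace_files() {
    awk '/^[0-9]+:[^:]+:f?open(64)? / {
        split($0, head, ":"); path = $0
        sub(/^[0-9]+:[^:]+:f?open(64)? /, "", path)
        print head[2], path
    }' | sort -u
}

# Connects whose port is not in the space-separated allowlist in $1.
trace_unexpected() {
    trace_connects | awk -v allowed="$1" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        { port = $2; sub(/^.*:/, "", port); if (!(port in ok)) print }'
}

sample_trace | trace_unexpected "53 80 443"   # review anything printed here
```

To use it on a real session, save the firejail --trace output to a file and pipe that file into the functions in place of sample_trace.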
You can find more information about Firejail here.