Debian/Ubuntu Cross-distro Gaming with Firejail

I like Debian 7 and I appreciate the stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. And there are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sounds familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.

Ubuntu 14.04 version of AssaultCube running on Debian 7


Debian/Ubuntu setup

I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here; this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler toolchain. Not anymore! My new setup allows me to run programs on the Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.

The key to this setup is to have the same user id set in both distributions. This happens by default if the first user you configure during install is the same in both distros. You can check it by running the id command in Debian and Ubuntu:

(I am user netblue and my user id is 1000)
$ id
uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) ...
$
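
The same check can be done from the Debian side before the first launch, by reading the passwd file on the mounted Ubuntu partition. This is an added example, not part of the original article or of Firejail; the function names are hypothetical and the sample passwd files are constructed.

```sh
#!/bin/sh
# Added example: look up a user's UID/GID in a passwd file ("name:x:uid:gid:...").
# Prints "uid:gid"; exits non-zero if the user has no entry.
passwd_ids() {  # $1 = passwd file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; found = 1; exit }
                       END { exit !found }' "$1"
}

# Compare the host account with the account of the same name in the chroot.
# $1 = host passwd file, $2 = chroot root, $3 = user name
# Returns 0 on match, 1 on UID/GID mismatch, 2 if the user is missing on a side.
check_chroot_user() {
    host_ids=$(passwd_ids "$1" "$3") || { echo "no $3 in $1" >&2; return 2; }
    jail_ids=$(passwd_ids "$2/etc/passwd" "$3") ||
        { echo "no $3 in $2/etc/passwd" >&2; return 2; }
    if [ "$host_ids" != "$jail_ids" ]; then
        # A mismatch means the sandboxed process would run as whichever
        # chroot account owns the host UID, not as the intended user.
        echo "$3: host uid:gid $host_ids, chroot uid:gid $jail_ids" >&2
        return 1
    fi
    return 0
}

# Constructed sample data: a host passwd and a fake chroot whose UID differs.
tmp=$(mktemp -d)
mkdir -p "$tmp/ubuntu/etc"
printf 'netblue:x:1000:1000::/home/netblue:/bin/bash\n' > "$tmp/passwd"
printf 'netblue:x:1001:1001::/home/netblue:/bin/bash\n' > "$tmp/ubuntu/etc/passwd"
check_chroot_user "$tmp/passwd" "$tmp/ubuntu" netblue ||
    echo "user ids differ: fix this before using --chroot"
rm -rf "$tmp"

# Real use, with the paths assumed in this article:
#   check_chroot_user /etc/passwd /media/ubuntu "$(id -un)" &&
#       firejail --chroot=/media/ubuntu warzone2100
```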

On both Debian and Ubuntu I’ve installed Firejail. The download section of the project provides a generic .deb package for distributions based on Ubuntu or Debian (apt-get install firejail_X.Y.Z_1_amd64.deb). Arch, openSUSE, Fedora and CentOS 7 are also supported.

Firejail is a SUID security sandbox that reduces the risk of security breaches using various features available in the Linux kernel. It starts by mounting the Ubuntu partition in a new filesystem namespace. This is described in LXC literature as a “chroot on steroids”. On top of this, a PID namespace provides process isolation. It is followed by a Linux capabilities filter that further restricts what can be done in the sandbox, and a seccomp-bpf filter. I use this program to run Ubuntu games directly from Debian.

Running games

I’ll take Warzone2100 as an example. The game is available only in Debian “jessie” and Ubuntu 14.04. I install it in Ubuntu, and back in Debian “wheezy” I mount the Ubuntu partition using the file manager. In all the examples here I assume the partition is mounted under /media/ubuntu. Time to start the game using the Firejail sandbox:

$ firejail --chroot=/media/ubuntu warzone2100

I start the sandbox in Debian as a regular user, and based on the user id discussed above, I am transferred into my user account inside Ubuntu. Then, the game begins.

Ubuntu 14.04 version of Warzone2100 running in Debian 7


Installing more games

You don’t have to leave Debian to install more games on Ubuntu. As root, start the sandbox and install AssaultCube as follows:

# firejail --chroot=/media/ubuntu
Parent pid 3372, child pid 3373
Interface           IP                  Mask                Status              
lo                  127.0.0.1           255.0.0.0           UP                  
eth0                192.168.1.60        255.255.255.0       UP                  

Child process initialized
[root@debian netblue]$ apt-get install assaultcube
...
[root@debian netblue]$ exit
#

Once installed, run the game as a regular user:

$ firejail --chroot=/media/ubuntu assaultcube

If instead of games you are more interested in newer versions of some of your favorite productivity tools, the procedure is the same. For example, to install the OpenShot video editor, run firejail --chroot=/media/ubuntu apt-get install openshot as root, and start the program as a regular user with firejail --chroot=/media/ubuntu openshot:

Ubuntu 14.04 version of OpenShot running on Debian 7


I handle Ubuntu’s apt-get update && apt-get upgrade from Debian the same way.

More options

Here are some more examples of Firejail usage.

Running a bash shell:

$ firejail --chroot=/media/ubuntu

Masking your existing user home directory in Ubuntu and replacing it with a new, empty one:

$ firejail --chroot=/media/ubuntu --private

Tracing network and file access – I’ll give a simple wget session as an example, a real game does hundreds of such accesses:

$ firejail --chroot=/media/ubuntu --trace wget -q debian.org
Parent pid 3572, child pid 3573
Enforcing Linux capabilities and seccomp filters
Interface           IP                  Mask                Status              
lo                  127.0.0.1           255.0.0.0           UP                  
eth0                192.168.1.60        255.255.255.0       UP                  

Child process initialized
1:bash:open /dev/tty
1:wget:fopen64 /etc/wgetrc
1:wget:fopen /etc/hosts
1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP
1:wget:connect 8.8.8.8:53
1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP
1:wget:connect 5.153.231.4:80
1:wget:fopen /etc/hosts
1:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP
1:wget:connect 8.8.8.8:53
1:wget:socket AF_INET SOCK_STREAM IPPROTO_IP
1:wget:connect 128.31.0.62:80
1:wget:fopen64 index.html.2
1:wget:open64 /usr/lib/charset.alias

parent is shutting down, bye...
netblue@debian:~$ 
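
With hundreds of accesses per game, the raw trace is easier to review once it is reduced to unique network endpoints and to files opened outside the places you expect. This is an added example, not part of the original article or of Firejail; the function names and the allowlist of path prefixes are assumptions, and the sample lines are copied from the wget trace above.

```sh
#!/bin/sh
# Added example: summarise `firejail --trace` output read from stdin.
# Trace lines have the form  pid:process:call arguments...
# Banner and interface lines do not match that form and are skipped.

# Unique remote endpoints per process with hit counts: "count process addr:port"
trace_connects() {
    awk '{
        n = split($1, f, ":")        # f[1]=pid, f[2]=process, f[3]=call
        if (n == 3 && f[3] == "connect") seen[f[2] " " $2]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2,2 -k3,3
}

# Files opened outside an allowlist of path prefixes.
# $1 = space-separated prefixes, e.g. "/etc/ /usr/lib/"
trace_files_outside() {
    awk -v allow="$1" 'BEGIN { na = split(allow, pre, " ") }
    {
        n = split($1, f, ":")
        if (n != 3 || f[3] !~ /^f?open(64)?$/) next   # open, open64, fopen, fopen64
        for (i = 1; i <= na; i++) if (index($2, pre[i]) == 1) next
        print f[2], $2
    }' | LC_ALL=C sort -u
}

sample_trace() {  # lines copied from the wget trace in this article
cat <<'EOF'
Child process initialized
1:bash:open /dev/tty
1:wget:fopen64 /etc/wgetrc
1:wget:fopen /etc/hosts
1:wget:connect 8.8.8.8:53
1:wget:connect 5.153.231.4:80
1:wget:fopen /etc/hosts
1:wget:connect 8.8.8.8:53
1:wget:connect 128.31.0.62:80
1:wget:fopen64 index.html.2
1:wget:open64 /usr/lib/charset.alias
EOF
}

sample_trace | trace_connects
sample_trace | trace_files_outside "/etc/ /usr/lib/"
```

For a real session, redirect the firejail --trace output to a file and feed that file to the two functions.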

You can find more information about Firejail here.


5 thoughts on “Debian/Ubuntu Cross-distro Gaming with Firejail”

  1. Pingback: Links 27/10/2014: Lenovo Unbundling, Linux 3.18 RC2 | Techrights

  2. ice

    Thanks, great setup, but how do you get the x server to work? When I do it from ubuntu 14.04 to ubuntu 14.04 or mint17 I only get x server errors, the only way I found is with the nest command, but that's horrible and is run in software not on the graphics card.

  3. exo66

    Do you think it’s possible that this would work between linux and windows with cygwin?
    I already tried firejail --chroot=/run/media/$USER/$PARTITION $GAME and it didn’t work because it couldn’t find /dev, would cygwin fix that? Running windows games from linux with native performance would be amazing.
