
Steam for Linux client adds support for Linux namespaces - bdz
https://steamcommunity.com/app/221410/discussions/0/1638675549018366706/
======
frio
This is amazing work from Valve, but I have to admit some fear that it'll
eventually stop. They started to put a lot of work into Linux gaming/Steam
Machines when the Microsoft Store was a potential existential threat on
Windows, but with the multitude of stores now present -- Battle.net, Uplay,
Origin, Epic -- that no longer seems to be as terrifying as it once was. In
the meantime, their own survey indicates that only <1% of users are on Linux
([https://store.steampowered.com/hwsurvey/Steam-Hardware-Softw...](https://store.steampowered.com/hwsurvey/Steam-Hardware-Software-Survey-Welcome-to-Steam?platform=combined)
-- click the "OS Version" entry in the table).

Still, as a full-time Linux user, I'm over the moon. I've always used Linux on
my development laptop, but struggled to keep it on my desktop because the lure
of gaming with remote friends has been too strong. However, after literally
decades of trying to give up Windows entirely, between Proton, kernel
contributions and efforts like this, I can play most of my backlog without
having to resort to dual-booting or even VFIO. Even many fresh releases work
without strife.

To anyone at Valve who reads HN: thanks. I know we're a tiny minority, and I'm
really grateful for the continued, ongoing support.

~~~
bscphil
> their own survey indicates that only <1% of users are on Linux

This is interesting to me because I spend 99.5% of my time on Linux (even for
most of my gaming), but I still boot into a different OS when I want to use
Steam, so I don't show up on the stat sheet. I wish I did. Two reasons I do
this:

1. The Steam installation is kind of messy on my OS (Arch Linux). It involves
a big client that doesn't integrate into the OS very well, requires a lot of
32-bit compatibility libraries that I wouldn't otherwise need, and leaves a
bunch of large data files all over my home folder.

2. It simply _feels_ weird and uncomfortable to run closed-source, DRM-including
software on Linux. I can't explain it any better than that, because
it really is just a mental "purity" thing. I'd rather completely separate the
"foreign" software that I have this instinctive distrust for onto a separate
system entirely, where I already don't trust the OS.

I'm still grateful to Valve for the support, because it encourages developers
to get their software to run on Linux, even if most of the games I play are
DRM-free binaries purchased from the developer.

~~~
vkizl
To me it feels weird to use binaries from outside the repos, period. On
Windows double clicking an exe file feels natural. On Linux "chmod +x
something && ./something" is icky.

~~~
NullPrefix
You forgot sudo. IIRC Windows Steam asks for Admin rights.

~~~
matheusmoreira
Multiplayer Windows games in general ship anti-cheating software implemented
as _kernel modules_ that are more invasive than even draconian DRM.

~~~
vkizl
I've played several multiplayer games for Windows and I've only seen Fortnite
do this.

~~~
therein
Many "serious" multiplayer games will feature this. I mean VAC, EasyAntiCheat,
BattlEye. They all have a kernel module component.

------
ComputerGuru
_This is only tangential, but I realized I never wrote this down and figured
I’d take the opportunity._

Ever since Steam published their non-Windows clients, we randomly get support
requests from Steam users on Linux and macOS because the (all stacks)
backtrace contains references to the WFMO WIN32 events library I open sourced
many, many years back [0]. Always makes me smile though, my small contribution
to Linux gaming. (Somewhat ironically, even Microsoft now uses this for cross-
platform projects with VS Code being the primary example.)

I think all library developers (open source or otherwise) would probably do
well to adopt the etilqs hack, you never know where your code will end up.

[0]: [https://neosmart.net/blog/2011/waitformultipleobjects-and-wi...](https://neosmart.net/blog/2011/waitformultipleobjects-and-win32-events-for-linux-and-read-write-locks-for-windows/)

~~~
HeWhoLurksLate
Neat read, & thank you!

~~~
ComputerGuru
Thank you!

------
simosx
The main benefit is that it makes Steam not depend anymore on the installed
packages of the host Linux distribution.

Part of this is that Steam can still use 32-bit libraries even when the host
Linux distribution has fully moved to 64-bit.

See recent discussion at [https://ubuntu.com/blog/statement-on-32-bit-i386-packages-fo...](https://ubuntu.com/blog/statement-on-32-bit-i386-packages-for-ubuntu-19-10-and-20-04-lts)

While you would have expected Valve to use an existing container platform,
they went ahead and directly used the security features of the Linux kernel in
Steam.

~~~
AnIdiotOnTheNet
> The main benefit is that it makes Steam not depend anymore on the installed
> packages of the host Linux distribution.

Now if only most other Linux software could do that.

~~~
baroffoos
It's not needed, since most Linux software is open source and gets packaged
properly for each distro.

~~~
AnIdiotOnTheNet
And when it isn't one of those things, well, fuck you I guess. That's one of
the biggest reasons I think a lot of people don't use Linux, yet the Linux
Desktop community consistently ignores and dismisses the issue and then
wonders why Linux Desktop isn't more popular.

~~~
jdnenej
Flatpak exists to solve this problem.

~~~
AnIdiotOnTheNet
Flatpak unfortunately has other issues inherited from a repo-based approach.
Like, it can't be installed to a separate disk from the rest of the system, and
you can't use anything not in your repo, forcing you to set up pretty much 1
repo/application, which is ridiculous.

~~~
imtringued
That didn't stop macOS or Android devs from uploading their apps to the Play
Store and App Store.

~~~
AnIdiotOnTheNet
Oh, you mean those stores developers are constantly complaining about because
of entry barriers and having no recourse when their software is arbitrarily
booted out? Or the ones where users complain that they can't get older
versions of software and have difficulty finding legitimate apps in seas of fakes?

Repo models are antithetical to the concept of personal computing in my
opinion.

------
sha666sum
Something nobody else seems to have said here is that Valve's work on Linux,
Proton, streaming from one device to another (even phones), etc., puts them in
an excellent position for cloud gaming, as pointed out by [1]. Namespace
support seems like an obvious next step here.

Valve is already in the best position for this, since they're the dominant
market player and gamers already have their game libraries in Steam. Buying a
game from Valve makes more sense than buying a game from Google: Steam users
get to keep a playable product even if the streaming product is a flop.

[1] [https://www.gamingonlinux.com/articles/looks-like-valve-coul...](https://www.gamingonlinux.com/articles/looks-like-valve-could-be-set-to-launch-something-called-steam-cloud-gaming.15354)

------
fonkyyack
I recently moved to Linux as a primary (and only) OS. I was a Windows user
because of games, and I was so fed up with automatic updates, privacy concerns
and so on that I decided to fully go to Linux. I searched a lot over the
internet before choosing a distro (I'm not pro Deb or RHEL or else), so I ended
up with Manjaro (KDE version). And it is such a delight, fully customizable.
Steam installed with some of my games working without doing anything
"complicated", I was impressed! And then I installed Lutris for all non-native
games. I expected many, many troubles, but in fact it was easy. I installed the
Epic Games Store first and Oxenfree just to test. It runs smoothly! I also
installed Control (great game) standalone, still with Lutris. I finished the
games with only two or three crashes. So yes, gaming on Linux is not ideal, and
it might not have the best performance either, but it was much, much easier
than I thought before making the big step from Windows to Linux. I'll follow
any new improvements for gaming on Linux, and I hope in the future that every
store and game will be accessible natively on Linux. And that more and more
users have the choice of the OS they want!

------
Arnavion
There was that time the Steam client rm-rf'd your home directory because of a
typo in its wrapper shell script. Also, the client itself requires a bunch of
packages that I'd rather not install on my machine, because my distro packages
don't match what it wants, and because some of the packages it wants are
32-bit ones.

So I just run Steam itself in a Docker container. The home directory inside
the container is mounted to a subdirectory of my home on the host, so even if
Steam wipes everything from it the only thing I'd lose is Steam itself.

~~~
crummy
I didn't know you could run graphical apps in Docker. How does that work?

~~~
Arnavion

        # Build a fresh .Xauthority for the container's home: take the host's
        # cookie for $DISPLAY and rewrite the address family to ffff (FamilyWild),
        # so the cookie is accepted whatever hostname the container has.
        rm -f ~/docker-games/root/.Xauthority
        touch ~/docker-games/root/.Xauthority
        xauth nlist "$DISPLAY" | sed -e 's/^..../ffff/' | xauth -f ~/docker-games/root/.Xauthority nmerge -
        chmod 0444 ~/docker-games/root/.Xauthority
    
        # Host X11 socket (e.g. /tmp/.X11-unix/X0), bind-mounted at the same path.
        XSOCK="$(realpath /tmp/.X11-unix/*)"
    
        # Filesystem path of the host session bus, stripped of the "unix:path=" prefix.
        DBUS_SESSION_BUS_PATH="$(echo "$DBUS_SESSION_BUS_ADDRESS" | sed -e 's/^unix:path=//')"
    
        # /dev/dri gives the container GPU access; the X socket plus .Xauthority give
        # it the display; the D-Bus socket is for the tray icon; the pulse cookie plus
        # PULSE_SERVER (host address on the enp4s0 interface, TCP port 4713; use your
        # own interface name) give it sound; --shm-size raises /dev/shm above the
        # Docker default. $COMMAND is unquoted so a multi-word command splits into
        # separate arguments.
        docker run -it --rm \
            --device '/dev/dri:/dev/dri' \
            -v "$XSOCK:$XSOCK" \
            -v "$(realpath ~/docker-games/root):/home/arnavion" \
            -v "$(realpath ~/.config/pulse/cookie):/home/arnavion/.config/pulse/cookie" \
            -v "$DBUS_SESSION_BUS_PATH:$DBUS_SESSION_BUS_PATH" \
            -e "DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS" \
            -e "DISPLAY=$DISPLAY" \
            -e "PULSE_SERVER=$(ip -4 addr show enp4s0 | grep -Po 'inet \K[^/]+'):4713" \
            -e 'XAUTHORITY=/home/arnavion/.Xauthority' \
            --shm-size '1G' \
            --hostname arnavion-docker-games \
            docker-games \
            $COMMAND
    

The XSOCK mount allows it to talk to the host X server, and the .Xauthority
mount allows it to auth with the host X server. Apart from that:

* ~/docker-games/root is the home directory inside the container.

* The DBUS mount and env var is to allow Steam to show its icon in the system tray of the host DE. There's also a symlink for `~/.steam/public/steam_tray_mono.png` -> `~/docker-games/root/.steam/public/steam_tray_mono.png` so that the host DE can find the icon based on the path inside the container.

* The pulseaudio mount and env var is to allow sound. It requires pulseaudio to be set up to allow network clients.

Here's the full gist:
[https://gist.github.com/Arnavion/3212232d0761d49d9636f796c5a...](https://gist.github.com/Arnavion/3212232d0761d49d9636f796c5a99e53)

------
haunter
Wish I could find it now, but there was an obscure article 10 years ago or so,
maybe it wasn't even an article, which argued that "desktop Linux" will be
gaming only. Linux will be as it is now, enterprise, business, programming etc.
+ gaming. But no middle ground. Anyways, it just feels like we are closer and
closer to that.

------
usr1106
There are 7 types of namespaces; I don't see it mentioned which types they
use.

Mount namespaces are not a big deal to use, as long as you freely bind-mount
from /dev and /sys whatever your software might need. The effect is mostly
protecting your home directory against both reading and modification and
isolating your system installations against version and configuration
conflicts.

Uid namespaces are really challenging if you try to make some complex software
system work. They give a lot of isolation from the host system; some would say
they also bring new risks, where the isolation has unexpected privilege
escalations.

Disclaimer: Not a gamer on any platform, so I don't know Steam other than from
hearsay that it's the only serious one running on Linux.

------
Yuioup
Is there a list of games that actively take advantage of containerization
(i.e. old libraries, etc..)?

For example, I can't run the GOG version of Legend of Grimrock on Fedora 31
because of libraries. This is the type of thing that would solve that problem.

------
perlgeek
(How) does this affect graphics performance? And how does the container
communicate with the graphics engine? Just an X11 socket linked into the
container?

~~~
dastx
> (How) does this affect graphics performance?

Namespaces are a default feature within the Linux kernel. If a process isn't
isolated in any way, it's automatically assigned the default namespace. So
what they've done is simply run the game processes in a separate namespace.
Therefore there should be negligible performance impact, if any at all.

------
myrloc
Can someone please do an ELI5 for Linux namespaces and why this is important
for a better Linux Steam client?

~~~
habitue
This isolates Steam games from the rest of the things running on the machine,
which dramatically reduces the number of variables Valve has to consider for
supporting a Linux game. This means they can support more games with fewer
resources, or give better support to more games.

With namespaces and cgroups and chroot and bind mounts you can cobble together
an isolated Linux distro running on the same kernel as yours. So for example,
Steam can target having a game run on Ubuntu 16.04, and ensure that it runs
well there, while you can go ahead and use Arch, or Fedora 31 or whatever.
It's like virtualization except that it doesn't translate every instruction;
it only adds some overhead to certain syscalls.
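Neither usr1106's "7 types" remark nor the explanation above shows how to check which namespaces a given process actually ended up in. The script below is an added example (not from the thread or from Valve): it reads the `/proc/<pid>/ns/*` links and compares two processes, for instance a running game against the client that launched it or against PID 1. It assumes Linux with `/proc` mounted; reading another user's process needs CAP_SYS_PTRACE, and entries that cannot be read are reported as unknown rather than guessed.

```python
"""Added example (not from the thread): list the Linux namespaces a process
is in and compare two processes, e.g. a sandboxed game against the client
that launched it.  Assumes Linux with /proc; reading another user's process
needs CAP_SYS_PTRACE, otherwise those entries are reported as unknown."""
import os
import sys

# The seven types referred to above; newer kernels also expose time,
# pid_for_children and time_for_children, which are picked up as well.
CLASSIC_NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
PROC_NS_AVAILABLE = os.path.isdir("/proc/self/ns")


def namespaces_of(pid):
    """Map namespace type -> link target such as 'mnt:[4026531840]'.
    Processes share a namespace exactly when that inode is identical.
    pid is an int or 'self'; unreadable entries (EACCES) map to None."""
    ns_dir = f"/proc/{pid}/ns"
    try:
        entries = sorted(os.listdir(ns_dir))
    except PermissionError:  # /proc/<pid>/ns is not listable for other users
        entries = list(CLASSIC_NS_TYPES)
    result = {}
    for entry in entries:
        try:
            result[entry] = os.readlink(os.path.join(ns_dir, entry))
        except PermissionError:
            result[entry] = None
    return result


def namespace_diff(pid_a, pid_b):
    """Classify each namespace type as 'separate', 'shared' or 'unknown'
    (unreadable on at least one side) between two processes."""
    a, b = namespaces_of(pid_a), namespaces_of(pid_b)
    report = {"separate": [], "shared": [], "unknown": []}
    for ns_type in sorted(set(a) | set(b)):
        va, vb = a.get(ns_type), b.get(ns_type)
        if va is None or vb is None:
            report["unknown"].append(ns_type)
        elif va == vb:
            report["shared"].append(ns_type)
        else:
            report["separate"].append(ns_type)
    return report


if __name__ == "__main__":
    # Usage: nsdiff.py <pid> [<reference pid, default 1 = host init>]
    target = int(sys.argv[1]) if len(sys.argv) > 1 else "self"
    reference = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    for kind, types in namespace_diff(target, reference).items():
        print(f"{kind:>8}: {' '.join(types) or '-'}")
```

Run against the PID of a game launched by a namespaced client and its parent: the types listed under "separate" are the ones the client actually unshared, which is a more reliable answer than the client's documentation.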

------
dottrap
Any opinions on which containers are easiest to get working on SteamOS? Any
links on how-to-guides for this?

------
shmerl
Is it using lxc?

~~~
BatteryMountain
Probably. I had that hunch too. It seems to be the shortest and cleanest path
to get namespaces. Maybe a subset of that library without allocating system
resources like a VM.

------
erichurkman
Maybe if they are back doing non-Microsoft build work, they can soon support
Mac with case-sensitive filesystems?

~~~
ripdog
Seems somewhat unlikely to me. Now that OpenGL is gone from macOS, the Mac is
basically dead as a cross-platform gaming system. Who's going to rewrite their
renderer on Metal just to target such a tiny platform? Maybe if UE or Unity do
the work, games might still get Mac releases...

~~~
tmzt
There are libraries like [1] that expose a Vulkan API/ABI on a Metal backend.

[1] [https://github.com/gfx-rs/gfx](https://github.com/gfx-rs/gfx)

~~~
yincrash
Valve uses MoltenVK[1] on their own games. They have used it since 2018 for
Dota 2[2], but I can't find a lot of uptake by others.

[1] [https://github.com/KhronosGroup/MoltenVK](https://github.com/KhronosGroup/MoltenVK)
[2] [https://www.khronos.org/news/permalink/vulkan-support-for-do...](https://www.khronos.org/news/permalink/vulkan-support-for-dota2-on-macos-now-available)

