Steam in Docker (opens in new tab)

(hub.docker.com)

194 pointsarno19y ago76 comments

76 comments

58 comments · 16 top-level

castratikron9y ago· 9 in thread

Why would I want to do this?

At a guess it's to sandbox the Steam ecosystem? There was a Steam bug in the past where it would delete all contents of the user's home folder. I guess also Steam and its games are all closed source and people might not trust them as much.

_asummers9y ago

Bug: https://github.com/valvesoftware/steam-for-linux/issues/3671

HN discussion: https://news.ycombinator.com/item?id=8896186

I regularly reference the # scary! comment at work.

aidenn09y ago

I'm interested because linux distros not named "Ubuntu" have varying difficulties running steam. The distributions with smaller communities often will figure out how to do it, and then shortly a steam update breaks it. Or 32-bit games work but not 64, or vice-versa. Or ...

arno1OP9y ago

Yeah, one of the points which pushed me creating this image!

I have tested HL engine based games and CS:GO which has its csgo_linux64 binary, causing lots of people to complain they could not run it, since Steam itself is 32-bit one. With this image it is not a problem, since I am preloading all the necessary libraries. It, though, still needs some polishing... @all: I appreciate your advice / PR !

lisivka9y ago

Yeah, it is why we (Linux Users) hate proprietary software.

tormeh9y ago

I don't know much about Docker, but I know Steam for Linux is built for Ubuntu. Maybe Docker helps for distros like Fedora? The benefit is probably highest in the case of NixOS, because Steam changes stuff behind the scenes and so isn't really compatible with declarative package managers.

vertex-four9y ago

NixOS supports Steam wonderfully - it creates a half-container (alternate filesystem root, shared networking) which looks like what Steam expects, has full access to graphics drivers and your home directory, and can be executed like any other app (run "steam"). The full Docker infrastructure isn't really necessary.

arno1OP9y ago

@tormeh look at a Docker just like at a system that gets you the images (in "tar" archives) from the Docker Hub repo (or build them by yourself) and lets you run these "tar" images by leveraging the cgroups (Linux kernel abstraction feature that limits, isolates resource usage of a process). You may basically look at a Docker like at "chroot-on-steroids". And yes, it helps to run the images wherever you have Docker installed. There are few limitations though, especially when it comes to the point one needs to pass something from the host into a container (e.g. driver libraries, devices, special system paths or environment variables), since they may differ from distro to distro, from Platform to Platform.

aidenn09y ago

NixOS generates a FHS compliant chroot for steam to be installed to, so it can do whatever it wants in that playground.

fasterthanlime9y ago· 5 in thread

Interesting approach! I work on the itch.io app (functionality overlaps the Steam client somewhat, but with a different content offering / different way of running things) and we do address both concerns:

  * app isn't tied to / doesn't assume a Debian-ish distribution (we ship .deb, .rpm, a PKGBUILD, and a simple binary .tar.xz)
  * app uses firejail on Linux (sandbox-exec on macOS, different user on Windows) to "set up more fences around" games you download from the internet.

There's a bunch more features we want to add to the app (live video capture, see itchio/capsule on github, synced collections, etc.) — but isolating "downloaded apps" from the rest of the system seemed like a sensible prerequisite on the road to doing that.

I don't want to spam links, but if you're interested in our approach, you can probably search "itch.io sandbox" with your favorite search engine and stumble upon it :)

arno1OP9y ago

Thanks @fasterthanlime !

Is there something that the firejail does better than the Docker?

I can see the firejail also uses the namespaces and seccomp-bpf.

fasterthanlime9y ago

I suspect that this question was covered in the HN entry for firejail earlier today: https://news.ycombinator.com/item?id=12239840 - but in our case, it's just that it's lighter.

If I'm not mistaken, containers come with their own userland, if you want a useful graphical container you're in for a few hundred megabytes of dependencies, whereas sandboxing approaches (firejail, projectatomic/bubblewrap - used by flatpak for example) just try and limit what a process in the same user space has access to.

I wanted a solution that was low-overhead enough that it was a no-brainer for users to turn it on. However, it's not perfect: our sandbox policy could use tightening (as long as it doesn't break too much stuff), and having an additional SUID binary around is definitely something to look out for.

I'm hoping that more interest gathers around sandboxes and that they become more mainstream in Linux ecosystems. "Trusting package maintainers" only goes so far, and doesn't really account for third-parties shipping binary packages!

zokier9y ago

Interesting. How do you handle dependencies? That's one issue I've had with Steam, libraries on my machine do not match the ones the app presumes. Shipping binaries in different packages does not really solve that part of "assume debianish distro" problem.

arno1OP9y ago

The important part is to make sure that the ABI didn't change. Since Steam wants Debian-based distro, it then should be enough to keep the same. It's not a perfect way to go, but so far it works though. :-)

mobiuscog9y ago

Does it also use AppContainer on Windows ?

notthemessiah9y ago· 5 in thread

I made a separate user for using Steam (and other games), and it involved a little bit of routing when it comes to X11 and PulseAudio. My reason for doing so was primarily because of how games create many dotfiles, and I wanted my home folder clean.

ekianjo9y ago

Do you mind sharing how you did this in more details ? I am also not happy with the way Steam games put files in random locations...

notthemessiah9y ago

For PulseAudio: I needed to load a few modules that opened a TCP socket for myself between users (under TCP support with anonymous clients):

https://wiki.archlinux.org/index.php/PulseAudio/Examples#Pul...

Forgot exactly what I did with X11, but one part of it was having an environment variable that used my main users XAuthority

E.G. [gamer@mycomputer]$ echo $XAUTHORITY

/home/notthemessiah/.Xauthority

AckSyn9y ago

I did something similar by installing Steam to a chroot environment.

"Those who do not understand UNIX are condemned to reinvent it, poorly." -- Henry Spencer, programmer

This goes doubly for "containers" not understanding chroot/jails.

arno1OP9y ago

Well, there is a distinct difference between traditional chroot and the Linux control groups and namespaces.

If only chroot was enough, noone would be investing their time to the cgroups, namespaces, LXC, Docker, etc... :-)

jjnoakes9y ago

Are you suggesting that containers provide about what chroot provides?

Containers provide chroot-like behavior for more than just the filesystem. Processes, user IDs, network interfaces... Chroot is filesystem only.

cryptarch9y ago· 3 in thread

Is this meant to make uninstalling Steam easier than it is now?

Or is this an exercise in getting GUI applications with slightly exotic features (GPU access) to run?

I'd like to understand why this was made but it isn't described in the usage instructions.

arno1OP9y ago

I think it should be pretty obvious why people put things into containers :-)

Few main points though, which pushed me making this Docker container:

1. I want to set-up more fences when running the code I don't/can't trust;

2. I don't want to spend time on figuring out how to install Steam (what deps) in a non-Debian (or non-SteamOS) based distro;

3. I like cleanliness: I can erase Steam and all its dependencies in a matter of seconds;

4. Like you said, it was an interesting exercise and it still needs some polishing :-)

And few Pros from my PoV:

- I can have Steam on my Ubuntu/openSUSE/[put any other distro I will want to use] in a short time that Docker takes when downloads this Steam container;

- Since Steam is meant to run in Debian (SteamOS) based distro, it is not a problem anymore, since it is in a container now.

Gonzih9y ago

So you don't trust application code, but you trust image makers code?.

5 more replies

djsumdog9y ago

There's a Steam overlay in Gentoo, and it mostly works, but lately I've had a lot of issues with ATI's open source drivers and Steam, to the point where I just setup a windows machine for games.

This looks really promising though, and shows a practical use case for docker.

rlpb9y ago· 3 in thread

How does persistent state work with this? For example, what happens to my saved games? What if I update the image (for example to pick up a Steam update)? What will happen to those saved games?

arno1OP9y ago

Currently it is stored in a docker volume. (the data available at /var/lib/docker/volumes path)

But changing just one line in a docker-compose.yml file you can mount it wherever you want on your host. See "data:/home" in there.

You can write there "/home/your-user/mysteamdata:/home", so that all Steam games (caches, saves, ...) will be available for you at your home directory in "mysteamdata" directory ;-)

nostrebored9y ago

Mount volumes that correspond to save locations. The volume should be persistent so even if the image changes the data will remain.

rlpb9y ago

Aren't save locations different on a per-game basis? So does this need configuration? If not, then how does it work without user intervention?

1 more reply

voltagex_9y ago· 2 in thread

This is hardcoding driver versions: https://github.com/arno01/steam/blob/master/docker-compose.y...

Is there a better way?

arno1OP9y ago

I haven't come up with a better idea obviously. :-) Suggestions/PR's are greatly welcomed!

flx42_9y ago

At NVIDIA we maintain this utility: https://github.com/NVIDIA/nvidia-docker

It automatically discovers the devices and the right driver files on the host.

The main goal is compute (CUDA), but we also demonstrated how to run TF2 on Steam OS during our DockerCon 16 OpenForum presentation.

Nice job! :)

1 more reply

oDot9y ago· 2 in thread

Steam is exactly the kind of software that should be distributed using Flatpak[0].

[0] http://flatpak.org/

hobarrera9y ago

Sounds like an excellent plan to end up with outdated libraries and full of security holes.

appleflaxen9y ago

holy crap; that's cool! I had no idea it existed (maybe I came across it when it was still called xdg-apps... I definitely agree with the decision to change the name).

chrisper9y ago· 2 in thread

Why use docker instead of something like flatpak or snap?

snuxoll9y ago

Personally I'd love a Steam flatpak, but since the current images are based on Fedora AFAICT (no surprise there, GNOME/FreeDesktop project) it would take a lot more work since you'd have ta create a Debian/Ubuntu SDK to base it from.

arno1OP9y ago

Because Docker is enough and it does its job well? :-)

mastazi9y ago· 2 in thread

How is the GUI accessed? X11 socket sharing? Because I guess that for gaming both X11 over SSH and VNC would not perform very well...

arno1OP9y ago

The same way as every local application is accessing it, via a Unix domain socket /tmp/.X11-unix:/tmp/.X11-unix / DISPLAY=unix$DISPLAY :-)

This will give you a frame rate identical to your host, so there is no overhead running your 3D apps in the container.

Blaiz0r9y ago

Is there any overhead at all in using Steam (or anything) through Docker?

I'm not very familiar with using Docker.

1 more reply

shmerl9y ago· 2 in thread

I proposed the same idea for GOG and their Linux games a few years ago. At that time they didn't get the point.

ekianjo9y ago

They still don't, since they ask their Linux users to install tons of libraries on their own. Not that they really care about Linux anyway... (still not GOG Galaxy client...)

shmerl9y ago

Libraries are OK to install. You can do the same in the Docker container. What Docker does is better isolation from the rest of the system. You can do it yourself with cgroups / lxc, but Docker gives higher level management.

marcosnils9y ago· 2 in thread

Been there, done that. Here's a video where I run Counter Strike through steam in a docker container.

https://youtu.be/ZHWsR8TnKsw?t=801

PS: Audio is in spanish.

arno1OP9y ago

I bet there are dozens or maybe even hundreds of people who run CS in a container. What, I believe, makes the difference is that when one shares with the reproducible results. :-)

marcosnils9y ago

The video I posted is a complete tech talk about how achieved it :)

1 more reply

lhlmgr9y ago· 2 in thread

Could this improve or worsen the VAC mechanism?

arno1OP9y ago

It's absolutely irrelevant since Docker (cgroups) are just the Linux kernel abstraction which helps to isolate resources of the processes. And with this image the general idea is that it comes like a package, with "just take & run" approach, eliminating the need to depend on the specific Debian-based Linux distro (which is required by Steam and provided with this Docker image).

Then as discussed in this thread, it gives few security advantages, control benefits since those isolated resources are controllable.

lhlmgr9y ago

thanks a lot for this clarification!

ingenter9y ago· 1 in thread

I'm running steam in a systemd container, the main issues were sound and notifications: I don't understand how pulseaudio works, so I had to give share some system directories with the guest system to get the sound working. Notifications were solved by sharing dbus. GPU was shared by sharing a single directory in /dev with correct persmissions

arno1OP9y ago

@ingenter please refer to the docker-compose.yml file of the source repository.

To make pulseaudio work in a container, you basically want to pass these volumes from the host to a container:

- /etc/localtime:/etc/localtime:ro

- /etc/machine-id:/etc/machine-id:ro

- $XDG_RUNTIME_DIR/pulse:/run/user/1000/pulse

And then, this environment variable:

PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native

skrowl9y ago· 1 in thread

How is the performance on this compared to a bare metal install?

IE how many FPS do you get with a native Steam install vs Dockerized Steam on the same hardware?

arno1OP9y ago

It's been already discussed in this thread. The performance impact should be negligible. I am having ~110-150 FPS with my nVidia 560 Ti in CS:GO , 1920x1080.

The precise testing haven't been done explicitly to measure increase/decrease. But feel free to test it. ;)

Hurtak9y ago· 1 in thread

How big is the % FPS decrease if you run the game inside container, compared to just running it regularly?

arno1OP9y ago

I haven't spotted the decrease. On the opposite, even some increase :-) (Or was that just a placebo effect? :) )

There actually shouldn't be any significant decrease since the Docker's overhead is negligible.

em3rgent0rdr9y ago

I use this on an otherwise free-software-only system (Parabola/Trisquel), since the only proprietary software I ever use is games, so I try as hard to isolate proprietary code as much as possible (without performance loss, which happens with VMs). This sort of goes with point "1. I want to set-up more fences when running the code I don't/can't trust;"

j / k navigate · click thread line to collapse

76 comments

58 comments · 16 top-level

castratikron9y ago· 9 in thread

Why would I want to do this?

neuropie9y ago

_asummers9y ago

Bug: https://github.com/valvesoftware/steam-for-linux/issues/3671

HN discussion: https://news.ycombinator.com/item?id=8896186

I regularly reference the # scary! comment at work.

aidenn09y ago

arno1OP9y ago

Yeah, one of the points which pushed me creating this image!

lisivka9y ago

Yeah, it is why we (Linux Users) hate proprietary software.

tormeh9y ago

vertex-four9y ago

arno1OP9y ago

aidenn09y ago

NixOS generates a FHS compliant chroot for steam to be installed to, so it can do whatever it wants in that playground.

fasterthanlime9y ago· 5 in thread

  * app isn't tied to / doesn't assume a Debian-ish distribution (we ship .deb, .rpm, a PKGBUILD, and a simple binary .tar.xz)
  * app uses firejail on Linux (sandbox-exec on macOS, different user on Windows) to "set up more fences around" games you download from the internet.

I don't want to spam links, but if you're interested in our approach, you can probably search "itch.io sandbox" with your favorite search engine and stumble upon it :)

arno1OP9y ago

Thanks @fasterthanlime !

Is there something that the firejail does better than the Docker?

I can see the firejail also uses the namespaces and seccomp-bpf.

fasterthanlime9y ago

I suspect that this question was covered in the HN entry for firejail earlier today: https://news.ycombinator.com/item?id=12239840 - but in our case, it's just that it's lighter.

zokier9y ago

arno1OP9y ago

mobiuscog9y ago

Does it also use AppContainer on Windows ?

notthemessiah9y ago· 5 in thread

ekianjo9y ago

Do you mind sharing how you did this in more details ? I am also not happy with the way Steam games put files in random locations...

notthemessiah9y ago

For PulseAudio: I needed to load a few modules that opened a TCP socket for myself between users (under TCP support with anonymous clients):

https://wiki.archlinux.org/index.php/PulseAudio/Examples#Pul...

Forgot exactly what I did with X11, but one part of it was having an environment variable that used my main users XAuthority

E.G. [gamer@mycomputer]$ echo $XAUTHORITY

/home/notthemessiah/.Xauthority

AckSyn9y ago

I did something similar by installing Steam to a chroot environment.

"Those who do not understand UNIX are condemned to reinvent it, poorly." -- Henry Spencer, programmer

This goes doubly for "containers" not understanding chroot/jails.

arno1OP9y ago

Well, there is a distinct difference between traditional chroot and the Linux control groups and namespaces.

If only chroot was enough, noone would be investing their time to the cgroups, namespaces, LXC, Docker, etc... :-)

jjnoakes9y ago

Are you suggesting that containers provide about what chroot provides?

Containers provide chroot-like behavior for more than just the filesystem. Processes, user IDs, network interfaces... Chroot is filesystem only.

cryptarch9y ago· 3 in thread

Is this meant to make uninstalling Steam easier than it is now?

Or is this an exercise in getting GUI applications with slightly exotic features (GPU access) to run?

I'd like to understand why this was made but it isn't described in the usage instructions.

arno1OP9y ago

I think it should be pretty obvious why people put things into containers :-)

Few main points though, which pushed me making this Docker container:

1. I want to set-up more fences when running the code I don't/can't trust;

2. I don't want to spend time on figuring out how to install Steam (what deps) in a non-Debian (or non-SteamOS) based distro;

3. I like cleanliness: I can erase Steam and all its dependencies in a matter of seconds;

4. Like you said, it was an interesting exercise and it still needs some polishing :-)

And few Pros from my PoV:

- I can have Steam on my Ubuntu/openSUSE/[put any other distro I will want to use] in a short time that Docker takes when downloads this Steam container;

- Since Steam is meant to run in Debian (SteamOS) based distro, it is not a problem anymore, since it is in a container now.

Gonzih9y ago

So you don't trust application code, but you trust image makers code?.

5 more replies

djsumdog9y ago

There's a Steam overlay in Gentoo, and it mostly works, but lately I've had a lot of issues with ATI's open source drivers and Steam, to the point where I just setup a windows machine for games.

This looks really promising though, and shows a practical use case for docker.

rlpb9y ago· 3 in thread

How does persistent state work with this? For example, what happens to my saved games? What if I update the image (for example to pick up a Steam update)? What will happen to those saved games?

arno1OP9y ago

Currently it is stored in a docker volume. (the data available at /var/lib/docker/volumes path)

But changing just one line in a docker-compose.yml file you can mount it wherever you want on your host. See "data:/home" in there.

You can write there "/home/your-user/mysteamdata:/home", so that all Steam games (caches, saves, ...) will be available for you at your home directory in "mysteamdata" directory ;-)

nostrebored9y ago

Mount volumes that correspond to save locations. The volume should be persistent so even if the image changes the data will remain.

rlpb9y ago

Aren't save locations different on a per-game basis? So does this need configuration? If not, then how does it work without user intervention?

1 more reply

voltagex_9y ago· 2 in thread

This is hardcoding driver versions: https://github.com/arno01/steam/blob/master/docker-compose.y...

Is there a better way?

arno1OP9y ago

I haven't come up with a better idea obviously. :-) Suggestions/PR's are greatly welcomed!

flx42_9y ago

At NVIDIA we maintain this utility: https://github.com/NVIDIA/nvidia-docker

It automatically discovers the devices and the right driver files on the host.

The main goal is compute (CUDA), but we also demonstrated how to run TF2 on Steam OS during our DockerCon 16 OpenForum presentation.

Nice job! :)

1 more reply

oDot9y ago· 2 in thread

Steam is exactly the kind of software that should be distributed using Flatpak[0].

[0] http://flatpak.org/

hobarrera9y ago

Sounds like an excellent plan to end up with outdated libraries and full of security holes.

appleflaxen9y ago

holy crap; that's cool! I had no idea it existed (maybe I came across it when it was still called xdg-apps... I definitely agree with the decision to change the name).

chrisper9y ago· 2 in thread

Why use docker instead of something like flatpak or snap?

snuxoll9y ago

arno1OP9y ago

Because Docker is enough and it does its job well? :-)

mastazi9y ago· 2 in thread

How is the GUI accessed? X11 socket sharing? Because I guess that for gaming both X11 over SSH and VNC would not perform very well...

arno1OP9y ago

The same way as every local application is accessing it, via a Unix domain socket /tmp/.X11-unix:/tmp/.X11-unix / DISPLAY=unix$DISPLAY :-)

This will give you a frame rate identical to your host, so there is no overhead running your 3D apps in the container.

Blaiz0r9y ago

Is there any overhead at all in using Steam (or anything) through Docker?

I'm not very familiar with using Docker.

1 more reply

shmerl9y ago· 2 in thread

I proposed the same idea for GOG and their Linux games a few years ago. At that time they didn't get the point.

ekianjo9y ago

They still don't, since they ask their Linux users to install tons of libraries on their own. Not that they really care about Linux anyway... (still not GOG Galaxy client...)

shmerl9y ago

marcosnils9y ago· 2 in thread

Been there, done that. Here's a video where I run Counter Strike through steam in a docker container.

https://youtu.be/ZHWsR8TnKsw?t=801

PS: Audio is in spanish.

arno1OP9y ago

I bet there are dozens or maybe even hundreds of people who run CS in a container. What, I believe, makes the difference is that when one shares with the reproducible results. :-)

marcosnils9y ago

The video I posted is a complete tech talk about how achieved it :)

1 more reply

lhlmgr9y ago· 2 in thread

Could this improve or worsen the VAC mechanism?

arno1OP9y ago

Then as discussed in this thread, it gives few security advantages, control benefits since those isolated resources are controllable.

lhlmgr9y ago

thanks a lot for this clarification!

ingenter9y ago· 1 in thread

arno1OP9y ago

@ingenter please refer to the docker-compose.yml file of the source repository.

To make pulseaudio work in a container, you basically want to pass these volumes from the host to a container:

- /etc/localtime:/etc/localtime:ro

- /etc/machine-id:/etc/machine-id:ro

- $XDG_RUNTIME_DIR/pulse:/run/user/1000/pulse

And then, this environment variable:

PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native

skrowl9y ago· 1 in thread

How is the performance on this compared to a bare metal install?

IE how many FPS do you get with a native Steam install vs Dockerized Steam on the same hardware?

arno1OP9y ago

It's been already discussed in this thread. The performance impact should be negligible. I am having ~110-150 FPS with my nVidia 560 Ti in CS:GO , 1920x1080.

The precise testing haven't been done explicitly to measure increase/decrease. But feel free to test it. ;)

Hurtak9y ago· 1 in thread

How big is the % FPS decrease if you run the game inside container, compared to just running it regularly?

arno1OP9y ago

I haven't spotted the decrease. On the opposite, even some increase :-) (Or was that just a placebo effect? :) )

There actually shouldn't be any significant decrease since the Docker's overhead is negligible.

em3rgent0rdr9y ago

j / k navigate · click thread line to collapse