System:
Debian 13 KDE (actually MX Linux, but doesn't seem to matter)
Wayland (xwayland installed as well)
Docker 29.5.2
Dockerfile:
FROM debian:trixie
ENV DEBIAN_FRONTEND=noninteractive
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8
# Set locale
RUN apt-get update && apt-get install -y --no-install-recommends \
locales && \
apt-get clean && \
sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
# Install Wayland-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
dbus \
libwayland-client0 \
libwayland-egl1 && \
apt-get clean
# Install X-specific packages
RUN apt-get update && apt-get install -y --no-install-recommends \
dbus-x11 && \
apt-get clean
# Add contrib, default is only main
RUN sed -i 's/^Components:.*/Components: main contrib/g' /etc/apt/sources.list.d/debian.sources
# Add 32-bit arch for Steam libraries
RUN dpkg --add-architecture i386
# Install Steam
RUN apt-get update && apt-get install -y --no-install-recommends \
steam-installer \
pciutils && \
apt-get clean
# Additional
# TODO: What is really needed?
RUN apt-get update && apt-get install -y --no-install-recommends \
vulkan-tools \
mesa-utils \
x11-xserver-utils \
libvulkan1 \
mesa-vulkan-drivers && \
apt-get clean
# TODO: Does `-storebeta` even work?
# https://developer.valvesoftware.com/wiki/Command_line_options_(Steam)
CMD ["/usr/games/steam", "-storebeta"]
To run the container:
xhost +
sudo docker run -it --name steam \
-e XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR \
-e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
-v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY \
-e DISPLAY=$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix \
--privileged steam:trixie
(The --privileged part is only temporary until I found out which capabilities are actually needed. Please don't run your containers with --privileged.)
I get the GUI dialogs to download Steam just fine, so at least some display forwarding is working:
The installation works fine, but when starting Steam it seems like it's not able to find Vulkan devices and then doesn't open any Steam window. (The container is not stopping and I'm seeing repeated ./steamwebhelper output after this.)
[...]
Running query: 1 - GpuTopology
CVulkanTopology: failed create vulkan instance: -9
CVulkanTopology: failed to create vulkan instanceFailed to query vulkan gpu topology
Failed to query vulkan gpu topology
Response:
Exit code: -2
[...]
Vulkan missing requested extension 'VK_KHR_surface'.
Vulkan missing requested extension 'VK_KHR_xlib_surface'.
BInit - Unable to initialize Vulkan!
[...]
However, Vulkan is clearly working fine in the container, as this commands displays the cube rendering just fine:
$ sudo docker exec -it steam vkcube
Selected WSI platform: xcb
Selected GPU 0: AMD Radeon RX 550 / 550 Series (RADV POLARIS12), type: DiscreteGpu
(I've also tried it on another (pure) Debian machine with a 2080Ti, but I've got the same issue.)
I've created other GUI containers in the past (Firefox for example) and didn't have these problems.
Does anybody have an idea and can point me in the right direction?
Wouldn't it be a bit easier to use the Flatpak?
The entire point of Flatpak is to run Linux Software in a container.
In case you haven't noted, this isn't about ease of use. (Also Steam isn't verified on Flathub and I only use verified apps.)
I'm curious as to the reasoning behind wanting only verified apps. If Steam was verified, then that means Valve vouches for the security of the package. But if you're going to this level of sandboxing you presumably don't trust Valve enough to trust anything they say is secure.
I trust Valve not to exfiltrate my Steam credentials or account details (credit card number, home address). I wouldn't trust a third party with that.
Then create your own Flatpak or use Bubblewrap (that's what Flatpak uses under the hood). Along with OpenSnitch and some good DNS (I particularily recommend HaGeZi's server, and hBlock for hosts-level blocking) it should be (sufficiently) good.
Flatpak doesn't have digital signatures anyway, so effectively nothing is verified on Flathub
This is not true. Flatpak does sign the packages, after the build on their end, similar to what F-droid does.
Flatpak refuses to install unsigned apps by default.
Now, they don't have per developer digital signatures that would ensure that a program is directly from the developer. But those lowkey suck, those are for proprietary software where we can't do reproducible builds to ensure that the build matches the source code.
For proprietary apps, it's more difficult since often the build works by downloading the package, which can be a deb, an rpm, or a targz or etc and extracting it inside flatpak's build process. For example, steam does this.
So you would have to figure out how to make flatpak sign and verify each form of distribution that it is abstracting, in addition to actually getting the developers to sign their stuff.
If true that's somewhat disturbing, but I still care about verified publishers nonetheless..